Securing the external scheduler integration interface

Securing the external scheduler integration interface requires securing the JobSchedulerMDI system application and the JMS resources it uses.

About this task

The following diagram shows the actions required and the environmental artifacts to which they apply:

Figure: Securing the job scheduler message-driven interface. Steps shown: 1. Enable bus security; 2. Define JAAS alias for JobSchedulerMDI application; 3. Assign roles; 4. Authenticate client access to input queue.

The following steps show you how to secure the external scheduler integration interface:

Procedure

  1. Enable bus security. Enable security for the JobSchedulerBus in the WebSphere administrative console:
    1. Click Security > Bus security > bus_name.
    2. Check the Enable bus security check box.
    3. Click OK, then Save your configuration.
  2. Define a JAAS alias. The JobSchedulerMDI application’s JMS activationSpec requires a JAAS alias. Give the JAAS alias a name of your choice. The user ID and password defined to this alias represent the job scheduler’s access to its inbound JMS queue, com.ibm.ws.grid.InputQueue. The JAAS alias is also used programmatically by the JobSchedulerMDI application for authenticating to the outbound queue that the job scheduler uses to communicate with its clients. The outbound queue is com.ibm.ws.grid.OutputQueue. Define the JAAS alias in the WebSphere administrative console:
    1. Select Security > Secure administration, applications, and infrastructure > Java Authentication and Authorization Server > J2C authentication data.
    2. Save your configuration.
    3. Assign the JAAS alias to the activationSpec, com.ibm.ws.grid.ActivationSpec.
  3. Set the authentication alias for the Inter-engine authentication alias field to the same value that is set in the Activation specification field.
    1. Select Security > Bus security > bus_name. The default value for the bus_name variable is JobSchedulerBus.
    2. For the Inter-engine authentication alias field, select the alias that you defined in the previous step.
    3. Click OK, and save your configuration changes.
  4. Set the authentication alias for the Container-managed authentication alias field.
    1. Select Resources > Resource Adapters > J2C Connection factories > com.ibm.ws.grid.ConnectionFactory.
    2. For the Container-managed authentication alias field, select the alias that you defined in the previous step.
    3. Click OK, and save your configuration changes.
  5. Assign roles. Roles must be assigned to authorize access to the bus and input and output bus destinations. These role assignments can be performed in the WebSphere administrative console: Security > Bus security > bus_name > Disabled > Users and groups in the bus connector role. This can also be done through wsadmin commands:

    $AdminTask addUserToBusConnectorRole {-bus busName -user username}

    or

    $AdminTask addGroupToBusConnectorRole {-bus busName -group groupname}

    The following role assignments must be made:

    1. JobSchedulerBus
      Assign the BusConnector role to the following user IDs:
      • Identity assigned to com.ibm.ws.grid.ActivationSpec. This permits the JobScheduler to access the bus.
      • Each identity used by WSGrid to authenticate client access to the input queue (see step 4 below). This permits the WSGrid invoker to access the bus.
    2. com.ibm.ws.grid.InputQueue
      Permit access to this destination by assigning the Sender, Receiver, and Browser roles to the same user IDs to which you assigned the BusConnector role in the previous step. This can only be done through wsadmin commands:

      $AdminTask addUserToDestinationRole {-type queue -bus JobSchedulerBus -destination com.ibm.ws.grid.InputQueue -role Sender -user userName}

      $AdminTask addGroupToDestinationRole {-type queue -bus JobSchedulerBus -destination com.ibm.ws.grid.InputQueue -role Sender -group groupName}

      AdminTask.setInheritDefaultsForDestination('-bus WSS.JobScheduler.Bus -type queue -destination com.ibm.ws.grid.InputQueue -inherit false')

      Repeat for receiver and browser roles.

    3. com.ibm.ws.grid.OutputQueue

      Permit access to this destination by assigning the same roles to destination com.ibm.ws.grid.OutputQueue as were assigned for com.ibm.ws.grid.InputQueue in the previous step.

  6. Authenticate client access to the input queue. Specify the user ID and password properties in the WSGrid input control properties file, for example submitter-userid=username and submitter-password=password. The password can be encoded using the WebSphere PropFilePasswordEncoder utility.
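The role assignments of step 5, written out as a wsadmin Jython script. This is an added example, not part of the original page and not an IBM-supplied script; the AdminTask commands, bus, destination and role names are the ones listed in step 5, while the user and group names (jobsched, wsgrid1, batchops) are placeholders to replace with the ActivationSpec identity and the WSGrid submitter identities used in your environment.

```python
# Added example (not IBM's script): a wsadmin Jython script for the step 5
# role assignments. Bus, destination and role names come from the procedure
# above; the user and group names are placeholders to replace before running.

BUS = 'JobSchedulerBus'
DESTINATIONS = ['com.ibm.ws.grid.InputQueue', 'com.ibm.ws.grid.OutputQueue']
DESTINATION_ROLES = ['Sender', 'Receiver', 'Browser']

# Placeholders (constructed): the ActivationSpec identity plus every WSGrid
# submitter identity must hold BusConnector and all three destination roles.
USERS = ['jobsched', 'wsgrid1']
GROUPS = ['batchops']


def role_assignment_commands(users, groups, bus=BUS):
    """Return (AdminTask name, argument string) pairs, in execution order."""
    cmds = []
    for u in users:
        cmds.append(('addUserToBusConnectorRole', '-bus %s -user %s' % (bus, u)))
    for g in groups:
        cmds.append(('addGroupToBusConnectorRole', '-bus %s -group %s' % (bus, g)))
    for dest in DESTINATIONS:
        # Stop the queue inheriting the bus default access, so that only the
        # explicitly assigned identities can send, receive or browse on it.
        cmds.append(('setInheritDefaultsForDestination',
                     '-bus %s -type queue -destination %s -inherit false' % (bus, dest)))
        for role in DESTINATION_ROLES:
            for u in users:
                cmds.append(('addUserToDestinationRole',
                             '-type queue -bus %s -destination %s -role %s -user %s'
                             % (bus, dest, role, u)))
            for g in groups:
                cmds.append(('addGroupToDestinationRole',
                             '-type queue -bus %s -destination %s -role %s -group %s'
                             % (bus, dest, role, g)))
    return cmds


def apply_role_assignments(cmds):
    """Run each command through wsadmin's AdminTask object, then save."""
    for task, args in cmds:
        getattr(AdminTask, task)(args)
    AdminConfig.save()


try:
    AdminTask          # defined only when running inside wsadmin
    in_wsadmin = 1
except NameError:
    in_wsadmin = 0

if in_wsadmin:
    apply_role_assignments(role_assignment_commands(USERS, GROUPS))
else:
    # Outside wsadmin, only list the commands that would be issued, for review.
    for task, args in role_assignment_commands(USERS, GROUPS):
        print('AdminTask.%s(%r)' % (task, args))
```

Run it with wsadmin -lang jython -f after editing the placeholders; outside wsadmin it prints the command list so the assignments can be reviewed before they are applied.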