Administration guide > Secure the deployment environment



Application client authentication

Application client authentication consists of enabling client-server security and credential authentication, and configuring an authenticator and a system credential generator.


Enable client-server security

You must enable security on both the client and server to successfully authenticate with the ObjectGrid.


Enable client security

WebSphere eXtreme Scale provides a client property sample file, the sampleClient.properties file, in the was_root/optionalLibraries/ObjectGrid/properties directory for a WebSphere Extended Deployment installation, or the /ObjectGrid/properties directory in a mixed-server installation. You can modify this template file with appropriate values. Set the securityEnabled property in the objectgridClient.properties file to true. The securityEnabled property indicates if security is enabled. When a client connects to a server, the value on the client and server side must be set both true or both false. For example, if the connected server security is enabled, the property value must be set to true on the client side for the client to connect to the server.

The com.ibm.websphere.objectgrid.security.config.ClientSecurityConfiguration interface represents the security.ogclient.props file. Use the com.ibm.websphere.objectgrid.security.config.ClientSecurityConfigurationFactory public API to create an instance of this interface with default values, or you can create an instance by passing the ObjectGrid client security property file. The security.ogclient.props file contains other properties. See the ClientSecurityConfiguration API Documentation and ClientSecurityConfigurationFactory API Documentation for more details.


Enable server security

To enable the security on the server side, you can set the securityEnabled property in the security.xml file to true. Use a security descriptor XML file to specify the data grid security configuration to isolate the grid-wide security configuration from the non-security configuration.


Enable credential authentication

After the eXtreme Scale client retrieves the Credential object using the CredentialGenerator object, the Credential object is sent along with the client request to the eXtreme Scale server. The server authenticates the Credential object before processing the request. If the Credential object is authenticated successfully, a Subject object is returned to represent this Credential object. This Subject object is then used for authorizing the request.

Set the credentialAuthentication property on the client and server properties files to enable the credential authentication. For more information, see Client properties file and Server properties file.

The following table provides which authentication mechanism to use under different settings.

Table 1. Credential authentication under client and server settings
Client credential authentication Server credential authentication Result
No Never Disabled
No Supported Disabled
No Required Error case
Supported Never Disabled
Supported Supported Enabled
Supported Required Enabled
Required Never Error case
Required Supported Enabled
Required Required Enabled


Configure an authenticator

The eXtreme Scale server uses the Authenticator plug-in to authenticate the Credential object. An implementation of the Authenticator interface gets the Credential object and then authenticates it to a user registry, for example, a Lightweight Directory Access Protocol (LDAP) server, and so on. eXtreme Scale does not provide a registry configuration. Connecting to a user registry and authenticating to it must be implemented in this plug-in.

For example, one Authenticator implementation extracts the user ID and password from the credential, uses them to connect and validate to an LDAP server, and creates a Subject object as a result of the authentication. The implementation can use Java™ Authentication and Authorization Service (JAAS) login modules. A Subject object is returned as a result of authentication.

You can configure the authenticator in the security descriptor XML file, as shown in the following example:

<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd"
    xmlns="http://ibm.com/ws/objectgrid/config/security">

    <security securityEnabled="true" 
        loginSessionExpirationTime="300">
    
        <authenticator className ="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator">
       
</authenticator>

    </security>
    
</securityConfig>

Use the -clusterSecurityFile option when starting a secure server to set the security XML file. See the Java SE security tutorial - Step 2 for samples on how to start a secure server.


Configure a system credential generator

The system credential generator is used to represent a factory for the system credential. A system credential is similar to an administrator credential. You can configure the SystemCredentialGenerator element in the catalog security XML, as shown in the following example:

<systemCredentialGenerator className ="com.ibm.websphere.objectgrid.security.plugins.
    builtins.UserPasswordCredentialGenerator">
         
<property name="properties" type="java.lang.String" value="manager manager1" 
                        description="username password" />

</systemCredentialGenerator>

For demonstration purposes, the user name and password are stored in clear text. Do not store the user name and password in clear text in a production environment.

WebSphere eXtreme Scale provides a default system credential generator, which uses the server credentials. If you do not explicitly specify the system credential generator, this default system credential generator is used.


Parent topic:

Secure the deployment environment


Related concepts

Security integration with WAS

Data grid authentication

Data grid security

Application client authorization

Transport layer security and secure sockets layer

Java Management Extensions (JMX) security

Security integration with external providers


Related tasks

Enable local security

Start and stop secure servers

Secure the REST data service

Related reference

Security descriptor XML file

objectGridSecurity.xsd file


Related information

Tutorial: Integrate WebSphere eXtreme Scale security with WAS

Tutorial: Integrate WebSphere eXtreme Scale security in a mixed environment with an external authenticator