Administration guide > Secure the deployment environment



Java Management Extensions (JMX) security

You can secure managed beans (MBean) invocations in a distributed environment.

For more information on the MBeans available, see Administer programmatically with Managed Beans (MBeans).

In the distributed deployment topology, MBeans are directly hosted in the catalog servers and container servers. In general, JMX security in a distributed topology follows the JMX security specification as specified in the Java Management Extensions (JMX) Specification. It consists of the following three parts:

  1. Authentication - The remote client needs to be authenticated in the connector server.

  2. Access control - MBean access control limits who can access the MBean information and who can perform the MBean operations.

  3. Secure transport - The transport between the JMX client and server can be secured utilizing TLS/SSL.


Authentication

JMX provides methods for the connector servers to authenticate the remote clients. For the RMI connector, authentication is completed by supplying an object that implements the JMXAuthenticator interface when the connector server is created. So eXtreme Scale implements this JMXAuthenticator interface to utilize the ObjectGrid Authenticator plug-in to authenticate the remote clients. See Security tutorial for details on how eXtreme Scale authenticates a client.

The JMX client follows the JMX APIs to provide credentials to connect to the connector server. The JMX framework passes the credential to the connector server, and then calls the JMXAuthenticator implementation for authentication. As described previously, the JMXAuthenticator implementation then delegates the authentication to the ObjectGrid Authenticator implementation.

Review the following example that describes how to connect to a connector server with a credential:

javax.management.remote.JMXServiceURL jmxUrl = new JMXServiceURL(
        "service:jmx:rmi:///jndi/rmi://localhost:1099/objectgrid/MBeanServer");

    environment.put(JMXConnector.CREDENTIALS, new UserPasswordCredential("admin", "xxxxxx"));

    // Create the JMXCconnectorServer
    JMXConnector cntor = JMXConnectorFactory.newJMXConnector(jmxUrl, null);

    // Connect and invoke an operation on the remote MBeanServer
    cntor.connect(environment);

In the preceding example, a UserPasswordCredential is provided with the user ID set to admin and the password set to xxxxx. This UserPasswordCredential object is set in the environment map, which is used in the JMXConnector.connect(Map) method. This UserPasswordCredential object is then passed to the server by the JMX framework, and finally passed to the ObjectGrid authentication framework for authentication.

The client programming model strictly follows the JMX specification.


Access control

A JMX MBean server might have access to sensitive information and might be able to perform sensitive operations. JMX provides necessary access control that identifies which clients can access that information and who can perform those operations. The access control is built on the standard Java security model by defining permissions that control access to the MBean server and its operations.

For JMX operation access control or authorization, eXtreme Scale relies on the JAAS support provided by the JMX implementation. At any given point in the execution of a program, there is a current set of permissions that a thread of execution holds. When such a thread calls a JMX specification operation, these are known as the held permissions. When a JMX operation is performed, a security check is done to check whether the needed permission is implied by the held permission.

The MBean policy definition follows the Java policy format. For example, the following policy grants all signers and all code bases with the right to retrieve the server JMX address for the PlacementServiceMBean, but with restriction to the com.ibm.websphere.objectgrid domain.

grant {
    permission javax.management.MBeanPermission
        "com.ibm.websphere.objectgrid.management.PlacementServiceMBean#retrieveServerJMXAddress 
                    [com.ibm.websphere.objectgrid:*,type=PlacementService]",
        "invoke";
}

Use the following policy example to complete authorization based on remote client identity. The policy grants the same MBean permission as shown in the preceding example, except only to users with X500Principal name as CN=Administrator,OU=software,O=IBM,L=Rochester,ST=MN,C=US.

grant principal javax.security.auth.x500.X500Principal "CN=Administrator,OU=software,O=IBM,
                L=Rochester,ST=MN,C=US" {permission javax.management.MBeanPermission
        "com.ibm.websphere.objectgrid.management.PlacementServiceMBean#retrieveServerJMXAddress 
                [com.ibm.websphere.objectgrid:*,type=PlacementService]",
        "invoke";
}

Java policies are checked only if the security manager is turned on. Start catalog servers and container servers with the -Djava.security.manager JVM argument to enforce the MBean operation access control.


Secure transport

The transport between the JMX client and server can be secured utilizing TLS/SSL. If the transportType of catalog server or container server is set to SSL_Required or SSL_Supported, then you have to use SSL to connect to the JMX server.

To use SSL, configure the truststore, truststore type, and truststore password on the MBean client using -D system properties:

  1. -Djavax.net.ssl.trustStore=TRUST_STORE_LOCATION

  2. -Djavax.net.ssl.trustStorePassword=TRUST_STORE_PASSWORD

  3. -Djavax.net.ssl.trustStoreType=TRUST_STORE_TYPE

If you use com.ibm.websphere.ssl.protocol.SSLSocketFactory as the SSL socket factory in the java_home/jre/lib/security/java.security file, then use the following properties:

  1. -Dcom.ibm.ssl.trustStore=TRUST_STORE_LOCATION

  2. -Dcom.ibm.ssl.trustStorePassword=TRUST_STORE_PASSWORD

  3. -Dcom.ibm.ssl.trustStoreType=TRUST_STORE_TYPE

To enable JMX secure transport for the container server, set the JMX service port. Use one of the following methods to set the JMX service port:


Parent topic:

Secure the deployment environment


Related concepts

Security integration with WAS

Data grid authentication

Data grid security

Application client authentication

Application client authorization

Transport layer security and secure sockets layer

Security integration with external providers


Related tasks

Enable local security

Start and stop secure servers

Secure the REST data service

Related reference

Security descriptor XML file

objectGridSecurity.xsd file

startOgServer script


Related information

Tutorial: Integrate WebSphere eXtreme Scale security with WAS

Tutorial: Integrate WebSphere eXtreme Scale security in a mixed environment with an external authenticator

ServerProperties interface