

Security descriptor XML file

Use a security descriptor XML file to configure an eXtreme Scale deployment topology with security enabled. Use the elements in this file to configure different aspects of security.


securityConfig element

The securityConfig element is the top-level element of the ObjectGrid security XML file. This element sets up the namespace of the file and the schema location.

The schema is defined in the objectGridSecurity.xsd file.


security element

Use the security element to define an ObjectGrid security.


Attributes

securityEnabled

Enables security for the grid when set to true. The default value is false. If the value is set to false, grid-wide security is disabled. (Optional)

singleSignOnEnabled

Enables a client to connect to any server after it has authenticated with one of the servers when the value is set to true. Otherwise, a client must authenticate with each server before the client can connect. The default value is false. (Optional)

loginSessionExpirationTime

Amount of time in seconds before the login session expires. If the login session expires, the client must authenticate again. (Optional)

adminAuthorizationEnabled

Enables administrative authorization. If the value is set to true, all of the administrative tasks need authorization. The authorization mechanism that is used is specified by the value of the adminAuthorizationMechanism attribute. The default value is false. (Optional)

adminAuthorizationMechanism

Indicates which authorization mechanism to use. WebSphere eXtreme Scale supports two authorization mechanisms:

  • JAAS
  • custom authorization

The JAAS authorization mechanism uses the standard JAAS policy-based approach.

To specify JAAS as the authorization mechanism, set the value to AUTHORIZATION_MECHANISM_JAAS.

The custom authorization mechanism uses a user-plugged-in AdminAuthorization implementation.

To specify a custom authorization mechanism, set the value to AUTHORIZATION_MECHANISM_CUSTOM.

(Optional)

The following security.xml file is a sample configuration to enable the data grid security.

<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security/objectGridSecurity.xsd"
                xmlns="http://ibm.com/ws/objectgrid/config/security">

    <!-- Grid-wide security, single sign-on, a 20-second login session and JAAS administrative authorization -->
    <security securityEnabled="true"
              singleSignOnEnabled="true"
              loginSessionExpirationTime="20"
              adminAuthorizationEnabled="true"
              adminAuthorizationMechanism="AUTHORIZATION_MECHANISM_JAAS">

        <!-- Client authentication plug-in; the class must implement the Authenticator interface -->
        <authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenAuthenticator">
        </authenticator>

        <!-- System credential generator used between container and catalog servers -->
        <systemCredentialGenerator className="com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenCredentialGenerator">
            <!-- Calls setProperties("runAs") on the generator class -->
            <property name="properties"
                      type="java.lang.String"
                      value="runAs"
                      description="Using runAs subject" />
        </systemCredentialGenerator>

    </security>
</securityConfig>


authenticator element

Authenticates clients to eXtreme Scale servers in the data grid. The class that is specified by the className attribute must implement the com.ibm.websphere.objectgrid.security.plugins.Authenticator interface.

The authenticator can use properties to call methods on the class that is specified by the className attribute. See property element for more information on using properties.

In the previous security.xml file example, the com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenAuthenticator class is specified as the authenticator. This class implements the com.ibm.websphere.objectgrid.security.plugins.Authenticator interface.


Attributes

className

Specifies a class that implements the com.ibm.websphere.objectgrid.security.plugins.Authenticator interface. Use this class to authenticate clients to the servers in the eXtreme Scale grid. (Required)


adminAuthorization element

Use the adminAuthorization element to set up administrative access to the data grid.


Attributes

className

Specifies a class that implements the com.ibm.websphere.objectgrid.security.plugins.AdminAuthorization interface. (Required)


systemCredentialGenerator element

Use a systemCredentialGenerator element to set up a system credential generator. This element only applies to a dynamic environment. In the dynamic configuration model, the dynamic container server connects to the catalog server as an eXtreme Scale client and the catalog server can connect to the eXtreme Scale container server as a client too. This system credential generator is used to represent a factory for the system credential.


Attributes

className

Specifies a class that implements the com.ibm.websphere.objectgrid.security.plugins.CredentialGenerator interface. (Required)

See the previous security.xml file for an example of how to use a systemCredentialGenerator class.

In this example, the system credential generator is a com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenCredentialGenerator class, which retrieves the RunAs Subject object from the thread.


property element

Calls set methods on the authenticator and adminAuthorization classes.

The name of the property corresponds to a set method on the className attribute of the authenticator or adminAuthorization element.


Attributes

name

Name of the property. The value that is assigned to this attribute must correspond to a set method on the class that is provided as the className attribute on the containing bean. For example, if the className attribute of the bean is set to com.ibm.MyPlugin, and the name of the property that is provided is size, then the com.ibm.MyPlugin class must have a setSize method. (Required)

type

Type of the property. The type of the parameter is passed to the set method that is identified by the name attribute.

The valid values are the Java primitives, their java.lang counterparts, and java.lang.String. The name and type attributes must correspond to a method signature on the className attribute of the bean. For example, if the name is size and the type is int, then a setSize(int) method must exist on the class that is specified as the className attribute for the bean. (Required)

value

Value of the property. This value is converted to the type that is specified by the type attribute, and is then used as a parameter in the call to the set method that is identified by the name and type attributes. The value of this attribute is not validated in any way. The plug-in implementor must verify that the value passed in is valid. (Required)

description

Provides a description of the property. (Optional)

See the objectGridSecurity.xsd file for more information.
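The security element attributes described above and the name/type/value contract of the property element are easy to get wrong silently: the page notes that the property value is not validated, and a className that is wrapped across lines in the file simply names a class that does not exist. The following script is an added example, not part of the product or of this page. It parses a security.xml descriptor with the Python standard library and reports the misconfigurations a reviewer would look for: security disabled, administrative authorization enabled without a recognised mechanism, no login session expiry, whitespace inside a className, a property type outside the set the page allows, and a property value that cannot be converted to its declared type. The conversion rules, the check list and both sample descriptors (one modelled on the page's sample, one deliberately weak) are constructed for this example; the product's own loading logic is not shown here.

```python
import xml.etree.ElementTree as ET

NS = "{http://ibm.com/ws/objectgrid/config/security}"

# Property types the page allows: Java primitives, their java.lang wrappers and java.lang.String.
JAVA_PRIMITIVES = {"boolean", "byte", "char", "short", "int", "long", "float", "double"}
JAVA_WRAPPERS = {"java.lang." + w for w in
                 ("Boolean", "Byte", "Character", "Short", "Integer", "Long", "Float", "Double")}
VALID_TYPES = JAVA_PRIMITIVES | JAVA_WRAPPERS | {"java.lang.String"}
VALID_MECHANISMS = {"AUTHORIZATION_MECHANISM_JAAS", "AUTHORIZATION_MECHANISM_CUSTOM"}

# Approximation (assumption of this example) of which values convert to which declared type.
INT_TYPES = {"byte", "short", "int", "long",
             "java.lang.Byte", "java.lang.Short", "java.lang.Integer", "java.lang.Long"}
FLOAT_TYPES = {"float", "double", "java.lang.Float", "java.lang.Double"}
BOOL_TYPES = {"boolean", "java.lang.Boolean"}

# Constructed sample modelled on the page's own security.xml (class names from the page).
GOOD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns="http://ibm.com/ws/objectgrid/config/security">
  <security securityEnabled="true" singleSignOnEnabled="true" loginSessionExpirationTime="20"
            adminAuthorizationEnabled="true" adminAuthorizationMechanism="AUTHORIZATION_MECHANISM_JAAS">
    <authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenAuthenticator"/>
    <systemCredentialGenerator className="com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenCredentialGenerator">
      <property name="properties" type="java.lang.String" value="runAs" description="Using runAs subject"/>
    </systemCredentialGenerator>
  </security>
</securityConfig>"""

# Constructed sample with several weak spots; com.example.MyAuthenticator is a hypothetical plug-in.
WEAK_XML = """<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns="http://ibm.com/ws/objectgrid/config/security">
  <security securityEnabled="false" singleSignOnEnabled="true" adminAuthorizationEnabled="true">
    <authenticator className="com.example.MyAuthenticator">
      <property name="timeout" type="int" value="thirty"/>
      <property name="roles" type="java.util.List" value="admin"/>
    </authenticator>
  </security>
</securityConfig>"""


def setter_signature(name, jtype):
    """Set method the plug-in class must expose: name 'size', type 'int' -> 'setSize(int)'."""
    return f"set{name[:1].upper()}{name[1:]}({jtype})"


def value_fits_type(value, jtype):
    """Return True if the attribute string can be converted to the declared Java type."""
    if jtype in INT_TYPES:
        try:
            int(value)
            return True
        except ValueError:
            return False
    if jtype in FLOAT_TYPES:
        try:
            float(value)
            return True
        except ValueError:
            return False
    if jtype in BOOL_TYPES:
        return value.lower() in ("true", "false")
    if jtype in ("char", "java.lang.Character"):
        return len(value) == 1
    return True  # java.lang.String accepts any value


def audit_security_xml(xml_text):
    """Return a list of human-readable findings; an empty list means no issue was detected."""
    findings = []
    security = ET.fromstring(xml_text).find(NS + "security")
    if security is None:
        return ["no <security> element: nothing is configured"]
    attrs = security.attrib
    if attrs.get("securityEnabled", "false") != "true":
        findings.append("securityEnabled is not true: grid-wide security is disabled (the default)")
    if attrs.get("adminAuthorizationEnabled", "false") == "true":
        mech = attrs.get("adminAuthorizationMechanism")
        if mech not in VALID_MECHANISMS:
            findings.append(f"adminAuthorizationEnabled is true but adminAuthorizationMechanism is "
                            f"{mech!r}; expected one of {sorted(VALID_MECHANISMS)}")
    expiry = attrs.get("loginSessionExpirationTime")
    if expiry is None:
        findings.append("loginSessionExpirationTime not set: give login sessions an explicit expiry "
                        "so clients must authenticate again")
    elif not expiry.isdigit() or int(expiry) <= 0:
        findings.append(f"loginSessionExpirationTime {expiry!r} is not a positive number of seconds")
    # Every child of <security> (authenticator, adminAuthorization, systemCredentialGenerator) is a plug-in bean.
    for plugin in security:
        tag = plugin.tag.replace(NS, "")
        cls = plugin.get("className", "")
        if not cls:
            findings.append(f"{tag}: className is required but missing")
        elif any(ch.isspace() for ch in cls):
            findings.append(f"{tag}: className {cls!r} contains whitespace (value wrapped across lines?)")
        for prop in plugin.findall(NS + "property"):
            name, jtype, value = prop.get("name"), prop.get("type"), prop.get("value")
            if not (name and jtype and value is not None):
                findings.append(f"{tag}: property is missing one of the required name/type/value attributes")
                continue
            if jtype not in VALID_TYPES:
                findings.append(f"{tag}: property {name!r} has unsupported type {jtype!r}")
            elif not value_fits_type(value, jtype):
                findings.append(f"{tag}: property {name!r} value {value!r} cannot be converted to {jtype}; "
                                f"{cls} must expect {setter_signature(name, jtype)}")
    return findings


if __name__ == "__main__":
    for label, doc in (("good", GOOD_XML), ("weak", WEAK_XML)):
        print(label, audit_security_xml(doc) or ["no findings"])
```

Run it against a real descriptor with `audit_security_xml(open("security.xml").read())`. The checks only cover what the page states about each attribute; a clean result means the descriptor is internally consistent, not that the plug-in classes behave correctly.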

