

Module 2: Configure WebSphere eXtreme Scale authentication in a mixed environment

By configuring authentication, you can reliably determine the identity of the requester. WebSphere eXtreme Scale supports both client-to-server and server-to-server authentication.


Authentication flow

Figure 1. Authentication flow

Authentication flow diagram

The previous diagram shows two application servers. The first application server hosts the web application, which is also a WebSphere eXtreme Scale client. The second application server hosts a container server. The catalog server runs in a stand-alone Java virtual machine (JVM) instead of WebSphere Application Server (WAS).

The arrows marked with numbers in the diagram indicate the authentication flow:

  1. An enterprise application user accesses the web browser and logs in to the first application server with a user name and password. The first application server sends the client user name and password to the security infrastructure to authenticate to the user registry. This user registry is a keystore. As a result, the security information is stored on the WAS thread.

  2. The JSP file acts as a WebSphere eXtreme Scale client to retrieve the security information from the client property file. The JSP application that is acting as the WebSphere eXtreme Scale client sends the WebSphere eXtreme Scale client security credential along with the request to the catalog server. Sending the security credential with the request is considered a runAs model. In a runAs model, the web browser client runs as a WebSphere eXtreme Scale client to access the data stored in the container server. The client uses a JVM-wide client credential to connect to the WebSphere eXtreme Scale servers. Using the runAs model is like connecting to a database with a data source level user ID and password.

  3. The catalog server receives the WebSphere eXtreme Scale client credential, which includes the WAS security tokens. Then, the catalog server calls the authenticator plug-in to authenticate the client credential. The authenticator connects to the external user registry and sends the client credential to the user registry for authentication.

  4. The client sends the user ID and password to the container server that is hosted in the application server.

  5. The container service, hosted in the application server, receives the WebSphere eXtreme Scale client credential, which is the user ID and password pair. Then, the container server calls the authenticator plug-in to authenticate the client credential. The authenticator connects to the keystore user registry and sends the client credential to the user registry for authentication.
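
The runAs flow in steps 2 to 5, modeled as an added example that is not part of the product documentation or the WebSphere eXtreme Scale API: it shows that the catalog and container servers each authenticate the same JVM-wide credential, so the grid records one principal no matter which browser user logged in. All class, method and property names are hypothetical, the credential values are constructed, and a single in-memory map stands in for the user registry.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Properties;

// Added illustration: every name below is hypothetical, not the product API.
public class RunAsFlowDemo {
    // Step 2: one credential for the whole JVM, read from the client property file.
    record Credential(String user, char[] password) {}

    // Stand-in for the user registry that the authenticator plug-in consults (constructed data).
    static final Map<String, String> REGISTRY = Map.of("gridclient", "constructed-secret");

    // Steps 3 and 5: each server authenticates the credential independently and fails closed.
    static String authenticate(String server, Credential c) {
        String expected = REGISTRY.get(c.user());
        boolean ok = expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                new String(c.password()).getBytes(StandardCharsets.UTF_8));
        if (!ok) throw new SecurityException(server + ": credential rejected");
        return c.user(); // the authenticated grid principal
    }

    static Credential loadJvmCredential(String propertyFileText) throws Exception {
        Properties p = new Properties();
        p.load(new StringReader(propertyFileText));
        return new Credential(p.getProperty("user"), p.getProperty("password").toCharArray());
    }

    // One browser request; returns the principal that the grid servers recorded.
    static String handleRequest(String browserUser, Credential jvmCred) {
        String atCatalog = authenticate("catalog", jvmCred);     // steps 2-3
        String atContainer = authenticate("container", jvmCred); // steps 4-5
        if (!atCatalog.equals(atContainer)) throw new IllegalStateException("principal mismatch");
        return atContainer; // browserUser never reaches the grid in the runAs model
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample property file content.
        Credential cred = loadJvmCredential("user=gridclient\npassword=constructed-secret\n");
        for (String browserUser : new String[] {"alice", "bob"})
            System.out.println(browserUser + " -> grid principal " + handleRequest(browserUser, cred));
        try {
            handleRequest("alice", new Credential("gridclient", "wrong".toCharArray()));
        } catch (SecurityException e) {
            System.out.println("bad credential: " + e.getMessage());
        }
    }
}
```

Because the grid only ever sees the JVM-wide principal, per-user attribution has to come from the web application's own logs, and the client property file deserves the same file-permission protection as a data source password.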


Learning objectives

With the lessons in this module, you learn how to:


Time required

This module takes approximately 60 minutes.


Lessons in this module
