WebSphere eXtreme Scale Administration Guide
Secure the deployment environment
To protect the WebSphere eXtreme Scale data, eXtreme Scale can integrate with several security providers.
WebSphere eXtreme Scale can integrate with an external security implementation. This external implementation must provide authentication and authorization services for eXtreme Scale. eXtreme Scale has plug-in points to integrate with a security implementation. WebSphere eXtreme Scale has been successfully integrated with the following components:
- Lightweight Directory Access Protocol (LDAP)
- Kerberos
- ObjectGrid security
- Tivoli Access Manager
- Java™ Authentication and Authorization Service (JAAS)
eXtreme Scale uses the security provider for the following tasks:
- Authenticating clients to servers.
- Authorizing clients to access certain eXtreme Scale artifacts or to specify what can be done with eXtreme Scale artifacts.
eXtreme Scale has the following types of authorizations:
- Map authorization: Clients or groups can be authorized to perform insert, read, update, evict, or delete operations on maps.
- ObjectGrid authorization: Clients or groups can be authorized to perform object or entity queries on object grids.
- DataGrid agent authorization: Clients or groups can be authorized to allow DataGrid agents to be deployed to an ObjectGrid.
- Server-side map authorization: Clients or groups can be authorized to replicate a server map to the client side or to create a dynamic index on the server map.
- Administration authorization: Clients or groups can be authorized to perform administration tasks.
If you already had security enabled for the back end, remember that those security settings are no longer sufficient to protect the data. Security settings from the database or other datastore do not in any way transfer to the cache. You must separately protect the data that is now cached by using the eXtreme Scale security mechanisms, including authentication, authorization, and transport-level security.
- Grid security: WebSphere eXtreme Scale grid security ensures that a joining server has the right credentials, so a malicious server cannot join the grid. Grid security uses a shared secret string mechanism.
- Enable local security: WebSphere eXtreme Scale provides several security endpoints to integrate custom mechanisms. In the local programming model, the main security function is authorization; there is no authentication support. You must authenticate independently of the existing WebSphere Application Server authentication. However, plug-ins are provided to obtain and validate Subject objects.
- Application client authentication: Application client authentication consists of enabling client-server security and credential authentication, and configuring an authenticator and a system credential generator.
- Application client authorization: Application client authorization consists of ObjectGrid permission classes, authorization mechanisms, a permission checking period, and access-by-creator-only authorization.
- Transport layer security and secure sockets layer: WebSphere eXtreme Scale supports both TCP/IP and Transport Layer Security/Secure Sockets Layer (TLS/SSL) for secure communication between clients and servers.
- Grid authentication: You can use the secure token manager plug-in to enable server-to-server authentication, which requires you to implement the SecureTokenManager interface.
- Java Management Extensions (JMX) security: You can secure managed bean (MBean) invocations in a distributed environment.
- Security descriptor XML file: Use an ObjectGrid security descriptor XML file to configure an eXtreme Scale deployment topology with security enabled. The following sample XML files describe several configurations.
- Security integration with WebSphere Application Server: WebSphere eXtreme Scale provides several security features to integrate with the WebSphere Application Server security infrastructure.
- Start and stop secure eXtreme Scale servers: Servers often need to be secure for the deployment environment, which requires specific configuration for starting and stopping.