WebSphere eXtreme Scale Product Overview >
Security
WebSphere eXtreme Scale can secure data access, including allowing for integration with external security providers.
In an existing non-cached data store such as a database, you likely have built-in security features that you might not need to actively configure or enable. However, after you have cached the data with eXtreme Scale, consider the important resulting situation that the backend security features are no longer in effect. You can configureeXtreme Scale security on necessary levels so that the new cached architecture for the data is also secured. A brief summary of eXtreme Scale security features follows. For more detailed information about configuring security see the Administration Guide and the Program Guide.
Distributed security basics
Distributed eXtreme Scale security is based on three key concepts:
- Trustable authentication
- The ability to determine the identity of the requester. WebSphere eXtreme Scale supports both client-to-server and server-to-server authentication.
- Authorization
- The ability to give permissions to grant access rights to the requester. WebSphere eXtreme Scale supports different authorizations for various operations.
- Secure transport
- The safe transmission of data over a network. WebSphere eXtreme Scale supports the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocols.
Authentication
WebSphere eXtreme Scale supports a distributed client server framework. A client server security infrastructure is in place to secure access to eXtreme Scale servers. For example, when authentication is required by the eXtreme Scale server, an eXtreme Scale client must provide credentials to authenticate to the server. These credentials can be a user name and password pair, a client certificate, a Kerberos ticket, or data that is presented in a format that is agreed upon by client and server.
Authorization
WebSphere eXtreme Scale authorizations are based on subjects and permissions. You can use the Java™ Authentication and Authorization Services (JAAS) to authorize the access, or you can plug in a custom approach, such as Tivoli Access Manager (TAM), to handle the authorizations. The following authorizations can be given to a client or group:
- Map authorization
- Perform insert, read, update, evict, or delete operations on Maps.
- ObjectGrid authorization
- Perform object or entity queries and stream queries on ObjectGrid objects.
- DataGrid agent authorization
- Allow DataGrid agents to be deployed to an ObjectGrid.
- Server side map authorization
- Replicate a server map to client side or create a dynamic index to the server map.
- Administration authorization
- Perform administration tasks.
Transport security
To secure the client server communication, WebSphere eXtreme Scale supports TLS/SSL. These protocols provide transport layer security with authenticity, integrity, and confidentiality for a secure connection between an eXtreme Scale client and server.
Grid security
In a secure environment, a server must be able to check the authenticity of another server. WebSphere eXtreme Scale uses a shared secret key string mechanism for this purpose. This secret key mechanism is similar to a shared password. All the eXtreme Scale servers agree on a shared secret string. When a server joins the grid, the server is challenged to present the secret string. If the secret string of the joining server matches the one in the master server, then the joining server can join the grid. Otherwise, the join request is rejected.
Send a clear text secret is not secure. The eXtreme Scale security infrastructure provides a SecureTokenManager plug-in to allow the server to secure this secret before sending it. You can choose how you implement the secure operation. WebSphere eXtreme Scale provides an implementation, in which the secure operation is implemented to encrypt and sign the secret.
Java Management Extensions (JMX) security in a dynamic deployment topology
JMX MBean security is supported in all versions of eXtreme Scale. Clients of catalog server MBeans and container server MBeans can be authenticated, and access to MBean operations can be enforced.
Local eXtreme Scale security
Local eXtreme Scale security is different from the distributed eXtreme Scale model because the application directly instantiates and uses an ObjectGrid instance. Your application and eXtreme Scale instances are in the same Java virtual machine (JVM). Because no client-server concept exists in this model, authentication is not supported. Your applications must manage their own authentication, and then pass the authenticated Subject object to the eXtreme Scale. However, the authorization mechanism that is used for the local eXtreme Scale programming model is the same as what is used for the client-server model.
Configuration and programming
For more information about configuring and programming for security, see Secure the deployment environment and Security API.