Use an ObjectGrid security descriptor XML file to configure an eXtreme Scale deployment topology with security enabled. The following sample XML files describe several configurations.
Each element and attribute of the security descriptor XML file is described in the following list. Use the examples to learn how to use these elements and attributes to configure the environment.
securityConfig element
The securityConfig element is the top-level element of the ObjectGrid security XML file. This element sets up the namespace of the file and the schema location. The schema is defined in the objectGridSecurity.xsd file.
- Number of occurrences: One
- Child elements: security
security element
Use the security element to define an ObjectGrid security configuration.
- Number of occurrences: One
- Child elements: authenticator, adminAuthorization, and systemCredentialGenerator
Attributes
- securityEnabled: Enables security for the grid when set to true. The default value is false. If the value is set to false, grid-wide security is disabled. For more information, see Grid security. (Optional)
- singleSignOnEnabled: Allows a client to connect to any server after it has authenticated with one of the servers if the value is set to true. Otherwise, a client must authenticate with each server before the client can connect. The default value is false. (Optional)
- loginSessionExpirationTime: Specifies the amount of time in seconds before the login session expires. If the login session expires, the client must authenticate again. (Optional)
- adminAuthorizationEnabled: Enables administrative authorization. If the value is set to true, all of the administrative tasks need authorization. The authorization mechanism that is used is specified by the value of the adminAuthorizationMechanism attribute. The default value is false. (Optional)
- adminAuthorizationMechanism: Indicates which authorization mechanism to use. WebSphere eXtreme Scale supports two authorization mechanisms, Java™ Authentication and Authorization Service (JAAS) and custom authorization. The JAAS authorization mechanism uses the standard JAAS policy-based approach. To specify JAAS as the authorization mechanism, set the value to AUTHORIZATION_MECHANISM_JAAS. The custom authorization mechanism uses a user-plugged-in AdminAuthorization implementation. To specify a custom authorization mechanism, set the value to AUTHORIZATION_MECHANISM_CUSTOM. For more information on how these two mechanisms are used, see Application client authorization. (Optional)
The following security.xml file is a sample configuration that enables eXtreme Scale grid security.
security.xml
<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd"
    xmlns="http://ibm.com/ws/objectgrid/config/security">
    <security securityEnabled="true" singleSignOnEnabled="true"
        loginSessionExpirationTime="20"
        adminAuthorizationEnabled="true"
        adminAuthorizationMechanism="AUTHORIZATION_MECHANISM_JAAS">
        <authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenAuthenticator">
        </authenticator>
        <systemCredentialGenerator className="com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenCredentialGenerator">
            <property name="properties" type="java.lang.String" value="runAs" description="Using runAs subject" />
        </systemCredentialGenerator>
    </security>
</securityConfig>
authenticator element
Authenticates clients to eXtreme Scale servers in the grid. The class that is specified by the className attribute must implement the com.ibm.websphere.objectgrid.security.plugins.Authenticator interface. The authenticator can use properties to call methods on the class that is specified by the className attribute. See the property element for more information on using properties.
In the previous security.xml file example, the com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenAuthenticator class is specified as the authenticator. This class implements the com.ibm.websphere.objectgrid.security.plugins.Authenticator interface.
- Number of occurrences: zero or one
- Child element: property
Attributes
- className: Specifies a class that implements the com.ibm.websphere.objectgrid.security.plugins.Authenticator interface. Use this class to authenticate clients to the servers in the eXtreme Scale grid. (Required)
adminAuthorization element
Use the adminAuthorization element to set up administrative access to the grid.
- Number of occurrences: zero or one
- Child element: property
Attributes
- className: Specifies a class that implements the com.ibm.websphere.objectgrid.security.plugins.AdminAuthorization interface. (Required)
systemCredentialGenerator element
Use a systemCredentialGenerator element to set up a system credential generator. This element only applies to a dynamic environment. In the dynamic configuration model, the dynamic container server connects to the catalog server as an eXtreme Scale client, and the catalog server can connect to the eXtreme Scale container server as a client too. This system credential generator represents a factory for the system credential.
- Number of occurrences: zero or one
- Child element: property
Attributes
- className: Specifies a class that implements the com.ibm.websphere.objectgrid.security.plugins.CredentialGenerator interface. (Required)
See the previous security.xml file for an example of how to use a systemCredentialGenerator. In this example, the system credential generator is a com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenCredentialGenerator, which retrieves the RunAs Subject object from the thread.
property element
Calls set methods on the authenticator and adminAuthorization classes. The name of the property corresponds to a set method on the class named by the className attribute of the authenticator or adminAuthorization element.
- Number of occurrences: zero or more
- Child element: property
Attributes
- name: Specifies the name of the property. The value that is assigned to this attribute must correspond to a set method on the class that is provided as the className attribute on the containing bean. For example, if the className attribute of the bean is set to com.ibm.MyPlugin, and the name of the property that is provided is size, then the com.ibm.MyPlugin class must have a setSize method. (Required)
- type: Specifies the type of the property. The type of the parameter is passed to the set method that is identified by the name attribute. The valid values are the Java primitives, their java.lang counterparts, and java.lang.String. The name and type attributes must correspond to a method signature on the class named by the className attribute of the bean. For example, if the name is size and the type is int, then a setSize(int) method must exist on the class that is specified as the className attribute for the bean. (Required)
- value: Specifies the value of the property. This value is converted to the type that is specified by the type attribute, and is then used as a parameter in the call to the set method that is identified by the name and type attributes. The value of this attribute is not validated in any way. The plug-in implementor must verify that the value passed in is valid. (Required)
- description: Provides a description of the property. (Optional)
See objectGridSecurity.xsd file for more information.
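The following checker is an added example, not code from WebSphere eXtreme Scale or from this page: it parses a security.xml, flags the weak settings described under the security element (security or administrative authorization disabled, no login session expiry, an unknown adminAuthorizationMechanism), and applies the property element rules (name maps to a setter, type must be a Java primitive, java.lang wrapper or String, value is never validated by the container). The class name com.example.MyAuthenticator and the sample descriptor are constructed for the example.

```python
# Constructed checker for an ObjectGrid security.xml; example for this page, not WXS code.
import xml.etree.ElementTree as ET
NS = {"s": "http://ibm.com/ws/objectgrid/config/security"}
MECHANISMS = {"AUTHORIZATION_MECHANISM_JAAS", "AUTHORIZATION_MECHANISM_CUSTOM"}
# Property types the descriptor allows: Java primitives, java.lang counterparts, String.
PRIMITIVES = {"boolean", "byte", "short", "int", "long", "float", "double", "char"}
WRAPPERS = {"java.lang." + w for w in "Boolean Byte Short Integer Long Float Double Character String".split()}

# Constructed sample with deliberate problems: admin authorization off, no session expiry, one unsupported property type, one non-numeric int value.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns="http://ibm.com/ws/objectgrid/config/security">
  <security securityEnabled="true" singleSignOnEnabled="true"
            adminAuthorizationEnabled="false">
    <authenticator className="com.example.MyAuthenticator">
      <property name="timeout" type="int" value="thirty"/>
      <property name="realm" type="java.util.List" value="x"/>
    </authenticator>
  </security>
</securityConfig>"""

def setter_signature(prop):
    """Setter the container calls for a property: name=size, type=int -> setSize(int)."""
    name = prop.get("name")
    return "set%s%s(%s)" % (name[:1].upper(), name[1:], prop.get("type"))

def check_security_xml(xml_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    sec = ET.fromstring(xml_text).find("s:security", NS)
    if sec is None:
        return ["no <security> element"]
    a, findings = sec.attrib, []
    if a.get("securityEnabled", "false") != "true":
        findings.append("securityEnabled is not true: grid-wide security is disabled")
    if "loginSessionExpirationTime" not in a:
        findings.append("loginSessionExpirationTime not set: no login session expiry")
    if a.get("adminAuthorizationEnabled", "false") != "true":
        findings.append("adminAuthorizationEnabled is not true: admin tasks need no authorization")
    mech = a.get("adminAuthorizationMechanism")
    if mech is not None and mech not in MECHANISMS:
        findings.append("unknown adminAuthorizationMechanism " + mech)
    for plugin in sec:  # authenticator, adminAuthorization, systemCredentialGenerator
        for prop in plugin.findall("s:property", NS):
            sig = "%s.%s" % (plugin.get("className"), setter_signature(prop))
            ptype, value = prop.get("type"), prop.get("value", "")
            if ptype not in PRIMITIVES | WRAPPERS:
                findings.append("unsupported property type in " + sig)
            elif ptype in ("int", "java.lang.Integer") and not value.lstrip("-").isdigit():
                findings.append("value %r is not a valid %s for %s" % (value, ptype, sig))
    return findings
```

Running check_security_xml on the page's own security.xml sample returns no findings, because every attribute is set and the only property is a java.lang.String.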