Building on the previous step, the following topic shows
how to implement client authentication in a distributed eXtreme Scale environment.
Before you begin
Be sure that you have completed
Java SE security tutorial - Step 3. You need to have created and complied the
SecureSimpleApp.java sample into a
sec_sample.jar file, and created a configuration file called
security.xml.
About this task
With client authentication enabled, a client is authenticated
before connecting to the
eXtreme Scale server. This section demonstrates how client authentication
can be done in an
eXtreme Scale server environment, using the sample
SecureSimpleApp.java.
Client
credential
The SecureSimpleApp.java sample uses the following two plug-in implementations to obtain
client credentials:
com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredential
com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator
For more information about these plug-ins, see Client authentication programming.
Server authenticator
The example uses an eXtreme Scale built-in implementation: KeyStoreLoginAuthenticator, which is for testing and sample purposes (a keystore is a simple
user registry and should not be used for production). For more information,
see the topic on authenticator plug-in under Client authentication programming.
- In a command line window, go to the wxs_home directory.
- Change to the wxs_home/security directory you had created in Java SE security tutorial - Step 3.
- Create a JAAS configuration file that enforces a method
of authentication to the server, og_jaas.config. The KeyStoreLoginAuthenticator referenced
in the security.xml file uses a keystore by using
the JAAS login module "KeyStoreLogin". The keystore can be configured
as an option to the KeyStoreLoginModule class.
og_jaas.config
KeyStoreLogin{
com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginModule required
keyStoreFile="../security/sampleKS.jks" debug = true;
};
- Change to the java_home/bin directory and run the keytool.
- Change to the wxs_home /security directory, and create two users, "manager" and "cashier" with their
own passwords.
- Use the keytool to create a user "manager" with password "manager1"
in the keystore sampleKS.jks.
![[Unix]](./icons/ngunix.gif)
keytool -genkey -v -keystore sampleKS.jks -storepass sampleKS1 \
-alias manager -keypass manager1 \
-dname CN=manager,O=acme,OU=OGSample -validity 10000
keytool -genkey -v -keystore sampleKS.jks -storepass sampleKS1 ^
-alias manager -keypass manager1 ^
-dname CN=manager,O=acme,OU=OGSample -validity 10000
- Use the keytool to create a user "cashier" with password "cashier1"
in the keystore sampleKS.jks.
![[Unix]](./icons/ngunix.gif)
keytool -genkey -v -keystore sampleKS.jks -storepass sampleKS1 \
-alias cashier -keypass cashier1 \
-dname CN=cashier,O=acme,OU=OGSample -validity 10000
keytool -genkey -v -keystore sampleKS.jks -storepass sampleKS1 ^
-alias cashier -keypass cashier1 ^
-dname CN=cashier,O=acme,OU=OGSample -validity 10000
- Make a copy of the sampleClient.properties file located in wxs_home/properties directory to wxs_home/security/client.properties
- In the wxs_home/security directory, save it as client.properties
Make the following changes
to the
client.properties file:
- securityEnabled: Set securityEnabled to true (default value) enables the client security, which includes
authentication.
- credentialAuthentication: Set credentialAuthentication to Supported (default value), which means the client supports credential
authentication.
- transportType: Set transportType to
TCP/IP, which means no SSL will be used.
- Copy the sampleServer.properties file
into the wxs_home/security directory and save it as server.properties.
Make the following changes in the
server.properties file:
- securityEnabled: Set the securityEnabled attribute to true.
- transportType: Set transportType attribute
to TCP/IP, which means no SSL is used.
- secureTokenManagerType: Set secureTokenManagerType attribute to none to not configure the secure token manager.
- Go to the wxs_home/bin directory and depending on your
platform, issue one of the following commands to start a catalog server. You need to issue the-clusterFile and -serverProps command line options to pass in security properties:
![[Unix]](./icons/ngunix.gif)
./startOgServer.sh catalogServer -clusterSecurityFile ../security/security.xml
-serverProps ../security/server.properties -jvmArgs
-Djava.security.auth.login.config="../security/og_jaas.config"
startOgServer.bat catalogServer -clusterSecurityFile ..\security\security.xml
-serverProps ..\security\server.properties -jvmArgs
-Djava.security.auth.login.config="..\security\og_jaas.config"
- Start a container server named c0 with
one of the following scripts. The server property file is passed by
issuing -serverProps.
![[Unix]](./icons/ngunix.gif)
./startOgServer.sh c0 -objectgridFile ../xml/SimpleApp.xml
-deploymentPolicyFile ../xml/SimpleDP.xml
-catalogServiceEndPoints localhost:2809
-serverProps ../security/server.properties
-jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config"
startOgServer.bat c0 -objectgridFile ..\xml\SimpleApp.xml
-deploymentPolicyFile ..\xml\SimpleDP.xml
-catalogServiceEndPoints localhost:2809
-serverProps ..\security\server.properties
-jvmArgs -Djava.security.auth.login.config="..\security\og_jaas.config"
- After the catalog server and container server have been
started, run the sec_sample.jar sample as follows:
![[Unix]](./icons/ngunix.gif)
java -classpath ../lib/objectgrid.jar:../applib/sec_sample.jar
com.ibm.websphere.objectgrid.security.sample.guide.SecureSimpleApp
../security/client.properties manager manager1
java -classpath ..\lib\objectgrid.jar;..\applib\sec_sample.jar
com.ibm.websphere.objectgrid.security.sample.guide.SecureSimpleApp
..\security\client.properties manager manager1
Use a colon (:) for the classpath separator
instead of a semicolon (;) as in the previous example.
After you issue the class, the following output results:
The customer name for ID 0001 is fName lName.
- Verify the size of the "customer" map inserted into the
"accounting" grid, by issuing the xscmd command
utility as follows:
![[Unix]](./icons/ngunix.gif)
./xscmd.sh -c showMapSizes -g accounting
-m customer -username manager -password manager1
xscmd.bat -c showMapSizes -g accounting
-m customer -username manager -password manager1
- Optional: To stop the container or catalog servers, you
can use the stopOgServer or stopXsServer command. However you need to provide a security configuration file.
The sample client property file defines the following two properties
to generate a userID/password credential (manager/manager1).
credentialGeneratorClass=com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator
credentialGeneratorProps=manager manager1
Stop the container c0 with the following command.
![[Unix]](./icons/ngunix.gif)
./stopOgServer.sh c0 -catalogServiceEndPoints
localhost:2809 -clientSecurityFile ../security/client.properties
stopOgServer.bat c0 -catalogServiceEndPoints
localhost:2809 -clientSecurityFile ..\security\client.properties
If you do not provide the -clientSecurityFile option, you will see an exception with the following message.
>> SERVER (id=39132c79, host=9.10.86.47) TRACE START:
>> org.omg.CORBA.NO_PERMISSION: Server requires credential
authentication but there is no security context from the client. This
usually happens when the client does not pass a credential the server.
vmcid: 0x0
minor code: 0
completed: No
You can also shut down
the catalog server using the following command. However, if you want
to continue trying the next step tutorial, you can let the catalog
server stay running.
![[Unix]](./icons/ngunix.gif)
./stopOgServer.sh catalogServer
-catalogServiceEndPoints localhost:2809 -clientSecurityFile ../security/client.properties
stopOgServer.bat catalogServer -catalogServiceEndPoints
localhost:2809 -clientSecurityFile ..\security\client.properties
If you do shutdown the catalog server, you will see the
following output.
CWOBJ2512I: ObjectGrid server catalogServer
stopped
Now, you have successfully made your system
partially secure by enabling authentication. You configured the server
to plug in the user registry, configured the client to provide client
credentials, and changed the client property file and cluster XML
file to enable authentication.
If you provide an invalidate
password, you see an exception stating that the user name or password
is not correct.
For more details about client authentication,
see Authenticating application clients.
Next step of tutorial