About this task
In this task, you use LDAP as an authentication mechanism
that provides access to the data grid, according to the permissions
that you set in the JAAS authorization policy configuration file.
- Create a wxs_ldap.config file; for example:
LDAPLogin {
com.ibm.websphere.objectgrid.security.plugins.builtins.SimpleLDAPLoginModule required
providerURL="ldap://yourldapserver.yourcompany.com:389/"
factoryClass="com.sun.jndi.ldap.LdapCtxFactory"
};
- Create a wxs_ldap.auth.config file. Replace the principal with the user that logs in to the data
grid. Also replace YourGridName with the name of
your data grid. Repeat this step as necessary for additional users
and data grids. See the following example:
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=sample" {
permission com.ibm.websphere.objectgrid.security.MapPermission "YourGridName.*", "all";
permission com.ibm.websphere.objectgrid.security.ObjectGridPermission "YourGridName", "all";
};
Alternatively, you can grant permission to all data grids; for example:
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=sample" {
permission com.ibm.websphere.objectgrid.security.MapPermission "*.*", "all";
permission com.ibm.websphere.objectgrid.security.ObjectGridPermission "*", "all";
};
- Create a server-side security.xml file; for example:
<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd"
xmlns="http://ibm.com/ws/objectgrid/config/security">
<security securityEnabled="true" loginSessionExpirationTime="300">
<authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.LDAPAuthenticator">
</authenticator>
</security>
</securityConfig>
- Edit your objectGridServer.properties file
with the following properties. If you do not have an objectGridServer.properties file,
you can use the sampleServer.properties file
that is in the wxs_home/properties directory
to create your properties file.
securityEnabled=true
credentialAuthentication=Required
- Start your catalog servers. To start your catalog
servers in WebSphere Application Server open the WebSphere Application Server administrative console,
and click

Deprecated: The
startOgServer and
stopOgServer commands start servers that use the Object Request Broker (ORB)
transport mechanism. The ORB is deprecated, but you can continue using
these scripts if you were using the ORB in a previous release. The
IBM eXtremeIO (XIO) transport mechanism replaces the ORB. Use the
startXsServer and
stopXsServer scripts
to start and stop servers that use the XIO transport.
-Dobjectgrid.cluster.security.xml.url=file:///security/security.xml
-Dobjectgrid.server.props="/security/objectGridServer.properties"
-Djava.security.policy="/security/wxs_ldap_auth.config"
-Djava.security.auth.login.config="/security/wxs_ldap.config"
- Start your container servers.
-Dobjectgrid.server.props="/security/objectGridServer.properties"
-Djava.security.policy="/security/wxs_ldap_auth.config"
-Djava.security.auth.login.config="/security/wxs_ldap.config"
- In the administrative console, click .
- Click New to add an entry with the alias LDAPLogin, and click Apply.
- Under JAAS login modules, click New. Enter com.ibm.websphere.objectgrid.security.plugins.builtins.LDAPLoginModule and Sufficient as
the Authentication strategy.
- Under custom properties, enter the provider URL ldap://yourldapserver.yourcompany.com:389/ and
for factory class, enter com.sun.jndi.ldap.LdapCtxFactory.
- Click OK and Save.
- Edit your client-side objectGridClient.properties file. If WebSphere Application Server is the client,
then the file that you update is was_profile_dir/properties.
securityEnabled=true
credentialAuthentication=Supported
- Configure your client to pass the required LDAP login credentials. Load a client properties file. This file can contain the user
ID and password. If the properties file does not include the user
ID and password, add them to the configuration in the client program.
In the following example, a client properties file is loaded using
a program parameter. Then, the user ID and password are added to the
configuration.
import com.ibm.websphere.objectgrid.ClientClusterContext;
import com.ibm.websphere.objectgrid.ObjectGrid;
import com.ibm.websphere.objectgrid.ObjectGridManager;
import com.ibm.websphere.objectgrid.ObjectGridManagerFactory;
import com.ibm.websphere.objectgrid.security.config.ClientSecurityConfiguration;
import com.ibm.websphere.objectgrid.security.config.ClientSecurityConfigurationFactory;
import com.ibm.websphere.objectgrid.security.plugins.CredentialGenerator;
import com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator;
// The following statements run inside a method that receives the program arguments as args[]
String userid = "CN=manager,O=acme,OU=sample";
String pw = "password";
// Creates a ClientSecurityConfiguration object from the client properties file named by the program parameter
ClientSecurityConfiguration clientSC = ClientSecurityConfigurationFactory
.getClientSecurityConfiguration(args[0]);
// Creates a CredentialGenerator using the user ID and password and adds it to the configuration
CredentialGenerator credGen = new UserPasswordCredentialGenerator(userid, pw);
clientSC.setCredentialGenerator(credGen);
// Connect to the catalog server with the secured client configuration and obtain the ObjectGrid
ObjectGridManager ogManager = ObjectGridManagerFactory.getObjectGridManager();
ClientClusterContext ccContext = ogManager.connect("cataloghostname:2809", clientSC, null);
ObjectGrid og = ogManager.getObjectGrid(ccContext, "YourGridName");
What to do next
LDAP authentication over SSL is also supported. The wxs_ldap.config file
for this configuration might resemble the following example:
LDAPLogin {
com.ibm.websphere.objectgrid.security.plugins.builtins.LDAPLoginModule required
providerURL="ldaps://yourldapserver.yourcompany.com:636/"
factoryClass="com.sun.jndi.ldap.LdapCtxFactory"
};
LDAP over SSL requires that the truststore that is used by the WebSphere eXtreme Scale catalog
and container servers be configured to trust the certificates that
are used by the LDAP servers. For example, if the certificates that
the LDAP servers use are issued by a local certificate authority, then
you must add the signer certificate for that certificate authority
to the truststore that is used by each eXtreme Scale process. This requirement
applies whether eXtreme Scale is
running in a stand-alone environment or with WebSphere Application Server.
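The following program is an added check, not code from the IBM documentation: run it with the same truststore file that the catalog and container JVMs use to confirm that the store trusts the chain the LDAPS server presents before you switch providerURL from ldap:// to ldaps://. The host, port, truststore path and password shown are assumed placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class LdapsTrustCheck {
    public static void main(String[] args) throws Exception {
        // Assumed placeholder values; pass real ones as program arguments.
        String host = args.length > 0 ? args[0] : "yourldapserver.yourcompany.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;
        String trustStorePath = args.length > 2 ? args[2] : "/security/truststore.jks";
        char[] trustStorePw = (args.length > 3 ? args[3] : "changeit").toCharArray();

        // Load the truststore the eXtreme Scale processes are started with, so the
        // check exercises exactly the signers those JVMs will trust.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePw);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        // Complete a TLS handshake against the LDAPS port. JNDI LDAP applies "LDAPS"
        // endpoint identification, so request the same hostname check here. A missing
        // signer certificate surfaces as an SSLHandshakeException.
        SSLSocketFactory sf = ctx.getSocketFactory();
        try (SSLSocket s = (SSLSocket) sf.createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS");
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("Trusted chain presented by " + host + ":" + port);
            for (Certificate c : s.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal().getName()
                    + " issuer=" + x.getIssuerX500Principal().getName()
                    + " notAfter=" + x.getNotAfter());
            }
        }
    }
}
```

If the handshake fails, import the local certificate authority's signer certificate into that truststore and rerun the check before restarting the catalog and container servers.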