When WebSphere® eXtreme Scale is deployed in a WebSphere Application Server environment, you can simplify the authentication flow and transport
layer security configuration from WebSphere Application Server.
Simplified authentication flow
When eXtreme Scale clients
and servers are running in WebSphere Application Server and in the same security domain, you can use the WebSphere Application Server security
infrastructure to propagate the client authentication credentials
to the eXtreme Scale server. For example, if a servlet acts as an eXtreme Scale client
to connect to an eXtreme Scale server in the same security domain, and the servlet is already authenticated,
it is possible to propagate the authentication token from the client
(servlet) to the server, and then use the WebSphere Application Server security
infrastructure to convert the authentication token back to the client
credentials.
Figure 1. Authentication flow for servers within
the same security domain
In the previous diagram, the application servers are in the
same security domain. One application server hosts the web application,
which is also an
eXtreme Scale client. The other application server hosts the container server.
The deployment manager or node agent Java virtual machine (JVM) hosts
the catalog service.
Note: Use this type of configuration in development
environments. However, for production environments run the catalog
servers in separate processes, and if possible, run catalog servers
on a different system from where the container servers are running.
The arrows in the diagram indicate how the authentication
process flows:
- An enterprise application user uses a Web browser to log in to
the first application server with a user name and password.
- The first application server sends the client user name and password
to the WebSphere Application Server security
infrastructure to authenticate with the user registry. For example,
this user registry might be an LDAP server. As a result, the security
information is stored in the application server thread.
- The JavaServer Pages (JSP) file acts as an eXtreme Scale client to retrieve
the security information from the server thread. The JSP file calls
the WebSphere Application Server security
infrastructure to get the security tokens that represent the enterprise
application user.
- The eXtreme Scale client,
or JSP file, sends the security tokens with the request to the container
server and catalog service that is hosted in the other JVMs. The catalog
server and container server use the WebSphere Application Server security
tokens as an eXtreme Scale client
credential.
- The catalog and container servers send the security tokens to
the WebSphere Application Server security
infrastructure to convert the security tokens into user security information.
This user security information is represented by a Subject object, which contains the principals, public credentials, and private
credentials. This conversion can occur because the application servers
that are hosting the eXtreme Scale client, catalog server, and container server are sharing the
same WebSphere Application Server Lightweight
Third-Party Authentication (LTPA) tokens.
Authentication integration
Distributed
security integration with WebSphere Application Server:
For the distributed model, use the following
classes:
- com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenCredentialGenerator
- com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenAuthenticator
- com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenCredential
For examples on how to use these classes, see Tutorial: Integrate WebSphere eXtreme Scale security with WebSphere Application Server.
On the server side, use the
WSTokenAuthentication authenticator to authenticate the WSTokenCredential
object.
Local security integration with WebSphere Application Server:
For the local ObjectGrid model, use the following classes:
- com.ibm.websphere.objectgrid.security.plugins.builtins.WSSubjectSourceImpl
- com.ibm.websphere.objectgrid.security.plugins.builtins.WSSubjectValidationImpl
For more information about these classes, see Local security programming. You can configure the WSSubjectSourceImpl
class as the SubjectSource plug-in, and the WSSubjectValidationImpl
class as the SubjectValidation plug-in.
Transport layer security support in WebSphere Application Server
When an eXtreme Scale client,
container server, or catalog server is running in a WebSphere Application Server process, eXtreme Scale transport security
is managed by the WebSphere Application Server CSIV2 transport settings. For the eXtreme Scale client or container
server, you should not use eXtreme Scale client or server properties to configure the SSL settings.
All the SSL settings should be specified in the WebSphere Application Server configuration.
However, the catalog server is a little different. The catalog
server has its own proprietary transport paths which cannot be managed
by the WebSphere Application Server CSIV2
transport settings. Therefore, the SSL properties still need to be
configured in the server properties file for the catalog server. See Tutorial: Integrate WebSphere eXtreme Scale security with WebSphere Application Server for more information.