9 Securing Oracle Coherence HTTP Management Over REST Server
This chapter includes the following sections:
- About Securing Oracle Coherence HTTP Management Server
Coherence HTTP Management Server authentication and authorization are disabled by default and are enabled as required. - Basic Authentication for Coherence HTTP Management Server HTTP Acceptor
You can configure an HTTP acceptor to provide authentication for Coherence HTTP Management Server. - Using SSL Authentication With Oracle Coherence HTTP Management Server
You can use SSL to provide authentication for Coherence HTTP Management Server. SSL provides an authentication mechanism that relies on digital certificates and encryption keys to establish both identity and trust.
About Securing Oracle Coherence HTTP Management Server
Coherence HTTP Management Server authentication support includes: HTTP basic, client-side SSL certificate, and client-side SSL certificate together with HTTP basic.
See Accessing Management Information Using REST in Managing Oracle Coherence.
Basic Authentication for Coherence HTTP Management Server HTTP Acceptor
HTTP basic authentication provides authentication using credentials (user name and password) that are encoded and sent in the HTTP authorization request header.
This section includes the following topics:
Specify the Basic Authentication for Coherence HTTP Management Server HTTP Acceptor
The default management-http-config.xml is in
coherence-management.jar.
To specify basic authentication for an HTTP Management Acceptor, set the
coherence.management.http.auth system property to the
value basic or override the default
management-http-config.xml and specify
<auth-method> child xml element to the value
basic.
Specify a Coherence HTTP Management Server Login Module
HTTP basic authentication requires a JAAS
javax.security.auth.spi.LoginModule implementation that
authenticates client credentials which are passed from the HTTP basic authentication
header. The resulting Subject can then be used for Oracle Coherence
Security Framework authorization as required. See LoginModule in Java Authentication and
Authorization Service (JAAS) Reference Guide.
To specify a login module, modify the
COHERENCE_HOME/lib/security/login.config login
configuration file and include a Coherence entry that includes the login module
implementation to use. For example:
CoherenceManagement {
package.MyLoginModule required;
};
At runtime, specify the login.config file to use either from the command line (using the java.security.auth.login.config system property) or in the Java security properties file.
As a convenience, a Java keystore (JKS) LoginModule implementation
which depends only on standard Java run-time classes is provided. The class is located
in the
COHERENCE_HOME/lib/security/coherence-login.jar
file. To use the implementation, place this library either in the proxy server classpath
or in the JRE's lib/ext (standard extension) directory.
Specify the JKS login module implementation in the login.config configuration file as follows:
CoherenceManagement {
com.tangosol.security.KeystoreLogin required
keyStorePath="${user.dir}${/}security${/}keystore.jks";
};
The entry contains a path to a keystore. Change the keyStorePath
variable to the location of a keystore. See Generating Java SSL Artifacts.
Using SSL Authentication With Oracle Coherence HTTP Management Server
Client-side SSL certificates are passed to the HTTP acceptor to authenticate the client. SSL requires an SSL-based socket provider to be configured for the HTTP acceptor.
This section includes the following topics:
Configure a Coherence HTTP Management Acceptor SSL Socket Provider
Configure an SSL socket provider for an HTTP acceptor when using SSL for authentication. To configure SSL for an HTTP acceptor, explicitly add an SSL socket provider definition or reference an SSL socket provider definition that is in the operational override file.
Explicitly Defining an SSL Socket Provider
To explicitly configure an SSL socket provider for an HTTP acceptor, add a
<socket-provider> element within the
<http-acceptor> element of each
<proxy-scheme> definition. See socket-provider in Developing Applications with Oracle Coherence. You can override the default
management-http-config.xml by making a copy of it and placing the
revised management-http-config.xml in classpath before
coherence-management.jar occurs.
Example 10-1 demonstrates configuring an SSL socket provider that
uses the default values for the <protocol> and
<algorithm> element (TLS and
SunX509, respectively). These are shown for completeness but may be
left out when using the default values.
Example 10-1 configures both an identity keystore
(server.jks) and a trust keystore (trust.jks). This
is typical of two-way SSL authentication, in which both the client and proxy must
exchange digital certificates and confirm each other's identity. For one-way SSL
authentication, the proxy server configuration must include an identity keystore but
need not include a trust keystore.
Example 9-1 Sample HTTP Acceptor SSL Configuration
<proxy-scheme>
<service-name>ManagementHttpProxyService</service-name>
<acceptor-config>
<http-acceptor>
...
<socket-provider>
<ssl>
<protocol>TLS</protocol>
<identity-manager>
<algorithm>SunX509</algorithm>
<provider system-property="coherence.management.http.security.keystore.provider"/>
<key-store>
<url system-property="coherence.management.http.security.keystore">file:server.jks</url>
<password system-property="coherence.management.http.security.keystore.password"/>
<type>JKS</type>
</key-store>
<password system-property="coherence.management.http.security.identitymanager.password”/>
</identity-manager>
<trust-manager>
<algorithm/>SunX509</algorithm>
<provider system-property="coherence.management.http.security.truststore.provider"/>
<key-store>
<url system-property="coherence.management.http.security.truststore">file:truststore.jks</url>
<password system-property="coherence.management.http.security.truststore.password"/>
<type>JKS</type>
</key-store>
</trust-manager>
</ssl>
</socket-provider>
...
<auth-method>cert</auth-method>
</http-acceptor>
</acceptor-config>
<autostart>true</autostart>
</proxy-scheme>
Referencing an SSL Socket Provider Definition Using Coherence HTTP Management Over REST
The following example references an SSL socket provider configuration that
is defined in the <socket-providers> element of the operational
deployment descriptor by specifying the id attribute
(ssl) of the configuration. See socket-providers in Developing Applications with Oracle Coherence.
Note:
A predefined SSL socket provider is included in the operational
deployment descriptor and is named ssl. The predefined SSL socket
provider is configured for two-way SSL connections and is based on peer trust, in
which every trusted peer resides within a single JKS keystore. See Using the Predefined SSL Socket Provider. To configure a different SSL socket provider, use an operational
override file to modify the predefined SSL socket provider or to create a socket
provider configuration as required.
<proxy-scheme>
<service-name>ManagementHttpProxy</service-name>
<acceptor-config>
<http-acceptor>
...
<socket-provider>ssl</socket-provider>
...
<auth-method>cert</auth-method>
</http-acceptor>
</acceptor-config>
<autostart>true</autostart>
</proxy-scheme>
For configuring HTTP client access, see Access Secured REST Services.