Tuesday, August 16, 2011

Node Manager Security

I was asked a good question by a customer recently. The question was how can you secure Node Manager communication and how do clients authenticate themselves with the node manager. I didn’t know much about node manager security but after doing some research I thought it would be helpful to share the answers.

Secure Communication with Node Manager

Node Manager and its clients use a custom communication protocol to communicate. However, this protocol can be SSL enabled for secure communication.

The settings that control this are located in the nodemanager.properties file but can also be passed in on the command line when you start Node Manager, in which case the command line values override what is in the properties file.

To enable SSL for Node Manager Communication, you set SecureListener to ‘true’ (which is the default).

By default, Node Manager uses the WLS demonstration Identity (DemoIdentity.jks) and Trust (DemoTrust.jks) keystores located in WL_HOME/server/lib.

You can change this by modifying the KeyStores property, which takes one of three values:

DemoIdentityAndDemoTrust
Use the demonstration Identity and Trust keystores located in the BEA_HOME\server\lib directory that are configured by default. The demonstration Trust keystore trusts all the certificate authorities in the Java Standard Trust keystore (JAVA_HOME\jre\lib\security\cacerts).

CustomIdentityAndJavaStandardTrust
Uses a keystore you create, and the trusted CAs defined in the cacerts file in the JAVA_HOME\jre\lib\security\cacerts directory.

CustomIdentityAndCustomTrust
Uses Identity and Trust keystores you create.

With each of these KeyStore modes there are other associated properties you will have to set to configure NodeManager for SSL.
 
These properties are: CustomIdentityAlias, CustomIdentityKeyStoreFileName, CustomIdentityKeyStorePassPhrase, CustomIdentityKeyStoreType, CustomIdentityPrivateKeyPassPhrase, and JavaStandardTrustKeyStorePassPhrase.
 
You can mostly figure out from the names which settings are needed for which KeyStores mode, but you can also read more about these settings here.
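As a check on the settings above, the following added example (not from the original post or from Oracle) audits the SSL-related entries of a nodemanager.properties file and flags a disabled SecureListener, the demonstration keystores (which are meant for development, not production), and custom keystore modes with missing identity properties. It assumes simple key=value lines, and treating CustomIdentityKeyStoreFileName and CustomIdentityAlias as the minimum required properties for the custom modes is this example's assumption; the sample file is constructed.

```python
# Added example: audit a nodemanager.properties file for weak SSL settings.
DEMO_MODE = "DemoIdentityAndDemoTrust"
CUSTOM_MODES = {"CustomIdentityAndJavaStandardTrust", "CustomIdentityAndCustomTrust"}
# Assumption of this example: the custom modes need at least these two properties.
REQUIRED_FOR_CUSTOM = ("CustomIdentityKeyStoreFileName", "CustomIdentityAlias")

def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return a list of findings for the SSL-related properties."""
    props = parse_properties(text)
    findings = []
    # SecureListener defaults to true when absent (per the post).
    if props.get("SecureListener", "true").lower() != "true":
        findings.append("SecureListener is not true: traffic is not SSL protected")
    # The demonstration keystores are the default when KeyStores is not set.
    mode = props.get("KeyStores", DEMO_MODE)
    if mode == DEMO_MODE:
        findings.append("KeyStores uses the demonstration identity and trust keystores")
    elif mode in CUSTOM_MODES:
        for name in REQUIRED_FOR_CUSTOM:
            if not props.get(name):
                findings.append(f"{mode} is set but {name} is missing")
    else:
        findings.append(f"KeyStores has an unknown value: {mode}")
    return findings

# Constructed sample input, not taken from a real installation.
SAMPLE = """\
# nodemanager.properties (constructed)
SecureListener=false
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=/u01/keystores/identity.jks
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Values passed on the Node Manager command line override the properties file, so a clean result for the file does not by itself describe the running process.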

Node Manager and Authentication

There are actually two separate authentications that occur when Node Manager is used. First, Node Manager compares the incoming NodeManager credentials against an encrypted file that was established during nmEnroll or pack/unpack of the domain. This username and password are specific to an entire domain and are only used for communicating with the NodeManager. They do not have anything to do with managed servers. For more information about setting or changing these credentials, see here.

The second way NodeManager makes use of a username and password is for the managed server that the NodeManager starts and monitors. These credentials are usually supplied to the NodeManager either from the config.xml file or by an individual making a client call to the NodeManager. The NodeManager will then encrypt this value and write it to disk so that the managed server can use those credentials for startup. For more information see the documentation here.
