<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us" xml:lang="en-us"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="security" content="public" /> <meta name="Robots" content="index,follow" /> <meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' /> <meta name="DC.Type" content="task" /> <meta name="DC.Title" content="Configure platform security" /> <meta name="abstract" content="Before you begin, ensure that you have configured your Kerberos key distribution center (KDC)." /> <meta name="description" content="Before you begin, ensure that you have configured your Kerberos key distribution center (KDC)." /> <meta name="DC.Relation" scheme="URI" content="rzahxagentsecure.htm" /> <meta name="DC.Relation" scheme="URI" content="rzahxagentkerberos.htm" /> <meta name="DC.Relation" scheme="URI" content="rzahxagentkerberos.htm" /> <meta name="DC.Relation" scheme="URI" content="rzahxagentstartplatform.htm" /> <meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" /> <meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" /> <meta name="DC.Format" content="XHTML" /> <meta name="DC.Identifier" content="rzahxagentsecurepref" /> <meta name="DC.Language" content="en-us" /> <!-- All rights reserved. Licensed Materials Property of IBM --> <!-- US Government Users Restricted Rights --> <!-- Use, duplication or disclosure restricted by --> <!-- GSA ADP Schedule Contract with IBM Corp. 
--> <link rel="stylesheet" type="text/css" href="./ibmdita.css" /> <link rel="stylesheet" type="text/css" href="./ic.css" /> <title>Configure platform security</title> </head> <body id="rzahxagentsecurepref"><a name="rzahxagentsecurepref"><!-- --></a> <!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script> <h1 class="topictitle1">Configure platform security</h1> <div><p>Before you begin, ensure that you have configured your Kerberos key distribution center (KDC).</p> <div class="section">When security is turned on, <span class="uicontrol">ableplatform.preferences</span> acts as a policy file for the security of the platform it defines. The following steps provide examples of how principals, trust levels, and permissions could be configured:</div> <ol><li class="stepexpand"><span><strong>Define User and Service principals</strong></span> <div class="p">After you acquire user and service principals, and register them with your KDC, you need to add these principals to <span class="uicontrol">ableplatform.preferences</span>. When security is turned on, a user must be defined with a valid Kerberos user principal to gain access to the platform, and all agent services and agent pools must have a valid Kerberos service principal assigned to them.
Add the user or service principals you have registered with your KDC, and specify an alias for each principal (the alias can be any unique name you want to use): <div class="note"><span class="notetitle">Note:</span> By using the code examples, you agree to the terms of the <a href="codedisclaimer.htm">Code license and disclaimer information</a>.</div> </div> <pre>#----------------------------------------------------------------------
# Principals
#----------------------------------------------------------------------
Principal.1.Alias = servicePrincipal1
Principal.1.Principal = name1/systemName@REALM
Principal.2.Alias = servicePrincipal2
Principal.2.Principal = name2/systemName@REALM
Principal.3.Alias = userPrincipal1
Principal.3.Principal = name1@REALM
Principal.4.Alias = userPrincipal2
Principal.4.Principal = name2@REALM</pre> </li> <li class="stepexpand"><span><strong>Define trust levels</strong></span> <p>After you add user and service principals, you need to define the trust level associated with each principal. A trust level is associated with a principal to help define the capabilities of a user or service on the platform. Associating a trust level with a principal is also a way to group principals. The same trust level can be associated with multiple user and service principals.
Add the principal aliases you assigned to your service and user principals in step 1 (comma delimited) to the trust level you want to associate them with, and provide a unique name as the trust level alias:</p> <pre>#----------------------------------------------------------------------
# Trust Levels
#----------------------------------------------------------------------
TrustLevel.1.Alias = HighlyTrusted
TrustLevel.1.Principals = servicePrincipal1,userPrincipal1
TrustLevel.2.Alias = SomewhatTrusted
TrustLevel.2.Principals = servicePrincipal2,userPrincipal2</pre> </li> <li class="stepexpand"><span><strong>Associate service principals with Agent Pools</strong></span> <p>A distributed platform can span multiple ports on multiple systems. Each agent pool defines where one part (a JVM) of the platform will run. Each agent pool entry contains an alias, an IP address, a port, and a service principal alias. The principal alias specifies which service principal this pool is associated with. Add the service principal alias you defined above that you want to associate with each agent pool:</p> <pre>#----------------------------------------------------------------------
# Agent Pools (Java Virtual Machines)
#----------------------------------------------------------------------
AgentPool.1.Alias = Pool1
AgentPool.1.IpAddress = systemname.ibm.com
AgentPool.1.Port = 55551
<strong>AgentPool.1.Principal = servicePrincipal1</strong>
AgentPool.2.Alias = Pool2
AgentPool.2.IpAddress = systemname.ibm.com
AgentPool.2.Port = 55552
<strong>AgentPool.2.Principal = servicePrincipal1</strong>
AgentPool.3.Alias = Pool3
AgentPool.3.IpAddress = systemname.ibm.com
AgentPool.3.Port = 55553
<strong>AgentPool.3.Principal = servicePrincipal2</strong></pre> </li> <li class="stepexpand"><span><strong>Define agent start-up authority</strong></span> <p>Define which users have the capability to start each of the agents defined on your secure platform.
Add one or more user principal aliases to the <span class="uicontrol">EligiblePrincipals</span> parameter:</p> <pre>#----------------------------------------------------------------------
# Permitted Agents
#----------------------------------------------------------------------
Agent.1.Alias=Agent1
Agent.1.AutonomyLevel=Medium
Agent.1.ClassName=com.ibm.able.platform.examples.EServerTemplateAgent
Agent.1.ConstructorArgs=String:AgentName1
<span class="uicontrol">Agent.1.EligiblePrincipals=userPrincipal1,userPrincipal2</span>
Agent.1.EligibleAgentPools=Pool2,Pool3
Agent.1.InitArgs=
Agent.1.LastChangedDate=January 11, 2003 11:11am
Agent.1.Type=Tester1
Agent.1.Vendor=IBM1
Agent.1.Version=1.1</pre> </li> <li class="stepexpand"><span><strong>Define the algorithm and provider</strong></span> <p>You need to define the algorithm and provider of the key pairs the platform will use. By default, the preferences file contains the following setting:</p> <pre>#----------------------------------------------------------------------
# Cryptography parameters
#----------------------------------------------------------------------
CryptographyAlgorithm = DSA
CryptographyProvider = IBMJCE</pre> </li> </ol> <div class="section"><p>After you add the necessary security data to <span class="uicontrol">ableplatform.preferences</span>, save your changes. Once the platform is correctly configured, turning on security is as simple as opening the <span class="uicontrol">able.preferences</span> file that defines your platform and changing the Security property to <span class="uicontrol">Security=on</span>.</p> <p>
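As an added example (not IBM's code and not part of the ABLE platform), the following Python check parses the security sections shown in the steps above and reports the cross-reference mistakes worth catching before setting Security=on: a principal that belongs to no trust level, an agent pool bound to a user principal instead of a service principal, and an agent made eligible for a pool that is never defined. The sample file is constructed; the key names follow the page, and the service/user distinction is inferred from whether the Kerberos principal carries an instance component.

```python
import re
from collections import defaultdict

# Constructed sample (not from the page) with two deliberate mistakes: Pool1 is
# assigned a user principal, and Agent1 is eligible for a pool that is never defined.
SAMPLE_PREFS = """\
Principal.1.Alias = servicePrincipal1
Principal.1.Principal = name1/systemName@REALM
Principal.2.Alias = userPrincipal1
Principal.2.Principal = name1@REALM
TrustLevel.1.Alias = HighlyTrusted
TrustLevel.1.Principals = servicePrincipal1,userPrincipal1
AgentPool.1.Alias = Pool1
AgentPool.1.Principal = userPrincipal1
Agent.1.EligiblePrincipals = userPrincipal1
Agent.1.EligibleAgentPools = Pool1,Pool9
"""

def parse_prefs(text):
    """Group 'Section.N.Key = value' lines as {section: {N: {key: value}}}; comments are skipped."""
    entries = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\.(\d+)\.(\w+)\s*=\s*(.*)", line)
        if m:
            section, idx, key, value = m.groups()
            entries[section][int(idx)][key] = value.strip()
    return entries

def split_list(value):
    return [x.strip() for x in value.split(",") if x.strip()]

def check_prefs(text):
    """Return the problems found; an empty list means the cross-references are consistent."""
    e = parse_prefs(text)
    principals = {p["Alias"]: p["Principal"] for p in e["Principal"].values()}
    # A Kerberos service principal has an instance part (name/host@REALM); a user principal does not.
    service = {a for a, p in principals.items() if "/" in p.split("@")[0]}
    user = set(principals) - service
    pools = {p["Alias"] for p in e["AgentPool"].values()}
    trusted = {a for t in e["TrustLevel"].values() for a in split_list(t.get("Principals", ""))}
    problems = [f"principal {a} has no trust level" for a in sorted(set(principals) - trusted)]
    problems += [f"trust level names unknown principal {a}" for a in sorted(trusted - set(principals))]
    for n, pool in sorted(e["AgentPool"].items()):
        if pool.get("Principal") not in service:
            problems.append(f"AgentPool.{n} ({pool.get('Alias')}) needs a service principal")
    for n, agent in sorted(e["Agent"].items()):
        problems += [f"Agent.{n}: {a} is not a user principal" for a in split_list(agent.get("EligiblePrincipals", "")) if a not in user]
        problems += [f"Agent.{n}: pool {p} is not defined" for p in split_list(agent.get("EligibleAgentPools", "")) if p not in pools]
    return problems
```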
If you are running an unsecured platform, you will need to end and restart the agent platform for security changes to take effect.</p> </div> </div> <div> <div class="familylinks"> <div class="parentlink"><strong>Parent topic:</strong> <a href="rzahxagentsecure.htm" title="It is strongly recommended that you use Kerberos user and service principals to authenticate users, agent pools, and agent services to one another on or across a secure platform or distributed platform.">Secure your agent environment</a></div> </div> <div class="relconcepts"><strong>Related concepts</strong><br /> <div><a href="rzahxagentstartplatform.htm" title="After you define the agent platform and optionally secure your platform, you will need to start all the Java Virtual Machines associated with your agent services using iSeries CL commands.">Start the agent platform</a></div> </div> <div class="reltasks"><strong>Related tasks</strong><br /> <div><a href="rzahxagentkerberos.htm" title="The intelligent agent platform uses Kerberos principals to authenticate users and services throughout the agent platform. Kerberos protocol, developed by Massachusetts Institute of Technology, allows a principal (a user or service) to prove its identity to another service within an insecure network.">Configure your platform to use Kerberos</a></div> </div> </div> </body> </html>