<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Configure platform security" />
<meta name="abstract" content="Before you begin, ensure that you have configured your Kerberos key distribution center (KDC)." />
<meta name="description" content="Before you begin, ensure that you have configured your Kerberos key distribution center (KDC)." />
<meta name="DC.Relation" scheme="URI" content="rzahxagentsecure.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahxagentkerberos.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahxagentkerberos.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahxagentstartplatform.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahxagentsecurepref" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configure platform security</title>
</head>
<body id="rzahxagentsecurepref"><a name="rzahxagentsecurepref"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configure platform security</h1>
<div><p>Before you begin, ensure that you have configured your Kerberos
key distribution center (KDC).</p>
<div class="section">When security is turned on, <span class="uicontrol">ableplatform.preferences</span> acts
as a policy file for the security of the platform it defines. The following
steps provide examples for how principals, trust levels, and permissions could
be configured:</div>
<ol><li class="stepexpand"><span><strong>Define User and Service principals</strong></span> <div class="p">After you
acquire user and service principals, and register them with your KDC, you
need to add these principals to <span class="uicontrol">ableplatform.preferences</span> .
When security is turned on, a user must be defined with a valid Kerberos user
principal to gain access to the platform, and all agent services and agent
pools must have a valid Kerberos service principal assigned to them. Add the
user or service principals you have registered with your KDC, and specify
an alias for each principal (the alias can be any unique name you want to
use): <div class="note"><span class="notetitle">Note:</span> By using the code examples, you agree to the terms of the <a href="codedisclaimer.htm">Code license and disclaimer information</a>.</div>
</div>
<pre>#----------------------------------------------------------------------
# Principals
#----------------------------------------------------------------------
Principal.1.Alias     = servicePrincipal1
Principal.1.Principal = name1/systemName@REALM

Principal.2.Alias     = servicePrincipal2
Principal.2.Principal = name2/systemName@REALM

Principal.3.Alias     = userPrincipal1
Principal.3.Principal = name1@REALM

Principal.4.Alias     = userPrincipal2
Principal.4.Principal = name2@REALM</pre>
</li>
<li class="stepexpand"><span><strong>Define trust levels</strong></span> <p>After you add user and
service principals, you need to define the trust level associated with each
principal. A trust level is associated with a principal to help define the
capabilities of a user or service on the platform. Associating a trust level
with a principal is also a way to group principals. The same trust level can
be associate with multiple user and service principals. Add the principal
alias you assigned to your service and user principals in step 1, (comma delineated),
to the trust level you want to associate it with, and provide a unique name
for trust level alias:</p>
<pre>#----------------------------------------------------------------------
# Trust Levels
#----------------------------------------------------------------------
TrustLevel.1.Alias      = HighlyTrusted
TrustLevel.1.Principals = servicePrincipal1,userPrincipal1

TrustLevel.2.Alias      = SomewhatTrusted
TrustLevel.2.Principals = servicePrincipal2,userPrincipal2</pre>
</li>
<li class="stepexpand"><span><strong>Associate service principals with Agent Pools</strong></span> <p>A
distributed platform can span multiple ports on multiple systems. Each agent
pool defines where one part (JVM) or the platform will run. Each agent pool
entry contains an alias, an IP Address, a port, and a service principal alias.
The principal alias specifies what service principal this pool will be associated
with. Add the service principal alias you defined above that you want to associate
with your agent pool:</p>
<pre>#----------------------------------------------------------------------
# Agent Pools (Java Virtual Machines)
#----------------------------------------------------------------------
AgentPool.1.Alias     = Pool1
AgentPool.1.IpAddress = systemname.ibm.com
AgentPool.1.Port      = 55551
<strong>AgentPool.1.Principal = servicePrincipal1</strong>

AgentPool.2.Alias     = Pool2
AgentPool.2.IpAddress = systemname.ibm.com
AgentPool.2.Port      = 55552
<strong>AgentPool.2.Principal = servicePrincipal1</strong>

AgentPool.3.Alias     = Pool3
AgentPool.3.IpAddress = systemname.ibm.com
AgentPool.3.Port      = 55553
<strong>AgentPool.3.Principal = servicePrincipal2</strong></pre>
</li>
<li class="stepexpand"><span><strong>Define agent start-up authority</strong></span> <p>Define which
users have the capability to start each of the agents defined on your secure
platform. Add one or more user principal aliases to the EligiblePrincipal
parameter:</p>
<pre>#----------------------------------------------------------------------
# Permitted Agents
#----------------------------------------------------------------------
Agent.1.Alias=Agent1
Agent.1.AutonomyLevel=Medium
Agent.1.ClassName=com.ibm.able.platform.examples.EServerTemplateAgent
Agent.1.ConstructorArgs=String:AgentName1
<span class="uicontrol">Agent.1.EligiblePrincipals=userPrincipal1,userPrincipal2</span>
Agent.1.EligibleAgentPools=Pool2,Pool3
Agent.1.InitArgs=
Agent.1.LastChangedDate=January 11, 2003 11:11am
Agent.1.Type=Tester1
Agent.1.Vendor=IBM1
Agent.1.Version=1.1</pre>
</li>
<li class="stepexpand"><span><strong>Define the algorithm and provider</strong></span> <p>You need
to define the algorithm and provider of the KeyPairs the platform will use.
By default, the preferences file will contain the following setting:</p>
<pre>#----------------------------------------------------------------------
# Cryptography parameters
#----------------------------------------------------------------------
CryptographyAlgorithm = DSA
CryptographyProvider  = IBMJCE</pre>
</li>
</ol>
<div class="section"><p>After you add the necessary security data to <span class="uicontrol">ableplatform.preferences</span>,
save your changes. Turning on security for the platform once it is correctly
configured is as simple as opening <span class="uicontrol">able.preferences</span> that
defines your platform, and changing the Security property to <span class="uicontrol">Security=on</span>.
If you are running an unsecured platform, you will need to end and restart
the agent platform for security changes to take effect.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahxagentsecure.htm" title="It is strongly recommended that you use Kerberos user and service principals to authenticate users, agent pools, and agent services to one another on or across a secure platform or distributed platform.">Secure your agent environment</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzahxagentstartplatform.htm" title="After you define the agent platform and optionally secure your platform, you will need to start all the Java Virtual Machines associated with your agent services using iSeries CL commands.">Start the agent platform</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzahxagentkerberos.htm" title="The intelligent agent platform uses Kerberos principals to authenticate users and services throughout the agent platform. Kerberos protocol, developed by Massachusetts Institute of Technology, allows a principal (a user or service) to prove its identity to another service within an insecure network.">Configure your platform to use Kerberos</a></div>
</div>
</div>
</body>
</html>