10 Securing Oracle Coherence Metrics
This chapter includes the following sections:
- About Securing Oracle Coherence Metrics
  Coherence Metrics authentication and authorization are disabled by default and are enabled as required.
- Basic Authentication for Coherence Metrics Http Acceptor
  You can configure an HTTP acceptor to provide authentication for Coherence Metrics.
- Using SSL Authentication With Oracle Coherence Metrics
  You can use SSL to provide authentication for Coherence Metrics. SSL provides an authentication mechanism that relies on digital certificates and encryption keys to establish both identity and trust.
About Securing Oracle Coherence Metrics
Coherence Metrics authentication support includes: HTTP basic, client-side SSL certificate, and client-side SSL certificate together with HTTP basic.
See Using Coherence Metrics in Managing Oracle Coherence.
Basic Authentication for Coherence Metrics Http Acceptor
This section includes the following topics:
- Specify Basic Authentication for Coherence Metrics HTTP Acceptor
- Specify a Coherence Metrics Login Module
- Specify Basic Authentication for a Coherence Metrics HTTP Client
Specify Basic Authentication for Coherence Metrics HTTP Acceptor
The default metrics-http-config.xml is in coherence-metrics.jar.
To specify basic authentication for an HTTP acceptor, set the system property coherence.metrics.http.auth to the value basic, or override the default metrics-http-config.xml and set the <auth-method> child XML element to the value basic.
Specify a Coherence Metrics Login Module
HTTP basic authentication requires a JAAS javax.security.auth.spi.LoginModule implementation that authenticates the client credentials passed in the HTTP basic authentication header. The resulting Subject can then be used for Oracle Coherence Security Framework authorization as required. See LoginModule in Java Authentication and Authorization Service (JAAS) Reference Guide.
To specify a login module, modify the COHERENCE_HOME/lib/security/login.config login configuration file and include a Coherence entry that names the login module implementation to use. For example:
CoherenceMetrics { package.MyLoginModule required; };
At runtime, specify the login.config file to use either from the command line (using the java.security.auth.login.config system property) or in the Java security properties file.
As a convenience, a Java keystore (JKS) LoginModule implementation that depends only on standard Java run-time classes is provided. The class is located in the COHERENCE_HOME/lib/security/coherence-login.jar file. To use the implementation, either place this library in the proxy server classpath or in the JRE's lib/ext (standard extension) directory.
Specify the JKS login module implementation in the login.config configuration file as follows:
CoherenceMetrics { com.tangosol.security.KeystoreLogin required keyStorePath="${user.dir}${/}security${/}keystore.jks"; };
The entry contains a path to a keystore. Change the keyStorePath variable to the location of a keystore.
Specify Basic Authentication for a Coherence Metrics HTTP Client
See the Prometheus <scrape_config> configuration for the parameters that set scheme to https and configure basic_auth with username and password.
Using SSL Authentication With Oracle Coherence Metrics
Client-side SSL certificates are passed to the HTTP acceptor to authenticate the client. SSL requires an SSL-based socket provider to be configured for the HTTP acceptor.
Configure a Coherence Metrics HTTP Acceptor SSL Socket Provider
Configure an SSL socket provider for an HTTP acceptor when using SSL for authentication. To configure SSL for an HTTP acceptor, explicitly add an SSL socket provider definition or reference an SSL socket provider definition that is in the operational override file.
Explicitly Defining an SSL Socket Provider
To explicitly configure an SSL socket provider for an HTTP acceptor, add a <socket-provider> element within the <http-acceptor> element of each <proxy-scheme> definition. See socket-provider in Developing Applications with Oracle Coherence. You can override the default metrics-http-config.xml by making a copy of it and placing the revised metrics-http-config.xml on the classpath before coherence-metrics.jar occurs.
Example 10-1 demonstrates configuring an SSL socket provider that uses the default values for the <protocol> and <algorithm> elements (TLS and SunX509, respectively). These are shown for completeness but may be left out when using the default values.
Example 10-1 configures both an identity keystore (server.jks) and a trust keystore (trust.jks). This is typical of two-way SSL authentication, in which both the client and proxy must exchange digital certificates and confirm each other's identity. For one-way SSL authentication, the proxy server configuration must include an identity keystore but need not include a trust keystore.
Example 10-1 Sample HTTP Acceptor SSL Configuration
<proxy-scheme>
  <service-name>MetricsHttpProxyService</service-name>
  <acceptor-config>
    <http-acceptor>
      ...
      <socket-provider>
        <ssl>
          <protocol>TLS</protocol>
          <identity-manager>
            <algorithm>SunX509</algorithm>
            <provider system-property="coherence.metrics.security.keystore.provider"/>
            <key-store>
              <url system-property="coherence.metrics.security.keystore">file:server.jks</url>
              <password system-property="coherence.metrics.security.keystore.password"/>
              <type>JKS</type>
            </key-store>
            <password system-property="coherence.metrics.security.identitymanager.password"/>
          </identity-manager>
          <trust-manager>
            <algorithm>SunX509</algorithm>
            <provider system-property="coherence.metrics.security.truststore.provider"/>
            <key-store>
              <url system-property="coherence.metrics.security.truststore">file:trust.jks</url>
              <password system-property="coherence.metrics.security.truststore.password"/>
              <type>JKS</type>
            </key-store>
          </trust-manager>
        </ssl>
      </socket-provider>
      ...
      <auth-method>cert</auth-method>
    </http-acceptor>
  </acceptor-config>
  <autostart>true</autostart>
</proxy-scheme>
Referencing an SSL Socket Provider Definition Using Coherence Metrics
The following example references an SSL socket provider configuration that is defined in the <socket-providers> element of the operational deployment descriptor by specifying the id attribute (ssl) of the configuration. See socket-providers in Developing Applications with Oracle Coherence.
Note:
A predefined SSL socket provider is included in the operational deployment descriptor and is named ssl. The predefined SSL socket provider is configured for two-way SSL connections and is based on peer trust, in which every trusted peer resides within a single JKS keystore. See Coherence PeerX509 Algorithm. To configure a different SSL socket provider, use an operational override file to modify the predefined SSL socket provider or to create a socket provider configuration as required.
<proxy-scheme>
  <service-name>MetricsHttpProxy</service-name>
  <acceptor-config>
    <http-acceptor>
      ...
      <socket-provider>ssl</socket-provider>
      ...
      <auth-method>cert</auth-method>
    </http-acceptor>
  </acceptor-config>
  <autostart>true</autostart>
</proxy-scheme>
Configuring HTTP Client-Side in Prometheus Configuration
Prometheus is an HTTP client metrics gathering system that is used to scrape the Coherence Metrics endpoints. See the Prometheus <scrape_config> configuration for the parameters that set scheme to https and configure basic_auth with username and password. See the Prometheus <tls_config> configuration to configure TLS connections.
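The Prometheus client side for both the basic-authentication client (Specify Basic Authentication for a Coherence Metrics HTTP Client) and the TLS client described here, as an added example that is not from the Oracle documentation. It combines a client certificate with HTTP basic (the page lists that combination as supported); the host name, port, file paths and credentials file are assumed placeholders.

```yaml
# Constructed example: a Prometheus scrape job for a Coherence Metrics
# HTTP acceptor that uses an SSL socket provider and <auth-method>cert or basic.
# Host, port and every file path below are placeholders, not values from the page.
scrape_configs:
  - job_name: coherence-metrics
    scheme: https                                  # TLS to the HTTP acceptor, never plain http
    basic_auth:                                    # credentials checked by the JAAS LoginModule
      username: metrics-reader
      password_file: /etc/prometheus/coherence-metrics.pass   # keep the secret out of the main config
    tls_config:
      ca_file: /etc/prometheus/coherence-ca.pem               # CA that issued the acceptor's server.jks certificate
      cert_file: /etc/prometheus/prometheus-client.pem        # client certificate; its issuer must be in the acceptor's trust.jks
      key_file: /etc/prometheus/prometheus-client.key
      server_name: coherence-metrics.example.internal         # must match the acceptor certificate's SAN or CN
      insecure_skip_verify: false                             # leave verification on; skipping it defeats the trust keystore
    static_configs:
      - targets: ['coherence-metrics.example.internal:9612']  # port is a placeholder
```

Prometheus expects PEM files rather than JKS keystores, so the CA and client key pair used here are the PEM exports of the material the acceptor's trust.jks and client keystore hold.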