This site hosts historical documentation. Visit www.terracotta.org for recent product information.
The Enterprise Edition of the Terracotta kit provides standard authentication methods to control access to Terracotta servers. Enabling one of these methods causes a Terracotta server to require credentials before allowing a JMX connection to proceed.
You can choose one of the following to secure servers:
See the advanced security page to learn how to use Secure Sockets Layer (SSL) encryption and certificate-based authentication to secure enterprise versions of Terracotta clusters.
Lightweight Directory Access Protocol (LDAP) security is based on JAAS and requires Java 1.6. Using an earlier version of Java will not prevent Terracotta servers from running; however, security will not be enabled, so the server will accept JMX connections without credentials.
To configure security using LDAP, follow these steps:
Save the following configuration to the file .java.login.config:

    Terracotta {
      com.sun.security.auth.module.LdapLoginModule REQUIRED
      java.naming.security.authentication="simple"
      userProvider="ldap://orgstage:389"
      authIdentity="uid={USERNAME},ou=People,dc=terracotta,dc=org"
      authzIdentity=controlRole
      useSSL=false
      bindDn="cn=Manager"
      bindCredential="****"
      bindAuthenticationType="simple"
      debug=true;
    };
Edit the values for userProvider (LDAP server), authIdentity (user identity), and bindCredential (the bind password, which this file stores in clear text, not encrypted) to match the values for your environment. Note that with userProvider set to an ldap:// URL and useSSL=false, user passwords and the bind credential cross the network unencrypted, and debug=true makes the login module log authentication details; set useSSL=true (against a port on which the directory server accepts SSL) and debug=false before using the configuration in production.

Save the file .java.login.config to the directory named in the Java property user.home, and restrict its permissions so that only the account running the Terracotta server can read it.
Add the following configuration to each <server> block in the Terracotta configuration file:

    <server host="myHost" name="myServer">
    ...
      <authentication>
        <mode>
          <login-config-name>Terracotta</login-config-name>
        </mode>
      </authentication>
    ...
    </server>
Start the Terracotta server and look for a log message containing "INFO - Credentials: loginConfig[Terracotta]" to confirm that LDAP security is in effect.
If security is set up incorrectly, the Terracotta server can still be started. However, you may not be able to shut it down using the shutdown script (stop-tc-server) or the Terracotta console, because those need to authenticate to the server over JMX.
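The following script checks a .java.login.config entry for the weak settings discussed above (ldap:// without useSSL, debug=true, a clear-text bindCredential) before the file is handed to a Terracotta server, and writes out a corrected entry. It is an added example, not code from the Terracotta documentation or product; it parses only the subset of JAAS syntax the page uses (one entry, one login module, key=value options). The sample entry is constructed for the example (the host name and "****" credential are placeholders), and the choice of port 636 for the corrected entry assumes the directory server accepts SSL there.

```python
"""Lint and harden a JAAS login-configuration entry of the kind Terracotta
reads from .java.login.config for LDAP authentication.

Added example, not Terracotta's own code. Handles the subset of JAAS syntax
used on the page:   Name { Module FLAG key=value key="value" ...; };
"""
import re

# Constructed sample: the page's entry as written, with SSL off and debug on.
# Host name and the "****" bind credential are placeholders.
SAMPLE_CONFIG = """
Terracotta {
  com.sun.security.auth.module.LdapLoginModule REQUIRED
  java.naming.security.authentication="simple"
  userProvider="ldap://orgstage:389"
  authIdentity="uid={USERNAME},ou=People,dc=terracotta,dc=org"
  authzIdentity=controlRole
  useSSL=false
  bindDn="cn=Manager"
  bindCredential="****"
  bindAuthenticationType="simple"
  debug=true;
};
"""

ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
MODULE_RE = re.compile(r"(\S+)\s+(REQUIRED|REQUISITE|SUFFICIENT|OPTIONAL)\s+(.*?);", re.S)
OPTION_RE = re.compile(r'([\w.]+)\s*=\s*(?:"([^"]*)"|(\S+))')


def parse_jaas(text):
    """Parse JAAS text into {entry: [{"module", "flag", "options"}, ...]}."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        modules = []
        for module, flag, opt_text in MODULE_RE.findall(body):
            options = {}
            for key, quoted, bare in OPTION_RE.findall(opt_text):
                options[key] = bare or quoted  # quoted values may be empty
            modules.append({"module": module, "flag": flag, "options": options})
        entries[name] = modules
    return entries


def is_true(value):
    return str(value).strip().lower() == "true"


def lint_ldap_module(options):
    """Return [(level, message), ...] for one LdapLoginModule option set."""
    findings = []
    provider = options.get("userProvider", "")
    if provider.startswith("ldap://") and not is_true(options.get("useSSL", "false")):
        findings.append(("high", "userProvider is ldap:// and useSSL is not true: user "
                         "passwords and the bind credential cross the network in clear text"))
    if is_true(options.get("debug", "false")):
        findings.append(("medium", "debug=true logs authentication details; disable it "
                         "outside troubleshooting"))
    if "bindCredential" in options:
        findings.append(("info", "bindCredential is stored in clear text: the config file "
                         "must be readable only by the account running the server"))
    return findings


def harden_ldap_module(options, ssl_port=636):
    """Return a copy of the options with the weak settings corrected.
    Assumes the directory server accepts SSL on ssl_port (636 is the IANA default)."""
    fixed = dict(options)
    provider = fixed.get("userProvider", "")
    if provider.startswith("ldap://"):
        hostport, sep, path = provider[len("ldap://"):].partition("/")
        host = hostport.split(":", 1)[0]
        fixed["userProvider"] = f"ldap://{host}:{ssl_port}" + (("/" + path) if sep else "")
    fixed["useSSL"] = "true"   # LdapLoginModule then connects over SSL
    fixed["debug"] = "false"
    return fixed


def render_entry(name, module):
    """Serialize one entry back to JAAS syntax (quoting every value is valid JAAS)."""
    lines = [f"{name} {{", f"  {module['module']} {module['flag']}"]
    for key, value in module["options"].items():
        lines.append(f'  {key}="{value}"')
    lines[-1] += ";"
    lines.append("};")
    return "\n".join(lines) + "\n"


def audit(text):
    """Lint every LdapLoginModule in a config; returns {entry: findings}."""
    report = {}
    for name, modules in parse_jaas(text).items():
        for module in modules:
            if module["module"].endswith("LdapLoginModule"):
                report[name] = lint_ldap_module(module["options"])
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(f"[{name}]")
        for level, message in findings:
            print(f"  {level}: {message}")
    entry = parse_jaas(SAMPLE_CONFIG)["Terracotta"][0]
    entry["options"] = harden_ldap_module(entry["options"])
    print(render_entry("Terracotta", entry))
```

The "info" finding deliberately survives hardening: a bind credential cannot be removed from the file if a bind DN is in use, so the remaining control is the file permission on .java.login.config, which the script cannot fix for you.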
There are two roles available for Terracotta servers and clients:
admin – The user with the "admin" role is the initial user who sets up security. Thereafter, the "admin" user can perform system functions such as shutting down servers, clearing or deleting caches and cache managers, and reloading configurations.
terracotta – This is the operator role. The default username for the operator role is "terracotta". The "terracotta" user can connect to the TMC and access the read-only areas, and can start a secure server. A user must have the "admin" role, however, to run the stop-tc-server script.
Since JMX messages are not encrypted, server authentication does not protect the session itself: once a connecting client has presented valid credentials, everything it exchanges with the server crosses the network in clear text. To extend security beyond the login threshold, consider the following options: