JBoss.org Community Documentation
The Teiid system provides a range of built-in and extensible security features to enable the secure access of data.
JDBC clients may use simple passwords to authenticate a user.
Typically a user name is required; however, it may be considered optional if the identity of the user can be discerned from the password credential alone. In any case, it is up to the configured security domain to determine whether a user can be authenticated.
By default, access to Teiid is NOT secure. The default login modules are only backed by file-based authentication, which has a well-known user name and password. The same is true for making connections to the Admin Console application. We DO NOT recommend leaving the default security profile as defined when you are exposing sensitive data.
Authorization covers both administrative activities and data roles. A data role is a collection of permissions (also referred to as entitlements) and a collection of entitled principals or groups. With the deployment of a VDB the deployer can choose which principals and groups have which data roles.
At a transport level Teiid provides built-in support for JDBC over SSL or just sensitive message encryption when SSL is not in use.
Passwords in configuration files however are by default stored in plain text. If you need these values to be encrypted, please see encrypting passwords for instructions on encryption facilities provided by the container.
LoginModules are an essential part of the JAAS security framework; they provide Teiid with customizable user authentication and the ability to reuse existing LoginModules defined for JBossAS. See JBossAS Security for general information on configuring security in JBossAS.
Teiid can be configured with multiple named application policies, each grouping together the relevant LoginModules. Each application policy (or domain) name can be used to fully qualify a user name so that it is authenticated only against that domain. The format for a qualified name is username@domainname.
If a user name is not fully qualified, then the installed domains will be consulted in order until a domain successfully or unsuccessfully authenticates the user.
If no domain can authenticate the user, the logon attempt will fail. Details of the failed attempt, including invalid users, which domains were consulted, and so on, will be written to the server log at the appropriate severity level.
The security domains defined for JDBC connections and Admin connections are separate. The default name of the JDBC connection's security domain is "teiid-security"; the default name for the Admin connection's security domain is "jmx-console". For the Admin connection's security domain, you may change which LoginModule "jmx-console" points to, but you should not change the name of the domain, because that name is shared with the "admin-console" application.
JBossAS provides several LoginModules for common authentication needs, such as authenticating from text files or LDAP.
The UsersRolesLoginModule uses simple text files to authenticate users and to define their groups. The teiid-jboss-beans.xml configuration file contains an example of how to use UsersRolesLoginModule. Note that this is typically not for production use.
See LDAP LoginModule configuration for utilizing LDAP-based authentication. If you want to use your own custom LoginModule, see the Developer's Guide for instructions.
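As an added example (not Teiid's or JBossAS's own code), the following stand-alone Java program models the qualified-name handling described above and also shows the shape of a custom JAAS LoginModule: each security domain is a JAAS application policy backed by a toy LoginModule whose user table is constructed sample data passed in as module options. The class and method names (DomainLoginExample, TableLoginModule, authenticate) are assumptions, as is the modelling choice that "this domain does not know the user" is an abstention that lets the ordered search continue, while a wrong password is a definitive failure that stops it.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Added illustration of username@domainname resolution over ordered JAAS policies; not Teiid's code. */
public class DomainLoginExample {

    /** Toy LoginModule: the user table arrives as module options "user.<name>" (constructed sample data). */
    public static class TableLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map<String, ?> options;
        private String user;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject; this.handler = handler; this.options = options;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException(e.toString());
            }
            Object expected = options.get("user." + nc.getName());
            if (expected == null) {
                // Not our user: abstain so the next domain in order can be consulted (assumption, see lead-in)
                throw new AccountNotFoundException("unknown user " + nc.getName());
            }
            if (!Arrays.equals(((String) expected).toCharArray(), pc.getPassword())) {
                throw new FailedLoginException("bad password");   // definitive: the search stops here
            }
            pc.clearPassword();
            user = nc.getName();
            return true;
        }

        public boolean commit() { subject.getPrincipals().add(new UserPrincipal(user)); return true; }
        public boolean abort()  { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** One JAAS application policy (security domain) per map entry, consulted in the map's iteration order. */
    static Configuration policies(Map<String, Map<String, String>> domains) {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = domains.get(name);
                if (opts == null) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        TableLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    static CallbackHandler credentials(String name, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** "user@domain" is tried only against that domain; a bare "user" walks the domains in order. */
    static String authenticate(String login, String password,
                               Map<String, Map<String, String>> domains) throws LoginException {
        int at = login.lastIndexOf('@');                  // assumption: the qualifier is after the last '@'
        String user = at < 0 ? login : login.substring(0, at);
        Iterable<String> order = at < 0 ? domains.keySet()
                                        : Collections.singletonList(login.substring(at + 1));
        Configuration cfg = policies(domains);
        for (String domain : order) {
            if (!domains.containsKey(domain)) throw new LoginException("no such security domain: " + domain);
            LoginContext lc = new LoginContext(domain, new Subject(), credentials(user, password), cfg);
            try {
                lc.login();
                return user + "@" + domain;               // success: stop at the first domain that accepts
            } catch (AccountNotFoundException unknown) {
                // this domain does not know the user; keep consulting the remaining domains in order
            }                                             // any other LoginException is definitive and propagates
        }
        throw new FailedLoginException("no security domain could authenticate " + user);
    }

    public static void main(String[] args) throws LoginException {
        Map<String, Map<String, String>> domains = new LinkedHashMap<>();
        domains.put("teiid-security", Collections.singletonMap("user.alice", "s3cret"));   // constructed
        domains.put("ldap", Collections.singletonMap("user.bob", "hunter2"));              // constructed
        System.out.println(authenticate("bob", "hunter2", domains));              // bob@ldap (second domain)
        System.out.println(authenticate("alice@teiid-security", "s3cret", domains));
        try { authenticate("alice", "wrong", domains); }
        catch (FailedLoginException e) { System.out.println("rejected by teiid-security: " + e.getMessage()); }
    }
}
```

The third call in main never reaches the "ldap" domain: "teiid-security" knows alice and rejects the password, which the page describes as an unsuccessful authentication that ends the search. A module intended for JBossAS would additionally expose the user's groups (the principals that data roles are granted to) in the form the container expects; the Developer's Guide referenced above covers that contract.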
Teiid's configuration file, <jboss-install>/server/<profile>/deploy/teiid/teiid-jboss-beans.xml, contains the properties to configure SSL.
There are two separate connection profiles:
JDBC Connection - The JdbcSslConfiguration bean configuration defines this.
Admin Connection - The AdminSslConfiguration bean configuration defines this.
Example 3.1. Example Configuration
<bean name="JdbcSslConfiguration" class="org.teiid.transport.SSLConfiguration">
    <!-- SSL is OFF by default; set to true before exposing sensitive data -->
    <property name="sslEnabled">false</property>
    <!-- keystore holding the server's private key; must be on the Teiid server classpath -->
    <property name="keystoreFilename">cert.keystore</property>
    <property name="keystorePassword">passwd</property>
    <property name="keystoreType">JKS</property>
    <property name="sslProtocol">SSLv3</property>
    <!-- key management algorithm name, e.g. SunX509 -->
    <property name="keymanagementAlgorithm">SunX509</property>
    <!-- truststore holding the client certificates; required for 2-way mode -->
    <property name="truststoreFilename">cert.truststore</property>
    <property name="truststorePassword">passwd</property>
    <!-- 1-way, 2-way, anonymous -->
    <property name="authenticationMode">1-way</property>
    <property name="clientEncryptionEnabled">true</property>
</bean>
Properties
sslEnabled - true|false; turns SSL usage ON or OFF.
sslProtocol - Type of SSL protocol to be used. Default is SSLv3.
keystoreType - Keystore type created by the keytool. Default "JKS" is used.
authenticationMode - anonymous|1-way|2-way; the SSL mode, as listed in the comment in the example above.
keymanagementAlgorithm - Type of key algorithm used. Default is based upon the VM, e.g. "SunX509".
keystoreFilename - The file name of the keystore, which contains the private key of the server. This must be available on the classpath of the Teiid server.
keystorePassword - Password for the keystore.
truststoreFilename - Required if "authenticationMode" is "2-way". This is the truststore that contains the public key of the client. Depending upon how you created the keystore and truststore, this may be the same file as defined under the "keystoreFilename" property.
truststorePassword - Password for the truststore.
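As an added illustration of how the properties listed above map onto the standard JSSE calls that build the server side of a connection (this is not Teiid's org.teiid.transport.SSLConfiguration class), the following stand-alone Java code reads the same property names into a holder and turns them into an SSLEngine. TransportSslExample, SslProps and serverEngine are names chosen here; the file names and passwords are the placeholders from Example 3.1. Two deliberate departures from the defaults above, both labelled in the code: it assumes a TLS protocol name rather than SSLv3, which is obsolete (RFC 7568), and it treats sslEnabled=false as an error instead of silently running in the clear.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/** Added example: the SSL properties from Example 3.1 expressed as JSSE calls. Not Teiid's own code. */
public class TransportSslExample {

    /** Hypothetical holder mirroring the property names; values are the placeholders from the page. */
    static final class SslProps {
        boolean sslEnabled = true;
        String sslProtocol = "TLS";            // page default is SSLv3; SSLv3 is rejected below
        String keystoreType = "JKS";
        String keymanagementAlgorithm = KeyManagerFactory.getDefaultAlgorithm(); // e.g. "SunX509"
        String keystoreFilename = "cert.keystore";
        char[] keystorePassword = "passwd".toCharArray();
        String truststoreFilename = "cert.truststore";
        char[] truststorePassword = "passwd".toCharArray();
        String authenticationMode = "1-way";  // anonymous | 1-way | 2-way
    }

    static KeyStore load(String type, String file, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Builds a server-side SSLEngine configured the way the authenticationMode property implies. */
    static SSLEngine serverEngine(SslProps p) throws GeneralSecurityException, IOException {
        if (!p.sslEnabled) {
            throw new IllegalStateException("sslEnabled=false: traffic would be sent without TLS");
        }
        if ("SSLv3".equalsIgnoreCase(p.sslProtocol)) {
            throw new IllegalArgumentException("SSLv3 is obsolete (RFC 7568); use a TLS protocol");
        }
        boolean anonymous = "anonymous".equals(p.authenticationMode);
        boolean twoWay = "2-way".equals(p.authenticationMode);

        KeyManager[] km = null;
        if (!anonymous) {
            // keystoreFilename: the server's private key and certificate, proving the server's identity (1-way and 2-way)
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(p.keymanagementAlgorithm);
            kmf.init(load(p.keystoreType, p.keystoreFilename, p.keystorePassword), p.keystorePassword);
            km = kmf.getKeyManagers();
        }
        TrustManager[] tm = null;
        if (twoWay) {
            // truststoreFilename: certificates the server will accept from clients (page has one keystoreType for both)
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(load(p.keystoreType, p.truststoreFilename, p.truststorePassword));
            tm = tmf.getTrustManagers();
        }
        SSLContext ctx = SSLContext.getInstance(p.sslProtocol);
        ctx.init(km, tm, null);

        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        // 2-way: the handshake fails unless the client presents a certificate the truststore trusts
        engine.setNeedClientAuth(twoWay);
        if (anonymous) {
            // Anonymous DH suites encrypt but authenticate neither side; JSSE disables them by default and
            // current JDKs also block them through the jdk.tls.disabledAlgorithms security property.
            String[] anon = Arrays.stream(engine.getSupportedCipherSuites())
                    .filter(s -> s.contains("_anon_")).toArray(String[]::new);
            engine.setEnabledCipherSuites(anon);
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SslProps p = new SslProps();
        p.authenticationMode = "2-way";      // requires both cert.keystore and cert.truststore to exist
        SSLEngine e = serverEngine(p);
        System.out.println("needClientAuth=" + e.getNeedClientAuth()
                + " protocols=" + Arrays.toString(e.getEnabledProtocols()));
    }
}
```

The mapping makes the difference between the modes concrete: 1-way only ever loads the keystore, 2-way additionally loads the truststore and sets needClientAuth, and anonymous loads neither, which is why it offers confidentiality without any authentication of the peer. Running main needs the two keystore files from Example 3.1 to exist on disk with the placeholder password.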