Security Token Files

When a security domain requestor uses a security token file to connect to a metaspace, ActiveSpaces uses the contents of the security token to:

Restrict the metaspaces to which a security domain requestor can connect.

Ensure the identity of the security domain controller.

Determine the level of transport security the security domain requestor should use for TCP communication.

The same token file can be shared by different security domain requestors. If you use the same token file for different requestors, consider the following:

  • If the token does not have an ID, the tokens used by different requestors on the same metaspace will probably look the same.
  • However, if the tokens do have an ID, you should avoid sharing it as their certificates will be the same.
  • Creating a Security Token File
    You generate a security token file from a security policy file using the Admin CLI.and an existing security policy file.
  • Limiting Metaspace Access
    Typically, you do not need to edit a security token file. The one case where you might want to edit a security token file is when a security domain is associated with more than one metaspace, but you want to make sure that a security token file can only be used to connect to a specific metaspace.
  • Validating a Security Token File
    You validate security token files using the Admin CLI. After you have finished generating or editing a security token file, you should validate the file to make sure that the token file is valid before you try to actually use it. The following example shows the Admin CLI command to validate a security token file:
  • Security Token File Keys and Certificates
    When you generate a security token file from a security policy file, the public certificate of the domain identity in the security policy file is copied to the security token file. When a security domain requestor attempts to connect to a metaspace using the security token file, the connection fails if the public certificate in the security token file does not match the security domain controller's identity certificate.
  • Metaspace Access List
    Each domain defined in a security policy file contains a Metaspace Access List. The Metaspace Access List restricts the security behavior defined by the settings for its security domain to only those metaspaces specified in the list. A metaspace can only belong to one security domain.