Problem:
- Product Name: BES (VisiBroker Edition)
- Product Version: 6.5
- Product Component: Gatekeeper
- Platform/OS Version: all supported versions
- JDK/Compiler Version: all supported versions
How to set up a Gatekeeper ACL using object interface with the Naming Service
Resolution:
This article describes how to set up a Gatekeeper ACL based on object interface, which is not documented in the Gatekeeper Guide. The solution extends this further by including the use of the Naming Service and the Smart Agent.
The attached solution shows how a simple VBJ client can access a VBJ server via the Naming Service and the Smart Agent. The Gatekeeper security setting denies all access by default and grants access only to the object interfaces listed in the ACL rules.
gatekeeper.properties, including the Naming Service reference and the ACL settings:
vbroker.orb.initRef=NameService=corbaloc::localhost:32010/NameService
vbroker.orb.dynamicLibs=com.inprise.vbroker.gatekeeper.security.Init
vbroker.gatekeeper.security.accessControllers=money
vbroker.gatekeeper.security.acl.money.default=deny
vbroker.gatekeeper.security.acl.money.rules=rule1,rule2,rule3
vbroker.gatekeeper.security.acl.money.rule1=grant[operation="*"[object interface="IDL:Money/Accounting:1.0"]]
vbroker.gatekeeper.security.acl.money.rule2=grant[operation="*"[object interface="IDL:omg.org/CosNaming/ExtendedNamingContextFactory:1.0"]]
vbroker.gatekeeper.security.acl.money.rule3=grant[operation="*"[object interface="IDL:omg.org/CosNaming/NamingContextExt:1.0"]]
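The following is an added example, not part of the original article and not VisiBroker's own code: a small offline model of the ACL above. It parses the vbroker.gatekeeper.security.acl.* properties exactly as written, then answers "would a request for this operation on this interface repository ID be granted?". The matching semantics are simplified assumptions made for illustration (a rule applies when both its operation pattern and its object-interface pattern match, with "*" as a wildcard; anything no rule matches falls back to the controller's default). The operation names used as sample requests are constructed. The point it shows is why rules 2 and 3 are needed: with default=deny, a client that is only granted IDL:Money/Accounting:1.0 could not even resolve the server through the Naming Service.

```python
"""Offline model of the Gatekeeper ACL shown in the article (added example).

Matching semantics are an assumption for illustration, not VisiBroker's
documented algorithm: the first rule whose operation and object-interface
patterns both match decides, otherwise the controller default applies.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample input: the gatekeeper.properties lines from the article.
GATEKEEPER_PROPERTIES = """\
vbroker.orb.initRef=NameService=corbaloc::localhost:32010/NameService
vbroker.orb.dynamicLibs=com.inprise.vbroker.gatekeeper.security.Init
vbroker.gatekeeper.security.accessControllers=money
vbroker.gatekeeper.security.acl.money.default=deny
vbroker.gatekeeper.security.acl.money.rules=rule1,rule2,rule3
vbroker.gatekeeper.security.acl.money.rule1=grant[operation="*"[object interface="IDL:Money/Accounting:1.0"]]
vbroker.gatekeeper.security.acl.money.rule2=grant[operation="*"[object interface="IDL:omg.org/CosNaming/ExtendedNamingContextFactory:1.0"]]
vbroker.gatekeeper.security.acl.money.rule3=grant[operation="*"[object interface="IDL:omg.org/CosNaming/NamingContextExt:1.0"]]
"""

# Only the rule shape used in the article is modelled:
#   grant[operation="<op>"[object interface="<repository id>"]]
RULE_RE = re.compile(
    r'^(?P<action>grant|deny)\[operation="(?P<op>[^"]*)"'
    r'\[object interface="(?P<iface>[^"]*)"\]\]$'
)


def parse_properties(text):
    """Parse key=value lines; split on the first '=' so corbaloc values survive."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def load_acl(props, controller):
    """Return (default_action, [(action, op_pattern, iface_pattern), ...])."""
    base = f"vbroker.gatekeeper.security.acl.{controller}."
    default = props.get(base + "default", "deny")  # assumption: deny if unset
    rules = []
    for name in props.get(base + "rules", "").split(","):
        name = name.strip()
        if not name:
            continue
        raw = props[base + name]
        m = RULE_RE.match(raw)
        if not m:
            raise ValueError(f"unparsed rule {name}: {raw}")
        rules.append((m["action"], m["op"], m["iface"]))
    return default, rules


def decide(default, rules, interface_id, operation):
    """First rule whose operation and interface patterns both match decides."""
    for action, op_pat, iface_pat in rules:
        if fnmatchcase(operation, op_pat) and fnmatchcase(interface_id, iface_pat):
            return action
    return default


def check(interface_id, operation, controller="money"):
    """Evaluate one request against the ACL embedded above."""
    props = parse_properties(GATEKEEPER_PROPERTIES)
    default, rules = load_acl(props, controller)
    return decide(default, rules, interface_id, operation)


if __name__ == "__main__":
    # Constructed requests: the server's interface, a Naming Service lookup,
    # and an interface that no rule grants (falls through to default=deny).
    for iface, op in [
        ("IDL:Money/Accounting:1.0", "deposit"),
        ("IDL:omg.org/CosNaming/NamingContextExt:1.0", "resolve_str"),
        ("IDL:Money/Audit:1.0", "report"),
    ]:
        print(f"{op:12s} on {iface}: {check(iface, op)}")
```

Running the block prints grant for the first two requests and deny for the third. Removing rule2 and rule3 from the embedded properties makes the Naming Service lookup return deny as well, which is the failure a client sees when only the application interface is granted.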
Server.properties, including the Gatekeeper proxy (replace IOR with the Gatekeeper's IOR):
vbroker.orb.dynamicLibs=com.inprise.vbroker.firewall.Init
vbroker.orb.exportFirewallPath=true
vbroker.se.iiop_tp.firewallPaths=internet
vbroker.firewall-path.internet=proxy
vbroker.firewall.proxy.type=PROXY
vbroker.firewall.proxy.ior=IOR
Client.properties, including the Gatekeeper proxy (replace IOR with the Gatekeeper's IOR):
vbroker.orb.alwaysProxy=true
vbroker.orb.dynamicLibs=com.inprise.vbroker.firewall.Init
vbroker.orb.gatekeeper.ior=IOR
vbroker.orb.defAddrMode=2
Note that vbroker.orb.alwaysProxy=true and vbroker.orb.defAddrMode=2 are required for the client to be able to connect via object interface.
Steps to run the test:
- Start the Smart Agent
- Start Gatekeeper using the start_gk.bat script
- Start the Naming Service using the start_ns.bat script
- Start the Server using the start_server.bat script
- Start the Client using the start_client.bat script
#Security
#gatekeeper
#VisiBroker