Operating Systems: i5/OS
Asynchronous messaging - security considerations
This topic describes considerations that you should be aware of if you want to
use security for asynchronous messaging with WebSphere Application Server.
Security for messaging is enabled only when WebSphere Application Server
administrative security is enabled. In this case:
- JMS connections made to the JMS provider are authenticated.
- Access to JMS resources owned by the JMS provider is controlled by access
authorizations.
- Requests to create new connections to the JMS provider must provide a
user ID and password for authentication.
- The user ID and password do not need to be provided by the application.
If authentication is successful, then the JMS connection is created; if
the authentication fails then the connection request is ended.
Standard J2C authentication is used for a request to create a new connection
to the JMS provider. If your resource authentication (res-auth) is set to
Application, set the alias in the Component-managed Authentication Alias.
If the application that tries to create a connection to the JMS provider specifies
a user ID and password, those values are used to authenticate the creation
request. If the application does not specify a user ID and password, the values
defined by the Component-managed Authentication Alias are used. If the connection
factory is not configured with a Component-managed Authentication Alias, then
you receive a runtime JMS exception when an attempt is made to connect to
the JMS provider.
Restriction:
- User IDs longer than 12 characters cannot be used for authentication with
the V5 default messaging provider or WebSphere MQ. For example, the
default Windows NT user ID, Administrator, is not valid for use because
it contains 13 characters. Therefore, an authentication alias for a WebSphere
JMS provider or WebSphere MQ connection factory must specify a user ID no
longer than 12 characters.
- If you want to use Bindings transport mode for JMS connections to WebSphere MQ,
you set the property Transport type=BINDINGS on the WebSphere MQ Queue
Connection Factory. You must also choose one of the following options:
  - To use security credentials, ensure that the user specified is the currently
  logged on user for the WebSphere Application Server process. If the user
  specified is not the current logged on user for the WebSphere Application
  Server process, then the WebSphere MQ JMS Bindings authentication throws the
  error MQJMS2013 invalid security authentication supplied for MQQueueManager.
  - Do not specify security credentials. On the WebSphere MQ Connection Factory,
  ensure that both the Component-managed Authentication Alias and the
  Container-managed Authentication Alias properties are not set.
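The credential precedence and the two restrictions above can be checked before a connection factory is deployed. The following Python sketch is an added example, not IBM code; the dictionary layout, provider labels, alias names and user IDs are constructed for illustration and are not WebSphere attribute names.

```python
# Added example. Field names and provider labels are constructed for this
# sketch; they are not WebSphere configuration attribute names.
MAX_USER_ID_LEN = 12                             # limit stated on this page
LENGTH_LIMITED = {"v5-default", "websphere-mq"}  # providers the limit covers


def audit(factory, aliases, process_user, app_user=None):
    """Return findings for one connection factory used with res-auth=Application.

    aliases maps alias name -> user ID; app_user is the user ID the
    application itself passes when it creates the connection, if any.
    """
    findings = []
    component = aliases.get(factory.get("component_alias"))
    container = aliases.get(factory.get("container_alias"))
    supplied = {app_user, component, container} - {None}
    bindings = (factory["provider"] == "websphere-mq"
                and factory.get("transport") == "BINDINGS")

    if bindings:
        # Option 1: every supplied user is the server process user.
        # Option 2: no credentials and no aliases at all (nothing to flag).
        for user in supplied:
            if user != process_user:
                findings.append(f"{user}: not the server process user (MQJMS2013)")
    elif not (app_user or component):
        # Application credentials win; the component-managed alias is the fallback.
        findings.append("no application credentials and no component-managed "
                        "alias: runtime JMS exception on connect")

    if factory["provider"] in LENGTH_LIMITED:
        for user in supplied:
            if len(user) > MAX_USER_ID_LEN:
                findings.append(f"{user}: user ID longer than {MAX_USER_ID_LEN} characters")
    return sorted(findings)


# Constructed sample data.
ALIASES = {"node1/mqAlias": "Administrator", "node1/svc": "wasadmin"}
MQ_CLIENT = {"provider": "websphere-mq", "transport": "CLIENT",
             "component_alias": "node1/mqAlias"}
MQ_BINDINGS = {"provider": "websphere-mq", "transport": "BINDINGS",
               "component_alias": "node1/svc"}
V5_NO_ALIAS = {"provider": "v5-default"}

if __name__ == "__main__":
    for name, f in [("MQ_CLIENT", MQ_CLIENT), ("MQ_BINDINGS", MQ_BINDINGS),
                    ("V5_NO_ALIAS", V5_NO_ALIAS)]:
        print(name, audit(f, ALIASES, process_user="wasadmin"))
```

An alias name that does not resolve in the alias map is treated here as not configured.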
Authorization to access messages stored by the default messaging provider
is controlled by authorization to access the service integration bus destinations
on which the messages are stored. For information about authorizing permissions
for individual bus destinations, see Administering destination roles.
Related concepts
Styles of messaging in applications
WebSphere Application Server cloning and WebSphere MQ clustering
Related tasks
Learning about messaging with WebSphere Application Server
Learning about service integration security