Asynchronous messaging - security considerations

This topic describes considerations that you should be aware of if you want to use security for asynchronous messaging with WebSphere Application Server.

[AIX HP-UX Linux Solaris Windows] [iSeries] Security for messaging is enabled only when WebSphere Application Server administrative security is enabled. In this case:

[z/OS] When security for messaging is enabled:

[z/OS] Note: Users exploiting the connector thread identity support do not have to provide a user ID and password for authentication (see the subsequent links).

If authentication is successful, then the JMS connection is created; if the authentication fails then the connection request is ended.

Standard J2C authentication is used for a request to create a new connection to the JMS provider. If your resource authentication (res-auth) is set to Application, set the alias in the Component-managed Authentication Alias. If the application that tries to create a connection to the JMS provider specifies a user ID and password, those values are used to authenticate the creation request. If the application does not specify a user ID and password, the values defined by the Component-managed Authentication Alias are used. If the connection factory is not configured with a Component-managed Authentication Alias, then you receive a runtime JMS exception when an attempt is made to connect to the JMS provider.

[z/OS] If your res-auth property is set to Container, you can set the Container-managed Authentication Alias on the Connection Factory, and specify the user ID and password within this alias. If you are running in Bindings transport mode (that is, the TransportType property on the Connection Factory is set to "BINDINGS"), then you can also exploit the connector thread identity function instead of specifying a container-managed alias. For more information, see Connection thread identity and Using thread identity support.

[z/OS] If you are working with a message-driven bean and are configuring a message-driven bean listener under the Message Listener Service, see Configuring security for message-driven beans that use listener ports for more information.

[z/OS]
Note: In addition to the authorization needed for creating a connection to a JMS provider, which you set up when creating a JMS connection, you also typically need authorization to access specific JMS resources associated with that JMS provider, for example permission to write to a given queue. For more information about using WebSphere MQ as your JMS provider, see the WebSphere MQ documentation library: http://www.ibm.com/software/integration/wmq/library.
Restriction:
  1. User IDs longer than 12 characters cannot be used for authentication with the Version 5 default messaging provider or WebSphere MQ. For example, the default Windows NT user ID, Administrator, is not valid for use because it contains 13 characters. Therefore, an authentication alias for a WebSphere JMS provider or WebSphere MQ connection factory must specify a user ID no longer than 12 characters.
  2. [AIX HP-UX Linux Solaris Windows] [iSeries] If you want to use Bindings transport mode for JMS connections to WebSphere MQ, you set the property Transport type=BINDINGS on the WebSphere MQ Queue Connection Factory. You must also choose one of the following options:
    • To use security credentials, ensure that the user specified is the currently logged-on user for the WebSphere Application Server process. If the user specified is not the currently logged-on user for the WebSphere Application Server process, then the WebSphere MQ JMS Bindings authentication throws the error "MQJMS2013 invalid security authentication supplied for MQQueueManager".
    • Do not specify security credentials. On the WebSphere MQ Connection Factory, ensure that both the Component-managed Authentication Alias and the Container-managed Authentication Alias properties are not set.
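The following Java client is an added example, not code from the WebSphere documentation, illustrating the two resource-authentication modes described above: with res-auth set to Application the application passes credentials to createConnection(user, password), and they take precedence over the Component-managed Authentication Alias; with res-auth set to Container (or with no explicit credentials) the container supplies the alias configured on the connection factory and a missing alias surfaces only as a runtime JMSException. It also applies Restriction 1 (user IDs of at most 12 characters) before attempting authentication. The resource-reference name java:comp/env/jms/ExampleCF and the res-auth wiring in the deployment descriptor (a resource-ref whose res-auth element is Application or Container) are assumptions for illustration.

```java
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Added example (not from the WebSphere documentation): obtains a JMS
 * connection through a J2C connection factory looked up via a resource
 * reference and shows the res-auth Application and Container cases.
 * JNDI names and credential values are assumptions for illustration.
 */
public class JmsAuthExample {

    // Restriction 1 above: user IDs longer than 12 characters cannot be
    // used for authentication with the V5 default provider or WebSphere MQ.
    static final int MAX_USER_ID_LENGTH = 12;

    static boolean isValidAuthUserId(String userId) {
        return userId != null && !userId.isEmpty()
            && userId.length() <= MAX_USER_ID_LENGTH;
    }

    /** res-auth=Application: the application supplies the credentials itself. */
    static Connection connectWithApplicationAuth(ConnectionFactory cf,
            String userId, String password) throws JMSException {
        if (!isValidAuthUserId(userId)) {
            // Fail fast with a clear message instead of a provider error.
            throw new IllegalArgumentException(
                "authentication user ID must be 1-12 characters: " + userId);
        }
        // Credentials passed here override the Component-managed
        // Authentication Alias configured on the connection factory.
        return cf.createConnection(userId, password);
    }

    /**
     * res-auth=Container, or res-auth=Application with no explicit
     * credentials: the container applies the alias configured on the
     * connection factory, so the application never handles the password.
     */
    static Connection connectWithContainerAuth(ConnectionFactory cf)
            throws JMSException {
        // If no alias is configured on the factory, this call fails with
        // a JMSException at runtime, not at deployment time.
        return cf.createConnection();
    }

    public static void main(String[] args) throws NamingException {
        InitialContext ctx = new InitialContext();
        // Assumed resource reference; the deployment descriptor binds it
        // to the real connection factory JNDI name and sets res-auth.
        ConnectionFactory cf = (ConnectionFactory)
            ctx.lookup("java:comp/env/jms/ExampleCF");
        Connection conn = null;
        try {
            conn = connectWithContainerAuth(cf);
            conn.start();
            System.out.println("JMS connection established");
        } catch (JMSException e) {
            // A failed authentication ends the connection request; the
            // linked exception carries the provider's own reason code.
            System.err.println("connection refused: " + e.getMessage());
            if (e.getLinkedException() != null) {
                System.err.println("cause: " + e.getLinkedException());
            }
        } finally {
            if (conn != null) {
                try { conn.close(); } catch (JMSException ignored) { }
            }
        }
    }
}
```

When auditing an application, check which of the two paths it uses: the Application path means credentials live in application code or configuration, while the Container path keeps them in the connection factory's alias under administrative control.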

Authorization to access messages stored by the default messaging provider is controlled by authorization to access the service integration bus destinations on which the messages are stored. For information about authorizing permissions for individual bus destinations, see Administering destination roles through the command line.

Related concepts
Styles of messaging in applications
WebSphere Application Server cloning and WebSphere MQ clustering
Learning about service integration security
Related tasks
Learning about messaging with WebSphere Application Server


Last updated: Aug 31, 2013 2:56:59 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=cm_secty
File name: cm_secty.html