WebSphere MQ server - connection and authentication

Each WebSphere® MQ server definition includes the connection properties and authentication settings that service integration uses to connect to the associated WebSphere MQ queue manager or queue sharing group, either for resource discovery or for messaging.

Connection

Service integration connects to the WebSphere MQ network in the following situations:
  • When, as part of the process of creating a WebSphere MQ server through the administrative console, the automatic resource discovery process runs to capture resource information directly from WebSphere MQ. The wsadmin commands do not support automatic discovery of resources.
  • When the WebSphere MQ server is used to pass messages between service integration and WebSphere MQ.

The connection access path is determined by the host, port, transport chain and WebSphere MQ connection channel that you specify when you create the WebSphere MQ server definition. You get this information from the WebSphere MQ system administrator. The connection access path is also affected by the connection mode that you specify:

For more information about the mechanisms used to connect to WebSphere MQ for z/OS, see the WebSphere MQ for z/OS System Setup Guide.

Authentication

The WebSphere MQ system administrator will probably want service integration to authenticate with WebSphere MQ whenever it connects. This happens whenever message data needs to be exchanged with a queue point or a mediation point that is assigned to a WebSphere MQ server bus member, and when the automated resource discovery process runs while you are configuring a WebSphere MQ server using the administrative console.

The WebSphere MQ system administrator might also want to set up two different user accounts on the WebSphere MQ system: one with only the privileges needed for resource discovery, and one with only the privileges needed for messaging. The WebSphere MQ server definition supports this requirement by allowing you to configure the MQ server with two authentication aliases, corresponding to these two accounts.

Authentication aliases are restricted to a maximum of 12 characters in length, because the user identifier that WebSphere MQ uses for checking the identity of new connections also has this restriction. If authentication aliases exceed 12 characters in length, they are truncated.

If you are using Resource Access Control Facility (RACF®) as the security manager on your WebSphere MQ for z/OS system, and using bindings transport mode, you must specify in uppercase characters the user names and passwords for authentication aliases. If you are using RACF and client transport mode, you can specify the user names and passwords in either upper or lower case characters.
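The following pre-deployment check is an added example, not IBM code: it applies the 12-character truncation and the RACF bindings-mode uppercase rule described above to a pair of aliases, and flags the case where truncation leaves the discovery and messaging aliases with the same effective user ID. It assumes the limit applies to the user name held in the alias; the dictionary layout, finding codes and sample credentials are constructed for illustration.

```python
MAX_LEN = 12  # length limit stated in this topic


def audit_aliases(aliases, racf=False, transport="client"):
    """Return (alias, finding_code) tuples for settings MQ would alter or reject.

    aliases maps a hypothetical alias label to a (user, password) tuple.
    Passwords are inspected for case only and never included in the output.
    """
    findings = []
    first_seen = {}  # effective (truncated) user ID -> alias that used it first
    for alias, (user, password) in aliases.items():
        effective = user[:MAX_LEN]
        if len(user) > MAX_LEN:
            findings.append((alias, "TRUNCATED"))
        # Uppercase is required only for RACF with bindings transport mode.
        if racf and transport == "bindings":
            if user != user.upper():
                findings.append((alias, "USER_NOT_UPPERCASE"))
            if password != password.upper():
                findings.append((alias, "PASSWORD_NOT_UPPERCASE"))
        # Two aliases meant for separate accounts must not collapse into one.
        if effective in first_seen:
            findings.append((alias, "SHARED_EFFECTIVE_ID"))
        else:
            first_seen[effective] = alias
    return findings


# Constructed sample: both user names share their first 12 characters.
SAMPLE = {
    "discovery": ("svcintegration_disc", "S3CRET"),
    "messaging": ("svcintegration_msg", "s3cret"),
}

if __name__ == "__main__":
    for alias, code in audit_aliases(SAMPLE, racf=True, transport="bindings"):
        print(alias, code)
```

A `SHARED_EFFECTIVE_ID` finding means the separation between the discovery account and the messaging account would not survive truncation, so both connections would be checked against one identity.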

Where an authentication alias exists, the user name and password it contains are examined by WebSphere MQ using a WebSphere MQ channel security exit. WebSphere MQ for z/OS provides a sample security exit CSQ4BCX3, which demonstrates how you can perform authentication based on this information.

When messages are sent to WebSphere MQ for resource discovery, the MQPMO_SET_IDENTITY_CONTEXT option is used. The credentials used to establish a messaging connection must have authority to assert this.

The connection mode you use for connecting to WebSphere MQ affects which credentials are used:

Overriding the connection and authentication settings

When you add the WebSphere MQ server definition to a service integration bus to make it a bus member, you can override the server settings and authentication alias used for messaging, with the connection settings and authentication alias used by the bus. This option allows you to create a bus-specific instance of that server and is useful in a multiple bus configuration. Typically you would do this to differentiate connections from different buses and, potentially, to apply different security settings.





Last updated: Aug 30, 2013 8:21:57 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-express-iseries&topic=cjfp0018_
File name: cjfp0018_.html