Use the connection factory through a direct lookup
After an IBM MQ messaging provider connection factory has been defined, an enterprise application can look up the connection factory definition and use it to create a JMS connection to an IBM MQ queue manager. This can be done through a direct lookup.
To use a direct lookup, an enterprise application connects to the JNDI repository of the application server by making the following method call:
InitialContext ctx = new InitialContext();
Once it has connected to the JNDI repository, the enterprise application then identifies the connection factory definition using the JNDI name of the connection factory, as follows:
ConnectionFactory cf = (ConnectionFactory) ctx.lookup("jms/myCF");
Notes:
- Your application developer needs to know the JNDI name of the required connection factory when the enterprise application is being developed. Because the JNDI name is hard-coded inside the application, if the JNDI name changes, the application must be rewritten and redeployed.
- When a connection factory definition is used in this way, the user name and password specified in the authentication alias (that the connection factory has been configured to use) are not flowed down to IBM MQ. This is to prevent unauthorized applications from identifying the connection factory, and being able to use it to connect to secure IBM MQ systems.
The user name and password that are flowed down to IBM MQ depend on the method that is used to create the JMS connection from the connection factory.
If an application creates a JMS connection using the method:
ConnectionFactory.createConnection()
the default user identity is passed down to IBM MQ. This is the user name and password that started the application server where the enterprise application is running. Alternatively, an application can create a JMS connection by calling the method:
ConnectionFactory.createConnection(String username, String password)
If an application has performed a direct lookup of a connection factory, and then called this method, the user name and password that were passed into the createConnection() method are flowed down to IBM MQ.
Important: Prior to IBM MQ Version 8.0, IBM MQ performed only an authorization check, to make sure that the user name that had been flowed down had the authority to access the queue manager. No checks were made on the password. To perform an authentication check and validate that the user name and password were valid, an IBM MQ channel security exit must be written. Details on how to do this can be found in Channel security exit programs.
From IBM MQ Version 8.0, the queue manager checks the password in addition to the user name.
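The following added example (not taken from the IBM documentation) puts the direct lookup and the two-argument createConnection() call together so that an explicit identity, rather than the application server's default identity, is flowed down to IBM MQ. It is meant to be called from code running inside the application server; the class name, the method names and the use of the javax.jms package are assumptions, and where the caller obtains the credentials is left open.

```java
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import javax.jms.JMSSecurityException;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// Hypothetical helper class; call it from a servlet or EJB in the application server.
public class DirectLookupConnector {

    // JNDI name used in the text above. It is fixed in the code, so a rename
    // of the connection factory means rebuilding and redeploying the application.
    private static final String CF_JNDI_NAME = "jms/myCF";

    // Direct lookup followed by createConnection(username, password).
    // The authentication alias configured on the connection factory is not
    // used on this path, so the identity must be supplied by the caller.
    public static Connection connectAs(String user, String password)
            throws NamingException, JMSException {
        if (user == null || user.isEmpty() || password == null) {
            // Never fall back silently to createConnection(): that would flow
            // the identity that started the application server down to IBM MQ.
            throw new IllegalArgumentException("explicit IBM MQ credentials required");
        }
        InitialContext ctx = new InitialContext();
        try {
            ConnectionFactory cf = (ConnectionFactory) ctx.lookup(CF_JNDI_NAME);
            return cf.createConnection(user, password);
        } finally {
            ctx.close();
        }
    }

    // Returns true if the queue manager accepted the identity, false if it
    // rejected it. The password is never written to the log.
    public static boolean canConnect(String user, String password)
            throws NamingException, JMSException {
        try {
            Connection conn = connectAs(user, password);
            conn.close();
            return true;
        } catch (JMSSecurityException e) {
            System.err.println("IBM MQ rejected user '" + user
                    + "' (error code " + e.getErrorCode() + ")");
            return false;
        }
    }
}
```

Against a queue manager earlier than IBM MQ Version 8.0 without a channel security exit, canConnect() returning true says only that the user name is authorized, because the password is not checked there.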