Use authentication aliases with enterprise applications

When an enterprise application running inside of WebSphere Application Server attempts to create a JMS connection to IBM MQ, the application looks up an IBM MQ messaging provider connection factory definition from the Java Naming and Directory Interface (JNDI) repository of the application server.

When the IBM MQ messaging provider connection factory definition is located from within the JNDI repository of the application server, one of the following methods is called:

  • ConnectionFactory.createConnection()
  • ConnectionFactory.createConnection(String username, String password)

If the connection factory has been configured with a J2C authentication alias, then the user name and password in the authentication alias can be flowed down to IBM MQ when the connection factory is used to create a connection.


Connection factories and authentication aliases

IBM MQ messaging provider connection factories contain information on how to connect to IBM MQ queue managers. Enterprise applications running inside of WebSphere Application Server can use the connection factories to create JMS connections to IBM MQ.

WebSphere Application Server stores connection factory definitions in a repository that can be accessed using JNDI. When a connection factory is created, it is given a JNDI name that uniquely identifies it at the application server scope (either the Cell, Node or Server scope) at which it has been defined.

For example, an IBM MQ messaging provider connection factory defined at the WebSphere Application Server Cell scope contains information on how to connect to the queue manager (myQM) using the BINDINGS transport. This connection factory is given the JNDI name jms/myCF to uniquely identify it.

Connection factories can also be configured to use an authentication alias. Authentication aliases map to a user name and password combination. Depending on how the connection factory is used, the user name and password in the authentication alias might, or might not, be flowed down to IBM MQ when the JMS connection is created.

Important: Prior to IBM MQ Version 8.0, the default IBM MQ Object Authority Manager (OAM) performed only an authorization check, to ensure that the user name passed down to IBM MQ when a connection is made had the authority to access the queue manager.

No checks were made to validate the password that was specified. In order to perform an authentication check, and validate that the user identifier and password match, you needed to write an IBM MQ channel security exit. Details on how to do this can be found in Channel security exit programs.

From IBM MQ Version 8.0, the queue manager checks the password in addition to the user name.


Use the connection factory

The following topics contain information about using the connection factory using direct and indirect look ups:


Use the CLIENT transport

Connection factories that are configured to use the CLIENT transport must specify which IBM MQ server connection channel (SVRCONN) they are going to use to connect to the queue manager.

If the IBM MQ channel agent user identifier (MCAUSER) property remains blank for the channel that the connection factory has been configured to use, then the connection factory can be used with either a direct look up, or indirect look up.

If the MCAUSER property is set to a user identifier, this user identifier is passed down to IBM MQ when the connection factory is used to create a connection to IBM MQ, regardless of whether the enterprise application is using a direct or indirect look up.


Summary tables

The following tables summarize what user identifiers are flowed down to IBM MQ when the BINDINGS transport, and the CLIENT transport, respectively are used:

BINDINGS transport:

| Configuration | Application calls ConnectionFactory.createConnection() | Application calls ConnectionFactory.createConnection(String username, String password) |
| --- | --- | --- |
| Application's deployment descriptor does not contain a Resource Reference for the connection factory | The user identifier for the application server process is flowed down to IBM MQ. | The user identifier and password that were passed into the ConnectionFactory.createConnection(String username, String password) method are flowed down to IBM MQ. |
| Application's deployment descriptor contains a Resource Reference for the connection factory and the res-auth property is set to "Application" | The user identifier for the application server process is flowed down to IBM MQ. | The user identifier and password that were passed into the ConnectionFactory.createConnection(String username, String password) method are flowed down to IBM MQ. |
| Application's deployment descriptor contains a Resource Reference for the connection factory and the res-auth property is set to "Container" | The user identifier and password specified in the authentication alias for the connection factory are flowed down to IBM MQ. | The user identifier and password specified in the authentication alias for the connection factory are flowed down to IBM MQ. |
| Application's deployment descriptor contains a Resource Reference for the connection factory which has the res-auth property set to "Container" and the application has been configured with an authentication alias | The user identifier and password specified in the authentication alias that the application has been configured to use are flowed down to IBM MQ. | The user identifier and password specified in the authentication alias that the application has been configured to use are flowed down to IBM MQ. |

CLIENT transport:

| Configuration | Application calls ConnectionFactory.createConnection() | Application calls ConnectionFactory.createConnection(String username, String password) |
| --- | --- | --- |
| Application's deployment descriptor does not contain a Resource Reference for the connection factory and the connection factory is configured to use an IBM MQ channel that has the MCAUSER property unset | The user identifier for the application server process is flowed down to IBM MQ. | The user identifier and password that were passed into the ConnectionFactory.createConnection(String username, String password) method are flowed down to IBM MQ. |
| Application's deployment descriptor does not contain a Resource Reference for the connection factory and the connection factory is configured to use an IBM MQ channel that has the MCAUSER property set to a user identifier | The user identifier specified by the MCAUSER property on the IBM MQ channel the connection factory is configured to use is flowed down to IBM MQ. | The user identifier specified by the MCAUSER property on the IBM MQ channel the connection factory is configured to use is flowed down to IBM MQ. |
| Application's deployment descriptor contains a Resource Reference for the connection factory which has the res-auth property set to "Application" and the connection factory is configured to use an IBM MQ channel that has the MCAUSER property unset | The user identifier for the application server process is flowed down to IBM MQ. | The user identifier and password that were passed into the ConnectionFactory.createConnection(String username, String password) method are flowed down to IBM MQ. |
| Application's deployment descriptor contains a Resource Reference for the connection factory which has the res-auth property set to "Application" and the connection factory is configured to use an IBM MQ channel that has the MCAUSER property set to a user identifier | The user identifier specified by the MCAUSER property on the IBM MQ channel which the connection factory is configured to use is flowed down to IBM MQ. | The user identifier specified by the MCAUSER property on the IBM MQ channel which the connection factory is configured to use is flowed down to IBM MQ. |
| Application's deployment descriptor contains a Resource Reference for the connection factory which has the res-auth property set to "Container" and the connection factory is configured to use an IBM MQ channel that has the MCAUSER property unset | The user identifier and password specified in the authentication alias for the connection factory are flowed down to IBM MQ. | The user identifier and password specified in the authentication alias for the connection factory are flowed down to IBM MQ. |
| Application's deployment descriptor contains a Resource Reference for the connection factory which has the res-auth property set to "Container" and the connection factory is configured to use an IBM MQ channel that has the MCAUSER property set to a user identifier | The user identifier specified by the MCAUSER property on the IBM MQ channel which the connection factory is configured to use is flowed down to IBM MQ. | The user identifier specified by the MCAUSER property on the IBM MQ channel which the connection factory is configured to use is flowed down to IBM MQ. |
| Application's deployment descriptor contains a Resource Reference for the connection factory which has the res-auth property set to "Container", the application has been configured with an authentication alias, and the connection factory is configured to use an IBM MQ channel that has the MCAUSER property unset | The user identifier and password specified in the authentication alias that the application has been configured to use are flowed down to IBM MQ. | The user identifier and password specified in the authentication alias that the application has been configured to use are flowed down to IBM MQ. |
| Application's deployment descriptor contains a Resource Reference for the connection factory which has the res-auth property set to "Container", the application has been configured with an authentication alias, and the connection factory is configured to use an IBM MQ channel that has the MCAUSER property set to a user identifier | The user identifier specified by the MCAUSER property on the IBM MQ channel which the connection factory is configured to use is flowed down to IBM MQ. | The user identifier specified by the MCAUSER property on the IBM MQ channel which the connection factory is configured to use is flowed down to IBM MQ. |
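
The rules in the two summary tables, written as a check over a deployment descriptor. This is an added example, not IBM code: it reads the res-auth value of each resource reference and reports which identity reaches IBM MQ. The descriptor, the reference names and the MCAUSER value are constructed, and the check assumes an authentication alias is configured wherever res-auth is "Container".

```python
import xml.etree.ElementTree as ET

# Constructed descriptor for illustration; the reference names are hypothetical.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <resource-ref>
    <res-ref-name>jms/ordersCF</res-ref-name>
    <res-type>javax.jms.ConnectionFactory</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
  <resource-ref>
    <res-ref-name>jms/auditCF</res-ref-name>
    <res-type>javax.jms.ConnectionFactory</res-type>
    <res-auth>Application</res-auth>
  </resource-ref>
</web-app>"""

def _local(tag):
    """Strip an XML namespace prefix such as '{ns}resource-ref'."""
    return tag.rsplit("}", 1)[-1]

def res_auth_by_ref(descriptor_xml):
    """Return {res-ref-name: res-auth} for every resource reference."""
    refs = {}
    for elem in ET.fromstring(descriptor_xml).iter():
        if _local(elem.tag) == "resource-ref":
            fields = {_local(c.tag): (c.text or "").strip() for c in elem}
            refs[fields["res-ref-name"]] = fields.get("res-auth")
    return refs

def identity_sent(res_auth, passes_credentials, app_alias=False, mcauser=""):
    """Which identity reaches IBM MQ, following the summary tables.

    res_auth: None (no resource reference), "Application" or "Container".
    mcauser: MCAUSER of the SVRCONN channel; "" for BINDINGS or when unset.
    """
    if mcauser:                      # CLIENT transport with MCAUSER set: always used
        return "MCAUSER " + mcauser
    if res_auth == "Container":      # container-managed: an authentication alias
        return "application alias" if app_alias else "connection factory alias"
    if passes_credentials:           # createConnection(username, password)
        return "credentials passed by the application"
    return "application server process user"   # createConnection()

def report(descriptor_xml, mcauser=""):
    """Identity per reference when the application calls createConnection()."""
    return {name: identity_sent(auth, False, mcauser=mcauser)
            for name, auth in res_auth_by_ref(descriptor_xml).items()}
```

References that report "application server process user" are the ones where the application server's own identity is presented to the queue manager.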