Use the connection factory through an indirect lookup

When we are writing an enterprise application, if the JNDI name of the connection factory is unknown, or if the application is to be installed onto different application servers using a different connection factory, with a different JNDI name (depending on what application server it is installed onto), then the connection factory can be looked up using a resource reference. This can be done through an indirect lookup.


Example

Rather than directly looking up the connection factory using jms/myCF, an enterprise application contains a resource reference has the local JNDI name of: jms/myResourceReferenceCF.

To use this JNDI name, the application connects to the JNDI repository of the application server, in the same way as if the application is performing a direct look up: 
InitialContext ctx = new InitialContext();
Rather than identifying jms/myCF directly, the application now identifies the JNDI name of the resource reference: 
ConnectionFactory cf = (ConnectionFactory) ctx.lookup("java:comp/env/jms/myResourceReferenceCF");
You need the java:comp/env prefix for the local JNDI name, to tell the application server that the enterprise application is performing an indirect look up.

When the application is deployed, the user maps the JNDI name of the resource reference jms/myResourceReferenceCF to the JNDI name of the connection factory that the application has already created: jms/myCF.

When the application is run, it looks up a JMS connection factory using the local JNDI name, which the application server maps onto: jms/myCF. This connection factory is then used by the application to create a connection to IBM MQ .


Authentication aliases and indirect lookups

A resource reference also allows additional properties to be defined, that alter the behavior of the provided connection factory. One of the properties of a resource reference is res-auth. The value of this property specifies whether the enterprise application should use the authentication alias of the connection factory that the resource reference maps to when creating a connection to IBM MQ (if an authentication alias has been defined), or if the application is specifying its own user name and password.

The default value of this property is Application. This means that the user name and password that are flowed down to the queue manager, when a JMS connection is created, is determined by the application itself. The authentication alias of the connection factory that the resource reference maps to is not used.

Applications can create JMS connections using one of the following methods:

  • ConnectionFactory.createConnection()
  • ConnectionFactory.createConnection(String username, String password)

If an application uses ConnectionFactory.createConnection(), and res-auth is set to Application, the default user identity is flowed down to IBM MQ. This is the user name and password that started the application server where the enterprise application is running.

If an application uses ConnectionFactory.createConnection(String username, String password), and res-auth is set to Application, the user name and password passed in to the method are sent down to IBM MQ.

In order to use the authentication alias defined on the connection factory that the resource reference maps to when creating a connection, set the res-auth property to the value Container. When an application creates a JMS connection, the authentication alias details are used, even if the createConnection call specifies a user name and password.


Overriding the authentication alias when using an indirect lookup

If an application uses a resource reference that has the res-auth property set to Container, you can override the authentication alias that is used when JMS connections are created.

To override the authentication alias, the resource reference needs to include an extra property called authDataAlias, that maps to an existing authentication alias that has already been created in the application server environment into which the application will be deployed. We can specify this property on any resource references that are created using the Rational tooling provided by IBM.

Use this method, we can use a different authentication alias when using a JMS connection factory that has been looked up indirectly. If the authentication alias specified does not exist, then a new one can be specified after the enterprise application has been installed. For more information, see Resource references in the WebSphere Application Server product documentation.

Parent topic: Configure authentication aliases to secure WebSphere Application Server connection to IBM MQ


Related information for WebSphere Application Server Version 8.5.5


Related information for WebSphere Application Server Version 8.0


Related information for WebSphere Application Server Version 7.0