JMS security considerations
Security for asynchronous messaging is enabled only when global security is enabled. J2C authentication can be used to provide a username/password for authentication.
You can specify a Component-managed Authentication Alias or a Container-managed Authentication Alias for each connection factory, depending on the resource authentication (res-auth) setting:
- If res-auth specifies Application, configure a Component-managed Authentication Alias.
If the app specifies a username/password, those values are used to authenticate the creation request. If the app does not specify a username/password, the values defined by the Component-managed Authentication Alias are used.
If the connection factory is not configured with a Component-managed Authentication Alias, then you receive a runtime JMS exception when an attempt is made to connect to the JMS provider.
- If res-auth specifies Container, configure a Container-managed Authentication Alias.
Those values are used to authenticate the creation request. If you do not specify an alias, then you receive a runtime JMS exception when an attempt is made to connect to the JMS provider.
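The Application case above, sketched as an added example that is not part of the original documentation. The resource reference name jms/OrdersCF and the class and method names are assumptions, and the code is meant to run inside the application server where the connection factory is bound.

```java
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/*
 * Assumed deployment descriptor entry (jms/OrdersCF is a hypothetical name):
 *   <resource-ref>
 *     <res-ref-name>jms/OrdersCF</res-ref-name>
 *     <res-type>javax.jms.ConnectionFactory</res-type>
 *     <res-auth>Application</res-auth>
 *   </resource-ref>
 * With <res-auth>Container</res-auth> the application calls createConnection()
 * without credentials and the Container-managed Authentication Alias is used.
 */
public class JmsAuthExample {

    private static ConnectionFactory lookupFactory() throws NamingException {
        // Resolves the resource reference declared in the descriptor above.
        return (ConnectionFactory) new InitialContext().lookup("java:comp/env/jms/OrdersCF");
    }

    // No credentials in code: the configured authentication alias supplies them.
    public static Connection connectWithAlias() throws NamingException, JMSException {
        try {
            return lookupFactory().createConnection();
        } catch (JMSException e) {
            // Raised at connect time, for example when no alias is configured.
            // Log the provider error code and linked exception, never credentials.
            System.err.println("JMS connect failed, provider code=" + e.getErrorCode()
                    + ", linked=" + e.getLinkedException());
            throw e;
        }
    }

    // res-auth=Application only: values passed here are used instead of the alias.
    public static Connection connectWithCredentials(String user, String password)
            throws NamingException, JMSException {
        return lookupFactory().createConnection(user, password);
    }
}
```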
To use a WebSphere MQ JMS connection in Bindings transport mode, set the Transport type property to BINDINGS on the WebSphere MQ Queue Connection Factory. You must also choose one of the following options:
- Set security credentials
If the user specified is not the current logged-on user for the WAS process, then the WebSphere MQ JMS Bindings authentication throws the error:
MQJMS2013 invalid security authentication supplied for MQQueueManager
- Do not set security credentials.
On the WebSphere MQ Connection Factory, ensure that both the Component-managed Authentication Alias and the Container-managed Authentication Alias properties are not set.
For a clustered and distributed system that spans multiple machines, do not use a Transport type of BINDINGS. Instead, use a Transport type of CLIENT.