Service integration bus security
Bus security can be turned on or off at the time of bus creation, or afterward. For the bus security to be activated, administrative security must be enabled.
Every bus has an optional inter-engine authentication alias that can be specified. If this property is left unset, it defaults to none and is ignored. If an alias is specified and bus security is enabled, the identity is checked when each messaging engine starts communicating with the other messaging engines in the bus.
A list of permitted transport chains can be defined that may be used to access a secured bus. There are three modes:
- allow all defined transport chains
- allow only SSL enabled transport chains
- allow only those transport chains in a list defined by the administrator
The mediations authentication alias is used to authorize any mediation processes trying to access the secured bus.
External clients that need to access the bus must be added to the bus connector role. By default, a client that has not been added is denied access, even if it presents valid credentials.
Options...
- Allow only servers that are members of the bus to connect to the bus
- Allow all authenticated users to connect to the bus
- Allow everyone (including unauthenticated users) to connect to the bus
To authenticate...
- Connection factory connections authenticate using an authentication alias or with a user name and password passed on the call to ConnectionFactory.createConnection()
- Activation specifications authenticate using an authentication alias.
If a connection factory is looked up in the server JNDI from outside of the server environment (for example, from the client container), any authentication alias defined on the connection factory will be unavailable. This prevents unauthorized use of an authenticated connection factory.
JMS clients outside of the server can provide a user name and password on the call to create a connection. If the client is a J2EE client application running in the WebSphere application client environment, it is possible to define an authenticated connection factory resource in the .ear file.
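The following is an added example, not code from the original page or from IBM, of a stand-alone JMS client connecting to a secured bus in the way described above: the connection factory is looked up in the server JNDI namespace, and because the client runs outside the server the credentials are passed explicitly on createConnection(). The JNDI name jms/SecureBusCF, the bootstrap URL, the environment variable names and the queue name are assumptions for this example; the WebSphere initial context factory class name is the standard one for the naming client.

```java
import java.util.Hashtable;

import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import javax.jms.JMSSecurityException;
import javax.jms.Session;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Stand-alone JMS client for a secured service integration bus.
 * JNDI name, provider URL and variable names are assumed values for
 * this example, not values taken from the page.
 */
public class SecureBusClient {

    /** Look up the connection factory in the server's JNDI namespace. */
    static ConnectionFactory lookupFactory(String providerUrl, String jndiName)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        // WebSphere naming client; the URL is a placeholder for the real server.
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.ibm.websphere.naming.WsnInitialContextFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        Context ctx = new InitialContext(env);
        try {
            return (ConnectionFactory) ctx.lookup(jndiName);
        } finally {
            ctx.close();
        }
    }

    /**
     * Open a connection with explicit credentials. Outside the server any
     * authentication alias defined on the factory is unavailable, so the
     * user name and password must be supplied on createConnection().
     */
    static Connection connect(ConnectionFactory cf, String user, String password)
            throws JMSException {
        try {
            Connection conn = cf.createConnection(user, password);
            conn.start();
            return conn;
        } catch (JMSSecurityException e) {
            // Credentials rejected, or the identity is not in the bus connector
            // role: valid credentials alone do not grant access to the bus.
            JMSException wrapped = new JMSException(
                    "Bus refused connection for user '" + user + "'");
            wrapped.setLinkedException(e);
            throw wrapped;
        }
    }

    public static void main(String[] args) throws Exception {
        // Read credentials from the environment rather than hard-coding them
        // (assumed variable names).
        String user = System.getenv("BUS_USER");
        String password = System.getenv("BUS_PASSWORD");
        if (user == null || password == null) {
            throw new IllegalStateException("BUS_USER and BUS_PASSWORD must be set");
        }

        ConnectionFactory cf = lookupFactory("corbaloc:iiop:localhost:2809",
                "jms/SecureBusCF");
        Connection conn = connect(cf, user, password);
        try {
            // Session creation succeeds only after the bus accepted the identity.
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            System.out.println("Connected to the bus as " + user
                    + "; transacted=" + session.getTransacted());
            session.close();
        } finally {
            conn.close(); // JMS 1.1: Connection is not AutoCloseable
        }
    }
}
```

Run it with the WebSphere thin client JARs on the classpath and BUS_USER/BUS_PASSWORD set; a JMSSecurityException on connect indicates either bad credentials or an identity that has not been added to the bus connector role, which is the distinction the administrator should check first.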
Details on WebSphere security can be found in WAS V6.1 Security Handbook, SG24-6316.