User identification
Service integration messages contain two user IDs - a system user ID and an application user ID. WebSphere MQ can set the user identifier field of the WebSphere MQ message descriptor (MQMD) from the system user ID used in the service integration message. Additional processing is required to preserve the service integration application user ID when interoperating with WebSphere MQ by using a WebSphere MQ server.
Service integration messages contain two user IDs:
- a system user ID: In general, the system user ID is set to the identity of the user that produced the message, which is specified when the user connects to the bus. The system user ID stored in the message cannot be modified by application code.
- an application user ID: This corresponds to the JMSXUserID message property and can be set by application code.
WebSphere MQ can be configured to set the user identifier field of the WebSphere MQ message descriptor (MQMD) from the system user ID used in the service integration message. However, there is only one field for user IDs in the MQMD. If the destination permits the use of MQRFH2 headers, the application user ID present in the message is placed into the <sib> folder of the RFH2 header using a key of jsApiUserId.
When a message is received from queue points or mediation points localized on a WebSphere MQ server bus member, the action taken depends on whether the associated WebSphere MQ server definition permits the user IDs to be trusted:
- If the WebSphere MQ server is configured to trust user IDs, the system user ID in the service integration message is copied from the user ID in the MQMD.
- If the WebSphere MQ server is not configured to trust user IDs, the system user ID in the service integration message is set to the name of the WebSphere MQ server from which the message has been received.
Consider an example where the following objects have been configured:
- A WebSphere MQ server, QM1
- A WebSphere MQ server bus member with the trustUserIds attribute set to FALSE.
- A queue-type destination, Q1 assigned to the WebSphere MQ server bus member.
With these objects configured, when a message is received from Q1, the system user ID is always set to QM1, and the user ID that exists in the message is ignored. This happens because the WebSphere MQ server bus member does not trust the user IDs received in inbound messages; instead, it always uses the name of the WebSphere MQ server that the message is received from.
Regardless of how the system user ID of the service integration message is set, the application user ID is always set from the jsApiUserId RFH2 value. If this value is not present, either because the value pair is not present in the <sib> folder of the RFH2 header or because the message does not have an RFH2 header, the application user ID is not set.
As security user IDs are transported in the MQMD message descriptor, they are limited to 12 characters in length. Longer user IDs are truncated.
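The mapping rules and the 12-character limit described above can be modelled in a few lines. This is an added example, not IBM code: the function names and sample user IDs are constructed for illustration, and it assumes truncation keeps the first 12 characters. The last function is an audit check for distinct user IDs that become indistinguishable once carried in the MQMD.

```python
# Added illustration: a model of the rules described on this page, not IBM code.
from collections import defaultdict

MQMD_USER_ID_LEN = 12  # MQMD user identifier limit stated on the page


def to_mq(system_user_id, app_user_id=None, rfh2_allowed=True):
    """Outbound: service integration message -> MQMD user ID plus optional <sib> folder."""
    # Assumption: truncation keeps the first 12 characters.
    mqmd_user_id = system_user_id[:MQMD_USER_ID_LEN]
    sib = None  # None models "no RFH2 header on the message"
    if rfh2_allowed:
        sib = {} if app_user_id is None else {"jsApiUserId": app_user_id}
    return {"mqmd_user_id": mqmd_user_id, "sib": sib}


def from_mq(mq_msg, server_name, trust_user_ids):
    """Inbound from a WebSphere MQ server bus member -> (system ID, application ID)."""
    # Trusted: copy the MQMD user ID. Untrusted: use the WebSphere MQ server name.
    system_id = mq_msg["mqmd_user_id"] if trust_user_ids else server_name
    # The application ID comes only from jsApiUserId; None models "not set".
    app_id = (mq_msg.get("sib") or {}).get("jsApiUserId")
    return system_id, app_id


def truncation_collisions(user_ids):
    """Return groups of distinct IDs that share one truncated MQMD user ID."""
    groups = defaultdict(set)
    for uid in user_ids:
        groups[uid[:MQMD_USER_ID_LEN]].add(uid)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample identities, not taken from any real system.
    msg = to_mq("svc-payments-prod", app_user_id="alice")
    print(from_mq(msg, "QM1", trust_user_ids=False))
    print(from_mq(msg, "QM1", trust_user_ids=True))
    print(truncation_collisions(["svc-payments-prod", "svc-payments-test", "bob"]))
```

Running the collision check over the set of identities allowed to connect to the bus shows which of them cannot be told apart by any authorization decision made on the MQMD user ID.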
Related tasks
Create a WebSphere MQ server definition
createSIBWMQServer command