Secure messaging
The steps to take to secure asynchronous messaging.
Security for messaging is enabled only when WebSphere Application Server administrative security is enabled. In this case:
- JMS connections made to a messaging provider are authenticated.
- Access to JMS resources owned by a messaging provider is controlled by access authorizations.
- Requests to create new connections to a messaging provider must include a user ID and password for authentication.
- The user ID and password do not have to be provided by the application.
Standard Java EE Connector Architecture (JCA) authentication is used for a request to create a new connection to a messaging provider. If authentication is successful, the JMS connection is created; if authentication fails, the connection request is ended.
- User IDs that are longer than 12 characters cannot be used for authentication with an IBM MQ network. For example, the default Windows NT user ID "Administrator" is not valid for use in this context because it contains 13 characters.
- Users that exploit the connection thread identity support do not have to provide a user ID and password for authentication.
- In addition to the authorization needed for creating a connection to a messaging provider, you also typically need authorization to access specific JMS resources associated with that provider. For example, if we are using the IBM MQ messaging provider to connect to an IBM MQ network, we might also need permission from the IBM MQ network to write to a given queue.
- To enable the IBM MQ messaging provider to connect in bindings transport mode to IBM MQ, set the Transport type parameter on the IBM MQ queue connection factory to BINDINGS, and configure the IBM MQ messaging provider with native libraries information.
We must also choose one of the following options:
- If we are using security credentials (user ID and password), ensure that the user specified is the current logged-on user for the WAS process, otherwise the following IBM MQ JMS Bindings authentication exception message is generated: MQJMS2013 invalid security authentication supplied for MQQueueManager.
- If we are not using security credentials, ensure that neither the Component-managed Authentication Alias nor the Container-managed Authentication Alias properties are set on the connection factory.
To secure your asynchronous messaging, complete one or more of the following steps:
Tasks
- Enable security.
- Use JCA authentication to create a new connection to the messaging provider.
If the resource authentication (res-auth) property is set to Application, set the Component-managed Authentication Alias property on the connection factory. If the application that tries to create a connection to the messaging provider specifies a user ID and password, those values are then used to authenticate the creation request. Otherwise, the values defined by the Component-managed Authentication Alias property are used. If we do not set the Component-managed Authentication Alias property on the connection factory, a runtime JMS exception message is generated when an attempt is made to connect to the messaging provider.
(ZOS) If the res-auth property is set to Container, set the Container-managed Authentication Alias property on the connection factory, and specify the user ID and password within this alias. If we are using bindings transport mode, then we can use the connection thread identity support instead of specifying a container-managed alias.
- Authorize access to messages stored by the default messaging provider.
Access to these messages is controlled by authorization to access the service integration bus destinations on which the messages are stored. For information about authorizing permissions for individual bus destinations, see Administer destination roles.
- Configure security for message-driven beans that use listener ports.
Complete this step if we are working with a message-driven bean and are configuring a message-driven bean listener under the Message Listener Service.
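The following is an added example and is not code from the WebSphere Application Server documentation. It shows the application side of the JCA authentication step for a connection factory whose resource reference has res-auth set to Application: credentials supplied to createConnection(user, password) are used for the creation request, while createConnection() with no arguments falls back to the Component-managed Authentication Alias configured on the connection factory. The JNDI names (jms/SecuredCF, jms/SecuredQueue), the class name and the credential values are assumptions; the 12-character user ID limit is the IBM MQ restriction noted above.

```java
// Added example (not from the WebSphere documentation). Assumed resource names:
// java:comp/env/jms/SecuredCF and java:comp/env/jms/SecuredQueue.
//
// Matching resource reference in ejb-jar.xml or web.xml (assumed names):
// <resource-ref>
//   <res-ref-name>jms/SecuredCF</res-ref-name>
//   <res-type>javax.jms.ConnectionFactory</res-type>
//   <res-auth>Application</res-auth>
// </resource-ref>
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import javax.jms.MessageProducer;
import javax.jms.Queue;
import javax.jms.Session;
import javax.jms.TextMessage;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class SecuredSender {

    /** IBM MQ cannot authenticate user IDs longer than 12 characters. */
    static final int MQ_MAX_USER_ID_LENGTH = 12;

    /** Rejects IDs that the IBM MQ network would refuse before a connection is attempted. */
    static boolean isValidMqUserId(String userId) {
        return userId != null
                && !userId.isEmpty()
                && userId.length() <= MQ_MAX_USER_ID_LENGTH;
    }

    /**
     * With res-auth=Application, credentials passed here are used for the
     * connection request. When userId is null, createConnection() is used and the
     * container applies the Component-managed Authentication Alias of the
     * connection factory; if that alias is not set, the call fails with a
     * JMSException. An authentication failure surfaces as
     * javax.jms.JMSSecurityException (a subclass of JMSException), and the
     * provider ends the connection request.
     */
    public void send(String text, String userId, String password)
            throws NamingException, JMSException {
        if (userId != null && !isValidMqUserId(userId)) {
            throw new IllegalArgumentException(
                    "user ID must be 1 to 12 characters for IBM MQ: " + userId);
        }

        InitialContext ctx = new InitialContext();
        ConnectionFactory cf = (ConnectionFactory) ctx.lookup("java:comp/env/jms/SecuredCF");
        Queue queue = (Queue) ctx.lookup("java:comp/env/jms/SecuredQueue");

        Connection conn = (userId == null)
                ? cf.createConnection()                   // alias on the connection factory
                : cf.createConnection(userId, password);  // application-supplied credentials
        try {
            // Creating the producer and sending require authorization on the
            // queue itself, in addition to the authenticated connection.
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageProducer producer = session.createProducer(queue);
            TextMessage msg = session.createTextMessage(text);
            producer.send(msg);
        } finally {
            conn.close();
        }
    }
}
```

Deploying this with no Component-managed Authentication Alias on the connection factory and calling send(text, null, null) reproduces the runtime JMS exception described for the Application res-auth case; setting the alias makes the same call succeed without the application handling a password.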
Subtopics
- Configure security for message-driven beans that use activation specifications
Configure resource security and security permissions for message-driven beans.
- Configure security for message-driven beans that use listener ports
For non-Java EE Connector Architecture (JCA) messaging providers, the association between connection factories, destinations, and message-driven beans is provided by listener ports. In this case, we can configure resource security and security permissions for message-driven beans by setting the container-managed alias. The MDB listener's security information is established when the MDB listener's JMS Connection is created.
Related:
- Service integration security
- Configure the IBM MQ messaging provider with native libraries information