Client authentication on a service integration bus
When a client application attempts to connect to a messaging engine on a secure service integration bus, the client application provides credentials to the server that are checked against the user registry.
Client authentication is one security mechanism for protecting the bus from unauthorized access, alongside authorization, and transport encryption. Client authentication is effective only when administrative security is enabled on WebSphere Application Server, and messaging security is enabled on the bus.
A connecting client application provides credentials that the server verifies against the user registry. The following types of credential are permitted:
- User ID and password
- X509 certificate
The security administrator specifies the type of user registry when configuring administrative security.
WAS v6 supports different types of user registry, including federated repositories.
WAS v7.0 or later can use the user registry from the administrative domain, or the bus or cell domains.
The bus security administrator checks that the credentials for the connecting client are valid in the user registry for the cell hosting the bus. If the server is enabled to allow a JMS client application to use SSL client authentication, a stand-alone LDAP user registry is required.
When application code in an EJB or web container invokes the JMS client, and accesses it as a J2EE Connector Architecture (JCA) resource, authentication is determined by whether the application code has been configured to allow container-managed or application-managed sign-on to resources. For further details, see Java EE connector security.
If an application fails to authenticate, a JMSSecurityException is thrown.
Related:
Role-based authorization Java EE connector security Administer authorization permissions Select a registry or repository