Configure JAAS for AMQP channels
Java Authentication and Authorization Service (JAAS) custom modules can be used to authenticate username and password credentials passed to an AMQP channel by an AMQP client when it connects.
About this task
You might want to use a custom JAAS module if you already use JAAS modules for authentication in other Java-based systems, and want to reuse those modules for authenticating AMQP connections to MQ. Alternatively, you might want to write a custom JAAS module if the authentication features built into MQ do not support the authentication mechanism you want to use.
Configuration of JAAS modules for AMQP channels is done at a queue manager level. This means that, if you configure a JAAS module for authenticating AMQP connections to the queue manager, the module will apply to all AMQP channels. The name of the channel that has invoked the JAAS module is passed to the module, allowing you to code different JAAS login behavior for different channels.
Other information is also passed to the JAAS module:
- The client ID of the AMQP client that is attempting to authenticate.
- The network address of the AMQP client.
- The name of the channel that invoked the JAAS module.
Procedure
You configure a JAAS configuration module for AMQP channels by completing the following steps:
- Define a jaas.config file containing one or more JAAS module configuration stanzas. The stanza must specify the fully qualified name of the Java class that implements the JAAS javax.security.auth.spi.LoginModule interface.
  - A default jaas.config file is shipped with the product and is located in QM_data_directory/amqp/jaas.config.
  - A preconfigured stanza named MQXRConfig is already defined in the default jaas.config file.
- Specify the name of the stanza to use for AMQP channels.
  - Add a property to the amqp_unix.properties file.
  - Add a property to the amqp_win.properties file.
  The property has the following form:
  com.ibm.mq.MQXR.JAASConfig=JAAS_stanza_name
  for example:
  com.ibm.mq.MQXR.JAASConfig=MQXRConfig
- Configure the queue manager environment to include the class of the custom module. The AMQP service must have access to the Java class configured in the JAAS configuration stanza.
  You do this by adding the path to the JAAS class to the MQ service.env file. Edit the service.env file in the MQ configuration directory (MQ_config_directory) or the queue manager configuration directory (QM_config_directory) to set the CLASSPATH variable to the location of the JAAS module class.
What to do next
A sample JAAS login module is shipped with the product in the mq_installation_directory/amqp/samples directory. The sample JAAS login module authenticates all client connections, regardless of the username or password the client connects with. You can modify the source code of the sample and recompile it to try authenticating only specific users with a particular password. To configure the AMQP channel on a UNIX system to use the sample JAAS login module shipped with the product:
- Edit the file /var/mqm/qmgrs/QMNAME/amqp/amqp_unix.properties and set the property com.ibm.mq.MQXR.JAASConfig=MQXRConfig.
- Edit the file /var/mqm/service.env and set the property CLASSPATH=mq_installation_location/amqp/samples
The jaas.config file already contains a stanza named MQXRConfig that specifies the sample class samples.JAASLoginModule as the login module class. No changes are required to jaas.config before you try the sample module.
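Because the sample module accepts any username and password, it is worth checking which login module a queue manager's AMQP channels actually resolve to. The following script is an added example, not code shipped with the product: it follows the JAASConfig property to its stanza in jaas.config, confirms the class is reachable through the CLASSPATH in service.env, and reports when the active class is samples.JAASLoginModule. The function names, result strings and temporary fixture files are constructed for illustration, and the script assumes each stanza lists its module class as the first token on a line of its own.

```shell
#!/bin/sh
# Added example: audit the three files the procedure edits (paths are arguments).

# Stanza name selected by com.ibm.mq.MQXR.JAASConfig in a properties file.
jaas_stanza() {
    sed -n 's/^[[:space:]]*com\.ibm\.mq\.MQXR\.JAASConfig[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '[:space:]'
}

# First login module class in stanza $2 of jaas.config $1.
# Assumption: the class is the first token on its own line inside the braces.
stanza_class() {
    awk -v s="$2" '
        $0 ~ ("^[ \t]*" s "[ \t]*[{]") { in_s = 1; next }
        in_s && /[}]/ { exit }
        in_s && NF && $1 !~ /^(\/\/|\/\*|\*)/ { print $1; exit }' "$1"
}

# True if class $2 exists under a directory named in CLASSPATH in service.env $1.
# Jar entries on the class path are not inspected.
class_on_path() {
    cpath=$(sed -n 's/^CLASSPATH=//p' "$1" | tail -n 1)
    rel=$(printf '%s' "$2" | tr . /).class
    old_ifs=$IFS; IFS=:
    for dir in $cpath; do
        if [ -f "$dir/$rel" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs; return 1
}

# Prints one finding; returns 0 = custom module wired up, 1 = broken, 2 = sample module.
audit_amqp_jaas() {
    stanza=$(jaas_stanza "$1")
    [ -n "$stanza" ] || { echo "NO_PROPERTY"; return 1; }
    class=$(stanza_class "$2" "$stanza")
    [ -n "$class" ] || { echo "NO_STANZA:$stanza"; return 1; }
    class_on_path "$3" "$class" || { echo "CLASS_NOT_FOUND:$class"; return 1; }
    # The shipped sample accepts any username and password, so report it.
    if [ "$class" = "samples.JAASLoginModule" ]; then echo "SAMPLE_MODULE:$class"; return 2; fi
    echo "OK:$class"
}

# Constructed fixture mirroring the sample setup described on this page.
d=$(mktemp -d)
mkdir -p "$d/cp/samples" && : > "$d/cp/samples/JAASLoginModule.class"
echo 'com.ibm.mq.MQXR.JAASConfig=MQXRConfig' > "$d/amqp_unix.properties"
printf 'MQXRConfig {\n  samples.JAASLoginModule required;\n};\n' > "$d/jaas.config"
echo "CLASSPATH=$d/cp" > "$d/service.env"
audit_amqp_jaas "$d/amqp_unix.properties" "$d/jaas.config" "$d/service.env" || true
```

On a real system, pass the queue manager's amqp_unix.properties, jaas.config and service.env paths to audit_amqp_jaas in place of the fixture files.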