Destination based security and/or JNDI based security
Attention: The JBoss Application Server Platform is deprecated. For more information, see Deprecated components in Order Management Software.
You need to set up destination based security and/or JNDI based security.
About this task
For Oracle WebLogic, IBM® WebSphere® and IBM WebSphere MQ, and JBoss, specify the following name-value pairs in the parameter name and values explained in Table 1:
- For Destination Based Security, set the following parameters:
  sci.queuebasedsecurity.userid=<username configured in the APPLICATION_SERVER and assigned to the queue or topic>
  sci.queuebasedsecurity.password=<password for the above username as configured for the APPLICATION_SERVER>
  Note: Oracle WebLogic 12.2.1.3 only supports JNDI based JMS security. If destination based security is enabled, it is altogether bypassed. Therefore, you must configure JNDI based JMS security if using Oracle WebLogic 12.2.1.3.
  Note: JBoss does not support destination based security for JMS service. Only JNDI based security is supported.
  Note: For JBoss deprecation, see Deprecated components in Sterling Order Management System Software.
- For JNDI Based security, set the following parameters:
  java.naming.security.principal=<user ID configured in the APPLICATION_SERVER and assigned to the JNDI>
  java.naming.security.credentials=<password for the above user ID as configured for the APPLICATION_SERVER>
  Note: For more information about the authentication mechanism, setting up queues and topics, and Connection Factory, refer to individual Application Server's documentation.
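The following pre-flight check is an added example, not part of the product or its documentation. It reads the name-value pairs above and reports combinations that the notes rule out, such as destination based security alone on Oracle WebLogic 12.2.1.3 or JBoss. The server labels, function names and the name=value line format are assumptions made for the example.

```python
# Added example: pre-flight check of the JMS security name-value pairs.
DEST_KEYS = ("sci.queuebasedsecurity.userid", "sci.queuebasedsecurity.password")
JNDI_KEYS = ("java.naming.security.principal", "java.naming.security.credentials")
# Hypothetical server labels; the reasons come from the notes on this page.
JNDI_ONLY = {
    "weblogic-12.2.1.3": "bypasses destination based security",
    "jboss": "does not support destination based security for JMS",
}

def parse_pairs(text):
    """Parse 'name=value' lines; blank lines and '#' comments are skipped."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            pairs[name.strip()] = value.strip()
    return pairs

def _state(pairs, keys):
    """Return 'full', 'partial' or 'none' depending on which keys have values."""
    present = [k for k in keys if pairs.get(k)]
    return "full" if len(present) == len(keys) else ("partial" if present else "none")

def check_jms_security(server, pairs):
    """Return a list of findings; an empty list means the pairs are consistent."""
    findings = []
    dest, jndi = _state(pairs, DEST_KEYS), _state(pairs, JNDI_KEYS)
    for label, state, keys in (("destination", dest, DEST_KEYS), ("JNDI", jndi, JNDI_KEYS)):
        if state == "partial":
            missing = [k for k in keys if not pairs.get(k)]
            findings.append(f"{label} based security incomplete, missing: {', '.join(missing)}")
    if server in JNDI_ONLY:
        if dest != "none":
            findings.append(f"{server} {JNDI_ONLY[server]}; sci.queuebasedsecurity.* has no effect")
        if jndi != "full":
            findings.append(f"{server} needs JNDI based security to be configured")
    elif dest == "none" and jndi == "none":
        findings.append("no destination based or JNDI based security configured")
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """
sci.queuebasedsecurity.userid=jmsuser
sci.queuebasedsecurity.password=example-password
"""
```
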
For IBM WebSphere and IBM WebSphere MQ, set up the desired forms of authentication and encryption where appropriate. Additionally, modify the Java™ commands as described below to suit the desired goal.
Before modifying, ensure that you have defined the following variables in your environment:
- WAS_HOME refers to the installation directory of the IBM WebSphere software.
- MQ_HOME refers to the installation location of the IBM WebSphere MQ software.
- PROFILE_NAME refers to the name of the profile in which you created the server.
- To allow agents to be authenticated to IBM WebSphere JNDI, add the following definitions:
  -Djava.ext.dirs=<CLASSPATH>, where the CLASSPATH should contain the following directories:
  $MQ_HOME\java\lib
  $WAS_HOME\AppServer\java\jre\lib\ext
  $WAS_HOME\AppServer\java\jre\lib
  $WAS_HOME\AppServer\lib
  $WAS_HOME\AppServer\lib\ext
  $WAS_HOME\AppServer\properties
  $WAS_HOME\AppServer\profiles\<PROFILE_NAME>\properties
  com.ibm.CORBA.ConfigURL should be set to the full path to the sas props file that you want to use, such as -Dcom.ibm.CORBA.ConfigURL=$WAS_HOME/AppServer/profiles/<PROFILE_NAME>/properties/sas.client.props.
  The SAS props file is obtained from the IBM WebSphere installation. You need to modify this text file to contain the username and password to be used for authentication to the IBM WebSphere (corbaloc based) JNDI.
  Note: For more information about how to set any of the above-mentioned definitions, refer to the IBM documentation. Specifically, read the IBM WebSphere documentation to understand how to enable and configure Global security.
- To enable SSL encryption on the transmission of JMS messages to MQ, enable SSL on the channel to which your agents and services are connected. Create the Connection Factory using the equivalent SSLCIPHERSPEC. On the Java command line, specify the following definitions:
  - javax.net.ssl.trustStore
  - javax.net.ssl.keyStorePassword
  - javax.net.ssl.keyStore
  Note: Refer to the IBM WebSphere MQ documentation to learn how to turn on the SSL on the server channel to which the Sterling Order Management System Software agents and services connect. For more information about how to use the SSLCIPHERSPEC option while creating the Connection Factory, see the IBM documentation.
For JBoss, before modifying, ensure that you have added the following jars to the CLASSPATH:
- JBOSS_HOME refers to the installation directory of the JBoss software.
- To allow agents to be authenticated to JBoss JNDI, add the following definitions:
  -Djava.ext.dirs=<CLASSPATH>, where the CLASSPATH should contain the following directories:
  <JBOSS_HOME>/client/jbossall-client.jar
  <JBOSS_HOME>/server/<server-home>/jboss-aop-jdk50.deployer/jboss-aop-jdk50.jar
  <JBOSS_HOME>/jboss-messaging-client.jar