Java Authentication and Authorization Service (JAAS) custom modules can be used to
authenticate username and password credentials passed to an AMQP channel by an AMQP client when it
connects.
About this task
You might want to use a custom JAAS module if you already use JAAS modules for authentication in
other Java-based systems, and want to reuse those modules for authenticating AMQP connections to MQ.
Alternatively, you might want to write a custom JAAS module if the authentication features built
into MQ do not support the authentication mechanism you want to use.
Configuration of JAAS modules for AMQP channels is done at a queue manager level. This means
that, if you configure a JAAS module for authenticating AMQP connections to the queue manager, the
module will apply to all AMQP channels. The name of the channel that has invoked the JAAS module is
passed to the module, allowing you to code different JAAS login behavior for different
channels.
Other information is also passed to the JAAS module:
- The client ID of the AMQP client that is attempting to authenticate.
- The network address of the AMQP client.
- The name of the channel that invoked the JAAS module.
Procedure
You configure a JAAS configuration module for AMQP channels by completing the
following steps:
- Define a jaas.config file containing one or more JAAS module configuration
  stanzas. The stanza must specify the fully qualified name of the Java class that implements the JAAS
  javax.security.auth.spi.LoginModule interface.
  - A default jaas.config file is shipped with the product and is located
    in QM_data_directory/amqp/jaas.config.
  - A preconfigured stanza named MQXRConfig is already defined in the default
    jaas.config file.
- Specify the name of the stanza to use for AMQP channels.
  - Add a property to the amqp_unix.properties file.
  - Add a property to the amqp_win.properties file.
  The property has the following form:
  com.ibm.mq.MQXR.JAASConfig=JAAS_stanza_name
  for example:
  com.ibm.mq.MQXR.JAASConfig=MQXRConfig
- Configure the queue manager environment to include the class of the custom module. The AMQP
  service must have access to the Java class configured in the JAAS configuration stanza.
  You do this by adding the path to the JAAS class to the MQ service.env file.
  Edit the service.env file in the MQ configuration directory
  (MQ_config_directory) or the queue manager configuration directory
  (QM_config_directory) to set the CLASSPATH variable to the location of the JAAS
  module class.
What to do next
A sample JAAS login module is shipped with the product in the
mq_installation_directory/amqp/samples directory. The sample JAAS
login module authenticates all client connections, regardless of the username or password the client
connects with. You can modify the source code of the sample and recompile it to try
authenticating only specific users with a particular password. To configure the AMQP channel on a
UNIX system to use the sample JAAS login module shipped with the product:
- Edit the file /var/mqm/qmgrs/QMNAME/amqp/amqp_unix.properties and set the
  property com.ibm.mq.MQXR.JAASConfig=MQXRConfig.
- Edit the file /var/mqm/service.env and set the property
  CLASSPATH=mq_installation_location/amqp/samples
The jaas.config file already contains a stanza named MQXRConfig that specifies the sample
class samples.JAASLoginModule as the login module class. No changes are required to
jaas.config before you try the sample module.
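As an added example (not the sample shipped with the product, and not IBM code), the following login module accepts a single configured user, which is the kind of change to the sample described above. It assumes the AMQP service supplies the username and password through the standard JAAS NameCallback and PasswordCallback; the class name and the stanza options user, salt and hash are hypothetical.

```java
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Added example; class name and stanza options user/salt/hash are hypothetical.
public class PinnedUserLoginModule implements LoginModule {
    private static final int ITERATIONS = 210_000; // must match the value used to create "hash"
    private CallbackHandler handler;
    private Map<String, ?> options; // key=value options from the jaas.config stanza
    private boolean succeeded;
    @Override public void initialize(Subject subject, CallbackHandler handler,
            Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler; this.options = options;
    }

    @Override public boolean login() throws LoginException {
        // Assumption: the AMQP service answers these two standard JAAS callbacks.
        NameCallback name = new NameCallback("NameCallback");
        PasswordCallback pass = new PasswordCallback("PasswordCallback", false);
        char[] supplied = null;
        try {
            handler.handle(new Callback[] { name, pass });
            supplied = pass.getPassword();
            byte[] salt = Base64.getDecoder().decode((String) options.get("salt"));
            byte[] want = Base64.getDecoder().decode((String) options.get("hash"));
            PBEKeySpec spec = new PBEKeySpec(supplied, salt, ITERATIONS, want.length * 8);
            byte[] got = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            spec.clearPassword();
            succeeded = supplied != null && options.get("user").equals(name.getName())
                    && MessageDigest.isEqual(got, want); // constant-time comparison
        } catch (Exception e) {
            succeeded = false; // missing option or callback failure: fail closed
        } finally {
            pass.clearPassword();
            if (supplied != null) Arrays.fill(supplied, '\0');
        }
        if (!succeeded) throw new FailedLoginException("Authentication failed");
        return true;
    }
    @Override public boolean commit() { return succeeded; }
    @Override public boolean abort()  { succeeded = false; return true; }
    @Override public boolean logout() { succeeded = false; return true; }
}
```

This example stores only a salted PBKDF2 hash in the stanza rather than the password itself, and it does not add a Principal to the Subject in commit(), which a production module would normally do.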