Using authentication aliases with enterprise applications
When an enterprise application running inside of WebSphere® Application Server attempts to create a JMS connection to IBM® MQ, the application looks up an IBM MQ messaging provider connection factory definition from the Java Naming and Directory Interface (JNDI) repository of the application server. The application then calls one of the following methods on the connection factory to create the connection:
ConnectionFactory.createConnection()
ConnectionFactory.createConnection(String username, String password)
If the connection factory has been configured with a J2C authentication alias, then the user name and password in the authentication alias can be flowed down to IBM MQ when the connection factory is used to create a connection.
Connection factories and authentication aliases
IBM MQ messaging provider connection factories contain information on how to connect to IBM MQ queue managers. Enterprise applications running inside of WebSphere Application Server can use the connection factories to create JMS connections to IBM MQ.
WebSphere Application Server stores connection factory definitions in a repository that can be accessed using JNDI. When a connection factory is created, it is given a JNDI name that uniquely identifies it at the application server scope (Cell, Node or Server) at which it has been defined.
For example, an IBM MQ messaging provider connection factory defined at the WebSphere Application Server Cell scope contains information on how to connect to the queue manager myQM using the BINDINGS transport. This connection factory is given the JNDI name jms/myCF to uniquely identify it.
Connection factories can also be configured to use an authentication alias. Authentication aliases map to a user name and password combination. Depending on how the connection factory is used, the user name and password in the authentication alias might, or might not, be flowed down to IBM MQ when the JMS connection is created.
Before IBM MQ 8.0, no checks were made to validate the password that was specified. To perform an authentication check, and validate that the user identifier and password match, you needed to write an IBM MQ channel security exit. Details on how to do this can be found in Channel security exit programs.
From IBM MQ 8.0, the queue manager checks the password in addition to the user name.
Using the connection factory
Using the CLIENT transport
Connection factories that are configured to use the CLIENT transport must specify which IBM MQ server connection channel (SVRCONN) they are going to use to connect to the queue manager.
If the message channel agent user identifier (MCAUSER) property is left blank on the channel that the connection factory has been configured to use, then the connection factory can be used with either a direct look-up or an indirect look-up (through a resource reference).
If the MCAUSER property is set to a user identifier, that user identifier is passed down to IBM MQ when the connection factory is used to create a connection, regardless of whether the enterprise application uses a direct or an indirect look-up.
Summary tables
The following tables summarize which user identifiers are flowed down to IBM MQ when the BINDINGS transport and the CLIENT transport, respectively, are used.

BINDINGS transport:

Configuration | Application calls ConnectionFactory.createConnection() | Application calls ConnectionFactory.createConnection(String username, String password)
---|---|---
Application's deployment descriptor does not contain a Resource Reference for the connection factory | The user identifier for the application server process is flowed down to IBM MQ. | The user identifier and password that were passed into the ConnectionFactory.createConnection(String username, String password) method are flowed down to IBM MQ.
Application's deployment descriptor contains a Resource Reference for the connection factory and the res-auth property is set to "Application" | The user identifier for the application server process is flowed down to IBM MQ. | The user identifier and password that were passed into the ConnectionFactory.createConnection(String username, String password) method are flowed down to IBM MQ.
Application's deployment descriptor contains a Resource Reference for the connection factory and the res-auth property is set to "Container" | The user identifier and password specified in the authentication alias for the connection factory are flowed down to IBM MQ. | The user identifier and password specified in the authentication alias for the connection factory are flowed down to IBM MQ.
Application's deployment descriptor contains a Resource Reference for the connection factory with the res-auth property set to "Container", and the application has been configured with an authentication alias | The user identifier and password specified in the authentication alias that the application has been configured to use are flowed down to IBM MQ. | The user identifier and password specified in the authentication alias that the application has been configured to use are flowed down to IBM MQ.
CLIENT transport:

Configuration | Application calls ConnectionFactory.createConnection() | Application calls ConnectionFactory.createConnection(String username, String password)
---|---|---
Application's deployment descriptor does not contain a Resource Reference for the connection factory, and the connection factory is configured to use an IBM MQ channel that has the MCAUSER property unset | The user identifier for the application server process is flowed down to IBM MQ. | The user identifier and password that were passed into the ConnectionFactory.createConnection(String username, String password) method are flowed down to IBM MQ.
Application's deployment descriptor does not contain a Resource Reference for the connection factory, and the connection factory is configured to use an IBM MQ channel that has the MCAUSER property set to a user identifier | The user identifier specified by the MCAUSER property on the IBM MQ channel that the connection factory is configured to use is flowed down to IBM MQ. | The user identifier specified by the MCAUSER property on the IBM MQ channel that the connection factory is configured to use is flowed down to IBM MQ.
Application's deployment descriptor contains a Resource Reference for the connection factory with the res-auth property set to "Application", and the connection factory is configured to use an IBM MQ channel that has the MCAUSER property unset | The user identifier for the application server process is flowed down to IBM MQ. | The user identifier and password that were passed into the ConnectionFactory.createConnection(String username, String password) method are flowed down to IBM MQ.
Application's deployment descriptor contains a Resource Reference for the connection factory with the res-auth property set to "Application", and the connection factory is configured to use an IBM MQ channel that has the MCAUSER property set to a user identifier | The user identifier specified by the MCAUSER property on the IBM MQ channel that the connection factory is configured to use is flowed down to IBM MQ. | The user identifier specified by the MCAUSER property on the IBM MQ channel that the connection factory is configured to use is flowed down to IBM MQ.
Application's deployment descriptor contains a Resource Reference for the connection factory with the res-auth property set to "Container", and the connection factory is configured to use an IBM MQ channel that has the MCAUSER property unset | The user identifier and password specified in the authentication alias for the connection factory are flowed down to IBM MQ. | The user identifier and password specified in the authentication alias for the connection factory are flowed down to IBM MQ.
Application's deployment descriptor contains a Resource Reference for the connection factory with the res-auth property set to "Container", and the connection factory is configured to use an IBM MQ channel that has the MCAUSER property set to a user identifier | The user identifier specified by the MCAUSER property on the IBM MQ channel that the connection factory is configured to use is flowed down to IBM MQ. | The user identifier specified by the MCAUSER property on the IBM MQ channel that the connection factory is configured to use is flowed down to IBM MQ.
Application's deployment descriptor contains a Resource Reference for the connection factory with the res-auth property set to "Container", the application has been configured with an authentication alias, and the connection factory is configured to use an IBM MQ channel that has the MCAUSER property unset | The user identifier and password specified in the authentication alias that the application has been configured to use are flowed down to IBM MQ. | The user identifier and password specified in the authentication alias that the application has been configured to use are flowed down to IBM MQ.
Application's deployment descriptor contains a Resource Reference for the connection factory with the res-auth property set to "Container", the application has been configured with an authentication alias, and the connection factory is configured to use an IBM MQ channel that has the MCAUSER property set to a user identifier | The user identifier specified by the MCAUSER property on the IBM MQ channel that the connection factory is configured to use is flowed down to IBM MQ. | The user identifier specified by the MCAUSER property on the IBM MQ channel that the connection factory is configured to use is flowed down to IBM MQ.
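The following is an added example, not code from the IBM documentation, showing the two look-up styles the tables distinguish and which row of the tables each one lands on. The JNDI name jms/myCF comes from the text above; the resource reference name jms/myCFRef, the class name, and the method names are assumptions.

```java
// Added example (not from the IBM documentation). jms/myCF is the JNDI name used
// in the text; java:comp/env/jms/myCFRef and the class name are assumptions.
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class MqIdentityFlowExample {

    /*
     * Indirect look-up: the application's deployment descriptor (web.xml or
     * ejb-jar.xml) declares a resource reference. With res-auth "Container" the
     * container supplies the user name and password from the authentication
     * alias, and any credentials the application itself passes are ignored:
     *
     *   <resource-ref>
     *     <res-ref-name>jms/myCFRef</res-ref-name>
     *     <res-type>javax.jms.ConnectionFactory</res-type>
     *     <res-auth>Container</res-auth>
     *   </resource-ref>
     */
    public Connection connectViaResourceReference() throws NamingException, JMSException {
        InitialContext ctx = new InitialContext();
        ConnectionFactory cf = (ConnectionFactory) ctx.lookup("java:comp/env/jms/myCFRef");
        // res-auth=Container: the identity flowed to IBM MQ is the one in the
        // authentication alias (application alias if set, else the factory's).
        return cf.createConnection();
    }

    /*
     * Direct look-up: no resource reference, so the "does not contain a Resource
     * Reference" rows apply. Without credentials the application server process
     * identity flows to IBM MQ; with credentials, those flow instead. Over the
     * CLIENT transport a channel with MCAUSER set overrides both.
     */
    public Connection connectDirectly(String user, String password) throws NamingException, JMSException {
        InitialContext ctx = new InitialContext();
        ConnectionFactory cf = (ConnectionFactory) ctx.lookup("jms/myCF");
        if (user == null) {
            return cf.createConnection();            // process identity flows to IBM MQ
        }
        return cf.createConnection(user, password);  // supplied credentials flow to IBM MQ
    }
}
```

When reviewing an application, the presence or absence of the resource reference and its res-auth value is what decides whether credentials in the code, the authentication alias, or the server process identity reach the queue manager.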