Securing messaging
The steps to take to secure asynchronous messaging.
About this task
Security for messaging is enabled only when WebSphere® Application Server administrative security is enabled. In this case:
- JMS connections made to a messaging provider are authenticated.
- Access to JMS resources owned by a messaging provider is controlled by access authorizations.
- Requests to create new connections to a messaging provider must include a user ID and password for authentication.
- The user ID and password do not have to be provided by the application.
Standard Java™ EE Connector Architecture (JCA) authentication is used for a request to create a new connection to a messaging provider. If authentication is successful, the JMS connection is created; if authentication fails, the connection request is ended.
- User IDs that are longer than
12 characters cannot be used for
authentication with a WebSphere MQ network. For
example, the default Windows NT user
ID
Administrator
is not valid for use in this context because it contains 13 characters. ![[z/OS]](../images/ngzos.svg)
Users
that exploit the connection thread
identity support do not have to provide a user ID and password
for authentication.- In
addition to the authorization needed for creating a connection to
a messaging provider, you also typically need authorization to access
specific JMS resources associated with that provider. For example,
if you are using the WebSphere MQ messaging provider
to connect to a WebSphere MQ network, you might also need
permission from the WebSphere MQ network to write
to a given queue.
- To enable the WebSphere MQ messaging provider to connect in bindings transport mode to WebSphere MQ, you set
theTransport type parameter on the WebSphere MQ queue connection factory to
BINDINGS, and you configure the WebSphere MQ messaging provider
with native libraries information.
![[AIX Solaris HP-UX Linux Windows]](../images/ngdist.svg)
![[IBM i]](../images/ngibmi.svg)
You must also choose one of the
following options: - If you are using security credentials (user ID and password), ensure that the user specified is the current logged-on user for the WebSphere Application Server process, otherwise the following WebSphere MQ JMS Bindings authentication exception message is generated: MQJMS2013 invalid security authentication supplied for MQQueueManager.
- If you are not using security credentials, ensure that neither the Component-managed Authentication Alias nor the Container-managed Authentication Alias properties are set on the connection factory.
To secure your asynchronous messaging, complete one or more of the following steps:
Procedure
- Use JCA authentication to create a new connection to the
messaging provider.
If the resource authentication (res-auth) property is set to Application, set the Component-managed Authentication Alias property on the connection factory. If the application that tries to create a connection to the messaging provider specifies a user ID and password, those values are then used to authenticate the creation request. Otherwise, the values defined by the Component-managed Authentication Alias property are used. If you do not set the Component-managed Authentication Alias property on the connection factory, a runtime JMS exception message is generated when an attempt is made to connect to the messaging provider.
If
the res-auth property is set to Container, set the Container-managed
Authentication Alias property on the connection factory,
and specify the user ID and password within this alias. If you are
using bindings transport mode, then you can use the connection thread identity support instead
of specifying a container-managed alias.