MSGS0508E errors when WebSphere Application Server Global Security is enabled

Technote (FAQ)
Problem
JMSSecuritySe E MSGS0508E: The JMS Server security service was unable to authenticate userid: <user>
FreePool E J2CA0046E: Method createManagedConnctionWithMCWrapper caught an exception during creation of the ManagedConnection for resource <resource>, throwing ResourceAllocationException. Original exception: javax.resource.spi.ResourceAdapterInternalException: createQueueConnection failed
at com.ibm.ejs.jms.JMSCMUtils.mapToResourceException(JMSCMUtils.java:125)
at com.ibm.ejs.jms.JMSManagedQueueConnection.createConnection(JMSManagedQueueConnection.java:174)
at com.ibm.ejs.jms.JMSManagedConnection.<init>(JMSManagedConnection.java:166)


Next Linked Exception:
javax.jms.JMSSecurityException: MQJMS2013: invalid security authentication supplied for MQQueueManager
at com.ibm.mq.jms.MQConnection.createQM(MQConnection.java:1685)
at com.ibm.mq.jms.MQConnection.createQMXA(MQConnection.java:1077)
at com.ibm.mq.jms.MQQueueConnection.<init>(MQQueueConnection.java:123)
Cause
When WebSphere® Application Server Global Security is enabled, any attempt to access an embedded messaging resource (such as a queue manager or queue) causes the Java™ Messaging Service (JMS) Server to validate the user who is making the access attempt. This validation is a two-stage process:

  • Authenticate the user. To do this, the JMS Security Service checks that the user ID defined in the Connection Factory's Authentication Alias is defined in the User Registry that is being used by the Application Server.
  • Check if the user has the authority to access the JMS resource, by looking at the file:
    WAS_HOME\config\cells\<cell_name>\integral-jms-authorizations.xml.
Solution
To solve this problem, use the Administrative Console to specify an Authentication Alias when defining Queue and Topic Connection Factories. The alias maps to a username and password. When WebSphere Application Server Global Security is switched on and an application attempts to use the Connection Factory, the username and password are passed to the JMS Security Service.

The Authentication Alias must map to a username and password that are known to the Active User Registry that is used by the Application Server. If the alias does not map to a valid username/password, the exception shown above results.

To find out what Active User Registry is being used:
  1. Start the Application Server.

  2. Open the administrative console, and log in.

  3. In the left pane, expand Security, then click Global Security.

  4. Look at the value of the Active User Registry property.

    Possible values are Local OS, LDAP and Custom. Ensure that the username specified in the alias also exists in this User Registry.
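
Added example (not part of the original technote and not IBM code): a log triage script that pulls the rejected user ID from each MSGS0508E record and lists the resources whose J2CA0046E failure carries MQJMS2013, so you know which alias user to look up in the Active User Registry. The log-line prefix format, the sample records, and the pairing of a failure with the most recent rejected user ID are assumptions.

```python
import re

# Constructed sample in SystemOut.log style: timestamps, thread IDs, user IDs and
# resource names are invented; the message texts follow the errors quoted above.
AUTH_LINE = ("[7/26/04 10:15:{t} EDT] 0000001c JMSSecuritySe E MSGS0508E: The JMS Server "
             "security service was unable to authenticate userid: {user}\n")
ALLOC_LINE = ("[7/26/04 10:15:{t} EDT] 0000002a FreePool E J2CA0046E: Method "
              "createManagedConnctionWithMCWrapper caught an exception during creation of the "
              "ManagedConnection for resource {res}, throwing ResourceAllocationException.\n"
              "Next Linked Exception:\n{linked}\n")
SEC = ("javax.jms.JMSSecurityException: MQJMS2013: invalid security authentication "
       "supplied for MQQueueManager")
OTHER = "javax.jms.JMSException: MQJMS2005: failed to create MQQueueManager for 'QM1'"
SAMPLE_LOG = (
    AUTH_LINE.format(t="32:101", user="jmsapp")
    + ALLOC_LINE.format(t="32:140", res="jms/OrderQCF", linked=SEC)
    + ALLOC_LINE.format(t="40:007", res="jms/AuditQCF", linked=OTHER)  # not a security failure
    + AUTH_LINE.format(t="51:310", user="batchsvc")
    + ALLOC_LINE.format(t="51:322", res="jms/BatchQCF", linked=SEC)
)

AUTH_FAIL = re.compile(r"MSGS0508E: .*unable to authenticate userid: (\S+)")
ALLOC_FAIL = re.compile(r"J2CA0046E: .*for resource (\S+?), throwing")

def triage(log_text):
    """Return {rejected user ID: [resources that then failed with MQJMS2013]}.
    Pairing uses log order (most recent MSGS0508E), a heuristic, not a join."""
    failures = {}
    last_user = None   # user ID from the most recent MSGS0508E record
    pending = None     # J2CA0046E resource still waiting for its linked exception
    for line in log_text.splitlines():
        if line.startswith("["):           # assumed: every new record starts with "["
            pending = None
            m = AUTH_FAIL.search(line)
            if m:
                last_user = m.group(1)
                failures.setdefault(last_user, set())
                continue
            m = ALLOC_FAIL.search(line)
            if m:
                pending = m.group(1)
        elif pending and "MQJMS2013" in line:   # continuation line of the stack trace
            failures.setdefault(last_user or "<unknown>", set()).add(pending)
            pending = None
    return {user: sorted(res) for user, res in failures.items()}

if __name__ == "__main__":
    for user, resources in triage(SAMPLE_LOG).items():
        print(f"check alias user '{user}' in the Active User Registry; affected: {resources}")
```

Resources whose J2CA0046E has a different linked exception (jms/AuditQCF in the sample) are left out, because that allocation failure has another cause.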

Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, Java Message Service (JMS)
Operating system(s): Multi-Platform
Software version: 3.5, 4.0, 5.0, 5.1, 6.0
Reference #: 1175157
IBM Group: Software Group
Modified date: 2004-07-26