JMS security exceptions when starting with Global Security enabled
 Technote (troubleshooting)
 
Problem (Abstract)
When Global Security is enabled in IBM® WebSphere® Application Server V5.0 with Embedded Messaging, the following errors may occur when using a Queue Connection Factory (QCF) or Topic Connection Factory (TCF) to connect to a queue or topic:

MSGS0508E: The JMS Server security service was unable to authenticate userid: {0}

MSGS0509E: The JMS Server security service was unable to authorize userid {0} to access resource {1} with {2} permission

These errors would not occur if the full WebSphere MQ product or a third-party Messaging product were used.
 
Cause
When Global Security is enabled, the Embedded JMS Security service will attempt to authorize the userid specified in the J2C Authentication Alias in the Queue or Topic Connection Factory definition. The MSGS0508E or MSGS0509E errors may occur in the following circumstances:
  • There is no Container-managed or Component-managed J2C Authentication Alias defined on the QCF or TCF.
  • A J2C Authentication Alias has been defined on the QCF or TCF, but the user id specified in the Authentication Alias does not have the proper permissions to access the resource. This would only occur if the integral-jms-authorizations.xml file has been modified; by default, permission is granted for all user ids to access all queues and topics.
  • If the user id listed in the error message is blank or null, this is due to an existing defect that is fixed by APAR PQ89413. The fix is included in Application Server versions 5.1.0.5 and 5.1.1.
 
Resolving the problem
To resolve the problem:
  • Ensure that a Container-managed or Component-managed J2C Authentication Alias is specified on the QCF or TCF.
  • Ensure that the proper permissions are granted in the integral-jms-authorizations.xml file for the user id that is being used. The integral-jms-authorizations.xml file is located in the <install_root>/config/cells/<Cell Name> directory. Instructions on how to edit this file are located in the Application Server Information Center:

    For V5.0:
    Configuring authorization security for the embedded WebSphere JMS provider

    For V5.1:
    Configuring authorization security for the embedded WebSphere JMS provider

  • If the user id listed in the error message is blank, upgrade to a version of WebSphere Application Server that includes the APAR fix for PQ89413.
    • For Application Server V5.1, upgrade to Application Server version 5.1.0.5, 5.1.1, or later.
    • For Application Server V5.0.2, upgrade to Application Server V5.0.2.7 or later.
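
To apply the checks above to a server log, the following added example (not IBM code) scans log text for the two message IDs and suggests which check to make first. The log line prefix, user ids and resource names are constructed, and the mapping from each message to a first check is this example's reading of the causes listed in this technote.

```python
import re

# Patterns derived from the two message templates quoted in this technote;
# the placeholders {0}, {1}, {2} become capture groups.
AUTHN = re.compile(r"MSGS0508E: .*?unable to authenticate userid:?\s*(?P<user>\S*)")
AUTHZ = re.compile(
    r"MSGS0509E: .*?unable to authorize userid\s*(?P<user>.*?)\s*to access resource\s+"
    r"(?P<resource>\S+)\s+with\s+(?P<perm>\S+)\s+permission")

def triage(line):
    """Return a dict describing one JMS security failure, or None for other lines."""
    m, code = AUTHZ.search(line), "MSGS0509E"
    if not m:
        m, code = AUTHN.search(line), "MSGS0508E"
    if not m:
        return None
    info = {"code": code, **m.groupdict()}
    if info["user"] in ("", "null"):
        # Blank or null user id: the defect the technote ties to APAR PQ89413.
        info["check"] = "blank user id: move to a level that includes APAR PQ89413"
    elif code == "MSGS0509E":
        info["check"] = "review this user id's permissions in integral-jms-authorizations.xml"
    else:
        info["check"] = "verify the J2C Authentication Alias on the QCF or TCF"
    return info

def triage_log(text):
    """Triage every line of a log and keep only the JMS security failures."""
    return [hit for hit in map(triage, text.splitlines()) if hit]

# Constructed sample lines: timestamps, user ids and resource names are made up.
SAMPLE_LOG = "\n".join([
    "[t1] E MSGS0508E: The JMS Server security service was unable to authenticate userid:",
    "[t2] E MSGS0509E: The JMS Server security service was unable to authorize userid "
    "appuser to access resource ORDERS.Q with write permission",
    "[t3] E MSGS0509E: The JMS Server security service was unable to authorize userid "
    "null to access resource ORDERS.Q with read permission",
    "[t4] I Application started",
])

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["code"], repr(hit["user"]), "->", hit["check"])
```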
 
Related information
WebSphere Application Server Recommended Fixes
 
 
Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK
Platform:
Version:
Edition:
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Java Message Service (JMS)
Operating system(s): Windows
Software version: 5.1.1
Software edition:
Reference #: 1177017
IBM Group: Software Group
Modified date: Aug 17, 2004