Asynchronous messaging - security considerations
This topic describes considerations that you should be aware of
if you want to use security for asynchronous messaging with WebSphere Application
Server.
Security for messaging operates as a part of the WebSphere Application
Server global security, and is enabled only when global security is enabled.
When global security is enabled, JMS connections made to the JMS provider
are authenticated, and access to JMS resources owned by the JMS provider is
controlled by access authorizations. Also, all requests to create new connections
to the JMS provider must provide a user ID and password for authentication.
The user ID and password do not need to be provided by the application. If
authentication is successful, then the JMS connection is created; if the authentication
fails then the connection request is ended.
Standard J2C authentication is used for a request to create a new connection
to the JMS provider. You can specify a Component-managed Authentication Alias
and a Container-managed Authentication Alias for each JMS connection factory.
The use of the associated J2C authentication data entries depends on the resource
authentication (res-auth) setting, as follows:
- If your resource authentication (res-auth) is set to Application, set
the alias in the Component-managed Authentication Alias. If the application
that tries to create a connection to the JMS provider specifies a user ID
and password, those values are used to authenticate the creation request.
If the application does not specify a user ID and password, the values defined
by the Component-managed Authentication Alias are used. If the connection
factory is not configured with a Component-managed Authentication Alias, then
you receive a runtime JMS exception when an attempt is made to connect to
the JMS provider.
- If your res-auth is set to Container, set the Container-managed Authentication
Alias. The values defined by the Container-managed Authentication Alias are
used to authenticate the creation request. If you do not specify an alias,
then you receive a runtime JMS exception when an attempt is made to connect
to the JMS provider.
Note:
- User IDs longer than 12 characters cannot be used for authentication with
the embedded WebSphere JMS provider. For example, the default Windows NT user
ID, Administrator, is not valid for use with embedded WebSphere messaging,
because it contains 13 characters. Therefore, an authentication alias for
a WebSphere JMS provider connection factory must specify a user ID no longer
than 12 characters.
- If you want to use a WebSphere MQ JMS Provider JMS connection
in Bindings transport mode, set the property Transport type=BINDINGS
on the WebSphere MQ Queue Connection Factory. You must also choose one of
the following options:
  - To use security credentials, ensure that the user specified
  is the currently logged on user for the WebSphere Application Server process.
  If the user specified is not the currently logged on user for the WebSphere
  Application Server process, then the WebSphere MQ JMS Bindings authentication
  throws the error MQJMS2013 invalid security authentication supplied for
  MQQueueManager.
  - Do not specify security credentials. On the WebSphere MQ Connection Factory,
  ensure that both the Component-managed Authentication Alias and the Container-managed
  Authentication Alias properties are not set.
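
The alias rules above can be checked against a list of connection factories before deployment. The following Python check is an added example, not IBM code: it applies the res-auth, 12-character, and Bindings transport rules from this topic to constructed connection factory descriptions. The Factory fields, the sample JNDI names, and the user IDs are assumptions made for the example and are not WebSphere's configuration schema.

```python
from dataclasses import dataclass
from typing import List, Optional

EMBEDDED_MAX_USER_ID = 12  # limit this topic states for the embedded WebSphere JMS provider

@dataclass
class Factory:
    # Hypothetical field names for this example, not WebSphere's configuration schema.
    name: str
    provider: str                         # "embedded" or "mq"
    res_auth: str                         # "Application" or "Container"
    component_user: Optional[str] = None  # user ID in the Component-managed alias
    container_user: Optional[str] = None  # user ID in the Container-managed alias
    transport: str = "CLIENT"             # "BINDINGS" or "CLIENT" (WebSphere MQ only)

def check_factory(f: Factory, process_user: str) -> List[str]:
    """Return findings for one connection factory when global security is enabled."""
    findings = []
    set_users = [u for u in (f.component_user, f.container_user) if u]
    if f.provider == "mq" and f.transport == "BINDINGS":
        # Bindings mode: either no alias is set, or the alias user must be
        # the user the application server process is running as.
        if any(u != process_user for u in set_users):
            findings.append("bindings alias user is not the server process user (MQJMS2013)")
        return findings
    if f.res_auth == "Application" and not f.component_user:
        findings.append("no Component-managed alias: connect fails unless the "
                        "application supplies a user ID and password")
    if f.res_auth == "Container" and not f.container_user:
        findings.append("no Container-managed alias: runtime JMS exception on connect")
    if f.provider == "embedded":
        for u in set_users:
            if len(u) > EMBEDDED_MAX_USER_ID:
                findings.append(f"user ID '{u}' exceeds {EMBEDDED_MAX_USER_ID} characters")
    return findings

# Constructed sample factories (names and user IDs are made up for illustration).
SAMPLES = [
    Factory("jms/OrdersQCF", "embedded", "Container", container_user="Administrator"),
    Factory("jms/AuditQCF", "embedded", "Application"),
    Factory("jms/MQLocalQCF", "mq", "Container", container_user="appsvc", transport="BINDINGS"),
    Factory("jms/MQNoCredsQCF", "mq", "Application", transport="BINDINGS"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        for finding in check_factory(s, process_user="wasadmin") or ["ok"]:
            print(f"{s.name}: {finding}")
```
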
Authorization to access JMS resources owned by the embedded WebSphere JMS
provider is controlled by authorization data in the config\integral-jms-authorisations.xml
file. For information about editing this file, see Configuring authorization security for the embedded WebSphere JMS provider.

Searchable topic ID: cm_secty
Last updated: Jun 21, 2007 9:56:50 PM CDT
WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/cm_secty.html