IBM MQ server: Connection and authentication

Each IBM MQ server definition includes the connection properties and authentication settings that service integration uses to connect to the associated IBM MQ queue manager or queue-sharing group, either for resource discovery or for messaging.

Connection

Service integration connects to the IBM MQ network in the following situations:
  • When, as part of the process of creating an IBM MQ server by using the administrative console, the automatic resource discovery process runs to capture resource information directly from IBM MQ. The wsadmin commands do not support automatic discovery of resources.
  • When the IBM MQ server is used to pass messages between service integration and IBM MQ.
The connection access path is determined by the host, port, transport chain and IBM MQ connection channel that you specify when you create the IBM MQ server definition. You get this information from the IBM MQ system administrator. The connection access path is also affected by the connection mode that you specify:
  • You can use client transport mode to establish a TCP/IP network connection between service integration and IBM MQ.
  • If WebSphere® Application Server and IBM MQ are co-located on the same system (or, for z/OS® systems, on the same partition of the same system) it is more efficient to use bindings transport mode to connect between service integration and IBM MQ.

For information about the mechanisms used to connect to IBM MQ for z/OS, see the z/OS System Setup Guide in the IBM MQ information center.

Authentication

The IBM MQ system administrator will probably want service integration to authenticate with IBM MQ whenever it connects. This happens whenever message data needs to be exchanged with a queue point or a mediation point that is assigned to an IBM MQ server bus member, and when the automated resource discovery process runs while you are configuring an IBM MQ server by using the administrative console.

The IBM MQ system administrator might also want to set up two different user accounts on the IBM MQ system: one with only the privileges needed for resource discovery, and one with only the privileges needed for messaging. The IBM MQ server definition supports this requirement by allowing you to configure the MQ server with two authentication aliases, corresponding to these two accounts.

Authentication aliases are restricted to a maximum of 12 characters in length, because the user ID that IBM MQ uses for checking the identity of new connections also has this restriction. If authentication aliases exceed 12 characters in length, they are truncated.

If you use Resource Access Control Facility (RACF®) as the security manager on the IBM MQ for z/OS system, and you use bindings transport mode, you must specify the user name and password in the authentication alias in upper-case characters. If you use RACF with client transport mode, you can specify the user name and password in either upper-case or lower-case characters.

Where an authentication alias exists, the user name and password it contains are examined by IBM MQ by using an IBM MQ channel security exit. IBM MQ for z/OS provides a sample security exit, CSQ4BCX3, which demonstrates how you can authenticate based on this information.

When messages are sent to IBM MQ for resource discovery, the MQPMO_SET_IDENTITY_CONTEXT option is used. The credentials used to establish a messaging connection must have authority to assert this.

The connection mode you use for connecting to IBM MQ affects which credentials are used:
  • For a client transport mode connection, the user ID and password from the authentication alias are used by IBM MQ. If an authentication alias is not specified in the IBM MQ server definition, IBM MQ is presented with an empty string for both the user ID and password.
  • For a bindings transport mode connection, the credentials associated with the application server processes are used for authentication by IBM MQ. Therefore service integration instructs the application server processes to switch credentials and use the user ID and password that exist in the relevant IBM MQ server authentication alias. This in turn requires that the application server processes start with sufficient privileges to connect and perform the switch. If an authentication alias is not specified in the IBM MQ server definition, a switch of credentials is not attempted and the original credentials of the application server process are used. [z/OS] For resource discovery the credentials are those of a servant address space in a single server configuration, and those of the deployment manager address space in a network-deployment configuration. For messaging work the credentials are those of the control region adjunct address space.
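As an added example (not IBM's code), a preflight check in Python that applies the rules described above to a server definition before it is saved: truncation of the alias user ID at 12 characters, the RACF upper-case requirement for bindings mode, and which identity IBM MQ is presented with when no alias is set for a role. The MQServerDefinition fields are assumptions made for illustration, not the WebSphere configuration model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MQ_USERID_MAX = 12  # user IDs longer than this are truncated by IBM MQ

# Assumed field names: this models the definition, it is not the WebSphere API.
@dataclass
class MQServerDefinition:
    name: str
    transport: str                              # "client" or "bindings"
    discovery_alias: Optional[Tuple[str, str]]  # (user name, password) or None
    messaging_alias: Optional[Tuple[str, str]]  # (user name, password) or None
    racf_on_zos: bool = False                   # RACF is the z/OS security manager


def effective_user_id(transport: str, alias: Optional[Tuple[str, str]]) -> str:
    """User ID that IBM MQ is presented with, per the connection-mode rules."""
    if alias is None:
        # Client mode sends an empty string; bindings mode keeps the
        # application server process identity (no credential switch).
        return "" if transport == "client" else "<app server process user>"
    return alias[0][:MQ_USERID_MAX]


def check_definition(d: MQServerDefinition) -> List[str]:
    """Return one finding per pitfall described in the topic."""
    findings = []
    for role, alias in (("discovery", d.discovery_alias),
                        ("messaging", d.messaging_alias)):
        if alias is None:
            if d.transport == "client":
                findings.append(f"{role}: no alias, MQ receives empty user ID and password")
            else:
                findings.append(f"{role}: no alias, application server process identity is used")
            continue
        user, password = alias
        if len(user) > MQ_USERID_MAX:
            findings.append(f"{role}: user ID '{user}' truncated to '{user[:MQ_USERID_MAX]}'")
        if d.racf_on_zos and d.transport == "bindings" and (
                user != user.upper() or password != password.upper()):
            findings.append(f"{role}: RACF with bindings mode requires upper-case credentials")
    return findings


if __name__ == "__main__":
    sample = MQServerDefinition("QM1", "bindings", ("discoveryuser01", "secret"), None, True)
    print("\n".join(check_definition(sample)))
```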

Overriding the connection and authentication settings

When you add the IBM MQ server definition to a service integration bus to make it a bus member, you can override the server settings and authentication alias used for messaging with the connection settings and authentication alias used by the bus. This option creates a bus-specific instance of that server and is useful in a multiple-bus configuration. Typically you would do this to differentiate connections from different buses and, potentially, to apply different security settings.


Last updated: July 9, 2016 11:10
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=cjfp0018_
File name: cjfp0018_.html