Client authentication on a service integration bus
When a client application attempts to connect to a messaging engine on a secure service integration bus, the client application provides credentials to the server that are checked against the user registry.
Client authentication is one security mechanism for protecting the bus from unauthorized access, alongside authorization and transport encryption. Client authentication is effective only when administrative security is enabled on WebSphere® Application Server and messaging security is enabled on the bus.
The credentials can take either of the following forms:
- User ID and password
- X509 certificate
WebSphere Application Server Version 6 supports different types of user registry, including federated repositories.
WebSphere Application Server Version 7.0 or later can use the user registry from the administrative domain, or the bus or cell domains.
The bus security administrator checks that the credentials for the connecting client are valid in the user registry for the cell hosting the bus. If the server is enabled to allow a JMS client application to use Secure Sockets Layer (SSL) client authentication, a stand-alone Lightweight Directory Access Protocol (LDAP) user registry is required.
When application code in an EJB or web container invokes the JMS client, and accesses it as a J2EE Connector Architecture (JCA) resource, authentication is determined by whether the application code has been configured to allow container-managed or application-managed sign-on to resources. For further details, see Java EE connector security.
If an application fails to authenticate, a JMSSecurityException is thrown.
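The following is an added example, not code from the original page or from the product: a JMS 1.1 client that uses application-managed sign-on with a user ID and password and handles a rejected sign-on separately from other connection failures. The class name, the JNDI name `jms/ExampleBusCF`, and the environment variable names are hypothetical.

```java
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import javax.jms.JMSSecurityException;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class BusAuthCheck {
    // Hypothetical JNDI name; replace with the name of your own JMS connection factory.
    private static final String CF_JNDI_NAME = "jms/ExampleBusCF";

    enum Outcome { CONNECTED, AUTHENTICATION_FAILED, OTHER_FAILURE }

    static Outcome tryConnect(ConnectionFactory cf, String userId, String password) {
        Connection connection = null;
        try {
            // Application-managed sign-on: the code supplies the credentials itself.
            // With container-managed sign-on the code calls cf.createConnection() instead.
            connection = cf.createConnection(userId, password);
            return Outcome.CONNECTED;
        } catch (JMSSecurityException e) {
            // Credentials were rejected. Log the user ID, never the password, and do not
            // retry in a loop: the registry may enforce an account lockout policy.
            System.err.println("Bus authentication failed for user '" + userId
                    + "' (error code " + e.getErrorCode() + ")");
            return Outcome.AUTHENTICATION_FAILED;
        } catch (JMSException e) {
            // Must follow the JMSSecurityException clause, which is a subclass.
            System.err.println("Connection failed for another reason: " + e.getMessage());
            return Outcome.OTHER_FAILURE;
        } finally {
            if (connection != null) {
                try { connection.close(); } catch (JMSException ignored) { }
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        ConnectionFactory cf = (ConnectionFactory) new InitialContext().lookup(CF_JNDI_NAME);
        // Credentials come from the environment (hypothetical variable names), not source code.
        Outcome outcome = tryConnect(cf, System.getenv("BUS_USER"), System.getenv("BUS_PASSWORD"));
        System.out.println("Outcome: " + outcome);
    }
}
```

Counting `AUTHENTICATION_FAILED` outcomes per user ID in the client's logs gives operations staff a simple signal for misconfigured credentials or password-guessing attempts against the bus.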