WebSphere Message Broker authentication services provide an optional facility that is supported between JMS clients and Real-timeInput nodes of WebSphere Message Broker.
In a default configuration, authentication services are disabled.
To configure the product to use the authentication services, complete the following steps.
The User Name Server distributes to the brokers the information (specifically, passwords) that is required to support these authentication protocols.
To configure the User Name Server to support authentication, two parameters are provided for the mqsicreateusernameserver and mqsichangeusernameserver commands.
The first parameter, AuthProtocolDataSource, describes the location of an operating system file that contains the information that is required to support the authentication protocols.
The second parameter, the -j flag, indicates whether the file pointed to by the AuthProtocolDataSource parameter contains group and group membership information as well as password information.
The mqsichangeusernameserver command also supports a -d flag to disable the option.
Configure a broker to support WebSphere Message Broker authentication services. You need to specify two authentication and access control parameters and use the workbench to configure the appropriate Real-timeInput nodes and the sets of protocols that are to be supported on the broker.
The following steps show you how to do this.
Two sample files, named password.dat and pwgroup.dat, are shipped with WebSphere Message Broker.
pwgroup.dat is a sample file that can be used when you set the -j flag.
password.dat is a sample file that can be used in the default case.
```
# This is a password file.
# Each line contains two required tokens delimited by
# commas. The first is a user ID, the second is that user's
# password.
#USERNAME PASSWORD
========================
subscriber,subpw
admin,adminpw
publisher,pubpw
```
This file complements the user and group information drawn by the User Name Server from the operating system. User names that are defined in the file, but not the operating system, are treated as unknown by the broker domain. User names that are defined in the operating system, but are not defined in the password file, are denied access to the system.
pwgroup.dat contains group information as well as user and password information. Each user entry includes a list of group names that specify the groups that contain the user.
```
#This is a password file.
#Each line contains two or more required tokens delimited by
#commas. The first is a user ID and the second is that user's
#password. All subsequent tokens
#specify the set of groups that the user belongs to.
#USERNAME PASSWORD GROUPS
subscriber,subpw,group1,group2,group3
admin,adminpw,group2
publisher,pubpw,group2,group4
```
As mentioned above, this file can be used to provide the only source of user, group, and password information for the broker domain.
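The two file layouts above, worked through in an added Python example that is not IBM's code and not the User Name Server's own parser. It reads both layouts, applies the token rule that the -j flag changes (exactly two tokens without it, two or more with it), answers group-membership questions for the pwgroup.dat layout, and applies the page's rule for the default case about users that appear in only one of the file or the operating system. The sample file contents are the ones shown on the page; the treatment of a user that appears in neither source is an assumption, marked in the code.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One line of the file: user ID, password and (pwgroup.dat only) groups."""
    user: str
    password: str
    groups: tuple = ()


def parse_password_file(text, groups_enabled=False):
    """Parse password.dat (groups_enabled=False) or pwgroup.dat (True).

    groups_enabled models the -j flag: with it, each line carries
    user,password[,group...]; without it, exactly user,password.
    Lines starting with '#' and the '=====' separator line are skipped.
    Malformed lines raise ValueError so a bad file is caught before the
    User Name Server is restarted with it.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or set(line) == {"="}:
            continue
        tokens = [t.strip() for t in line.split(",")]
        if "" in tokens:
            raise ValueError(f"line {lineno}: empty token")
        if groups_enabled and len(tokens) < 2:
            raise ValueError(f"line {lineno}: expected user,password[,group...]")
        if not groups_enabled and len(tokens) != 2:
            raise ValueError(f"line {lineno}: expected exactly user,password")
        user, password, groups = tokens[0], tokens[1], tuple(tokens[2:])
        if user in entries:
            raise ValueError(f"line {lineno}: duplicate user {user!r}")
        entries[user] = Entry(user, password, groups)
    return entries


def members_of(group, entries):
    """Users whose group list names `group` (pwgroup.dat layout)."""
    return {e.user for e in entries.values() if group in e.groups}


def check_password(entries, user, password):
    """True only if the user is in the file and the password matches.
    hmac.compare_digest avoids a timing side channel on the comparison."""
    entry = entries.get(user)
    if entry is None:
        return False
    return hmac.compare_digest(entry.password.encode(), password.encode())


def classify_user(user, entries, os_users):
    """Apply the page's rule for the default (no -j) configuration, where the
    file complements the operating system's user information."""
    in_file, in_os = user in entries, user in os_users
    if in_file and in_os:
        return "known"
    if in_file:
        return "unknown"   # defined in the file but not the OS
    if in_os:
        return "denied"    # defined in the OS but not in the file
    return "unknown"       # assumption: in neither source (page does not say)


# Sample files reproduced from the page's shipped password.dat and pwgroup.dat.
PASSWORD_DAT = """\
# This is a password file.
# Each line contains two required tokens delimited by
# commas. The first is a user ID, the second is that user's
# password.
#USERNAME PASSWORD
========================
subscriber,subpw
admin,adminpw
publisher,pubpw
"""

PWGROUP_DAT = """\
#This is a password file.
#Each line contains two or more required tokens delimited by
#commas. The first is a user ID and the second is that user's
#password. All subsequent tokens
#specify the set of groups that the user belongs to.
#USERNAME PASSWORD GROUPS
subscriber,subpw,group1,group2,group3
admin,adminpw,group2
publisher,pubpw,group2,group4
"""

if __name__ == "__main__":
    users = parse_password_file(PASSWORD_DAT)
    groups = parse_password_file(PWGROUP_DAT, groups_enabled=True)
    print(sorted(users), sorted(members_of("group2", groups)))
    print(classify_user("publisher", users, {"subscriber", "admin"}))
```

Running the parser over pwgroup.dat without groups_enabled raises, which is the same mismatch you get if the User Name Server is pointed at a group-bearing file without the -j flag; checking the file this way before the stop/update/restart cycle described below saves a restart.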
To deploy updated user and password information to the broker network if this information is drawn from an operating system file, stop the User Name Server and brokers, update the file, and then restart the User Name Server and brokers.
If passwords are drawn from the operating system, updates are automatically distributed to the brokers. Use normal operating system management tools to change users or passwords.
For client applications that use WebSphere MQ classes for Java Message Service Version 5.3 before CSD4, the client application always has an authentication protocol level of PM. The client application and broker negotiate on the choice of protocol for a session. Where the broker supports both protocols (that is, you have set PM or MP in the workbench definition of a broker), the first protocol specified in the workbench is chosen.
For client applications that use WebSphere MQ classes for Java Message Service Version 5.3, CSD 5 or later, the client application supports two levels of authentication.
A TopicConnectionFactory can be configured to support either a MQJMS_DIRECTAUTH_BASIC authentication mode or a MQJMS_DIRECTAUTH_CERTIFICATE authentication mode. The MQJMS_DIRECTAUTH_BASIC authentication mode is equivalent to a level of PM and the MQJMS_DIRECTAUTH_CERTIFICATE authentication mode is equivalent to a level of SR.
```java
// Pass the user ID and password for MQJMS_DIRECTAUTH_BASIC (level PM) when creating the connection
factory.createTopicConnection("user1", "user1pw");
```
If credentials are not specified, or are specified incorrectly, the application receives a JMS wrapped exception containing the MQJMS error text.