Enabling SSL for the Real-time nodes

Use optional authentication services between JMS clients and Real-timeInput and Real-timeOptimizedFlow nodes.

In a default configuration, SSL authentication services are disabled.

To configure the product to use the SSL authentication services, complete the following steps:

Configuring the User Name Server

The User Name Server distributes to the brokers passwords that are required to support these authentication protocols.

To configure the User Name Server to support authentication, specify the following two parameters on either the mqsicreateusernameserver or the mqsichangeusernameserver command:

  • AuthProtocolDataSource describes the location of a local file that contains the information that is required to support the authentication protocols.
  • The -j flag indicates whether the file that is pointed to by the AuthProtocolDataSource parameter contains group and group membership information in addition to password information.

Use the -d flag on the mqsichangeusernameserver command to disable this option.

Configuring a broker

Configure a broker to support WebSphere Event Broker authentication services. Specify two authentication and access control parameters and use the workbench to configure the appropriate Real-timeInput nodes and the sets of protocols that are to be supported on the broker.

The following steps show you how to do this.

  1. Switch to the Broker Application Development perspective.
  2. For each message flow in the Message Flow Topology:
    1. Select the Real-timeInput or Real-timeOptimizedFlow node to open the Properties view, or right-click the node and click Properties to open the Properties dialog. The node properties are displayed.
    2. Select Authentication.
  3. For each broker in the Broker Topology:
    1. Select the broker to open the Properties view, or right-click the broker and click Properties to open the Properties dialog. The broker properties are displayed.
    2. Enter the required value in Authentication Protocol Type.

      Choose any combination of the options P, M, S, and R; for example, S, SR, RS, R, PS, SP, PSR, SRM, MRS, and RSMP are all valid combinations of options.

      The order in which you specify the options is significant; the broker chooses the first option that the client supports. If you want the broker always to support the strongest protocol that the client supports, choose RSMP.

    3. If you have chosen S or R as one of the options in Authentication Protocol Type, specify the SSL Key Ring File Name and the SSL Password File Name.
    4. Click OK.
    5. Use the mqsicreatebroker or mqsichangebroker command, with the following two parameters, to configure the broker:
      UserNameServerQueueManagerName (-s)
      This parameter defines the name of the queue manager that is associated with the User Name Server. Specify this parameter if you require authentication services, publish/subscribe access control services, or both.
      Publish/Subscribe Access Control Flag (-j)
      Set this flag in addition to specifying the UserNameServerQueueManagerName parameter if you want to use publish/subscribe access control services.

      Use of the authentication services in the broker is enabled at the IP input node level, not by a parameter on these commands.

Sample password files

Two sample files, password.dat and pwgroup.dat, are supplied with WebSphere Event Broker.

  • pwgroup.dat is a sample file that can be used when you set the -j flag.
  • password.dat is a sample file that can be used in the default case.
The file password.dat has the following layout:
# This is a password file.

# Each line contains two required tokens delimited by
# commas. The first is a user ID, the second is that user's
# password.

#USERNAME PASSWORD
========================
subscriber,subpw
admin,adminpw
publisher,pubpw

This file complements the user and group information that is retrieved by the User Name Server from the operating system. User names that are defined in the file, but are not defined in the operating system, are treated as unknown by the broker domain. User names that are defined in the operating system, but are not defined in the password file, are denied access to the system.

The file pwgroup.dat contains group information in addition to user and password information. Each user entry includes a list of group names that specify the groups that contain the user.

The file pwgroup.dat has the following layout:
#This is a password file.
#Each line contains two or more required tokens delimited by
#commas. The first is a user ID and the second is that user's
#password. All subsequent tokens
#specify the set of groups that the user belongs to.

#USERNAME PASSWORD  GROUPS
subscriber,subpw,group1,group2,group3
admin,adminpw,group2
publisher,pubpw,group2,group4
As mentioned above, this file can be used to provide the only source of user, group, and password information for the broker domain.
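A small validator for the two layouts shown above, added here as an example (it is not part of the product or of this page). It parses comment lines, the ==== ruler and the comma-separated tokens, treats the with_groups flag like -j, and reports the malformed entries (missing password, duplicate user, group tokens in a file loaded without -j) that would otherwise only surface when the User Name Server is restarted. The helper names and the strict rejection of unexpected group tokens are this example's own choices.

```python
"""Validator for the password.dat / pwgroup.dat layout (added example)."""


class PasswordFileError(ValueError):
    """Raised for a line the User Name Server layout does not allow."""


def parse_password_file(text, with_groups=False):
    """Return {user: (password, [groups])} for one file's contents.

    with_groups mirrors the -j flag.  Without it, trailing group tokens are
    rejected so a pwgroup.dat is not silently loaded as a plain password.dat
    (that rejection is this validator's choice, not documented broker behaviour).
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks, '#' comments and the '====' ruler seen in password.dat.
        if not line or line.startswith("#") or set(line) == {"="}:
            continue
        tokens = [t.strip() for t in line.split(",")]
        if len(tokens) < 2 or not tokens[0] or not tokens[1]:
            raise PasswordFileError(f"line {lineno}: expected 'user,password'")
        user, password, groups = tokens[0], tokens[1], tokens[2:]
        if groups and not with_groups:
            raise PasswordFileError(f"line {lineno}: groups present but -j not set")
        if any(not g for g in groups):
            raise PasswordFileError(f"line {lineno}: empty group name")
        if user in entries:
            raise PasswordFileError(f"line {lineno}: duplicate user {user!r}")
        entries[user] = (password, groups)
    return entries


def file_errors(text, with_groups=False):
    """Return the first layout error as a string, or None when the file is clean."""
    try:
        parse_password_file(text, with_groups)
    except PasswordFileError as exc:
        return str(exc)
    return None


def members_of(entries, group):
    """Users whose entry lists the given group (only meaningful with -j)."""
    return sorted(u for u, (_, groups) in entries.items() if group in groups)


# Constructed sample inputs, copied from the layouts shown above.
PASSWORD_DAT = ("# This is a password file.\n#USERNAME PASSWORD\n"
                "========================\nsubscriber,subpw\nadmin,adminpw\npublisher,pubpw \n")
PWGROUP_DAT = ("#USERNAME PASSWORD  GROUPS \nsubscriber,subpw,group1,group2,group3 \n"
               "admin,adminpw,group2 \npublisher,pubpw,group2,group4 \n")
```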

To deploy updated user and password information to the broker network when this information is drawn from a password file, stop the User Name Server and the brokers, update the file, and then restart the User Name Server and the brokers.

If passwords are drawn from the operating system, updates are automatically distributed to the brokers. Use normal operating system management tools to change users or passwords.

Authentication in the JMS client

For client applications that use WebSphere MQ classes for Java™ Message Service Version 5.3 before CSD4, the client application always has an authentication protocol level of PM. The client application and broker negotiate on the choice of protocol for a session. Where the broker supports both protocols (that is, you have set PM or MP in the workbench definition of a broker), the first protocol specified in the workbench is chosen.

For client applications that use WebSphere MQ classes for Java Message Service Version 5.3, CSD10 (plus APAR IC47044) or CSD11 or later, or WebSphere MQ classes for Java Message Service Version 6.0 or later, the client application supports two levels of authentication.

You can configure a TopicConnectionFactory to support either a MQJMS_DIRECTAUTH_BASIC authentication mode or a MQJMS_DIRECTAUTH_CERTIFICATE authentication mode. The MQJMS_DIRECTAUTH_BASIC authentication mode is equivalent to a level of PM, and the MQJMS_DIRECTAUTH_CERTIFICATE authentication mode is equivalent to a level of SR.
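The broker-side choice described in the broker configuration steps (the first option in Authentication Protocol Type that the client supports, so PM and MP differ and RSMP prefers the strongest) together with the client levels PM and SR from this section, as an added Python example that is not part of the original page. The option letters, client modes and levels are the page's; the helper names are assumptions.

```python
"""Negotiation of the session protocol from a broker's Authentication
Protocol Type string and a JMS client's level (added example)."""

VALID_OPTIONS = set("PMSR")

# Client levels from the "Authentication in the JMS client" section.
CLIENT_LEVELS = {
    "5.3 before CSD4": "PM",
    "MQJMS_DIRECTAUTH_BASIC": "PM",
    "MQJMS_DIRECTAUTH_CERTIFICATE": "SR",
}


def validate_protocol_type(order):
    """Check a broker Authentication Protocol Type value such as 'RSMP'."""
    if not order:
        raise ValueError("empty Authentication Protocol Type")
    bad = [c for c in order if c not in VALID_OPTIONS]
    if bad:
        raise ValueError(f"unknown option(s) {bad}; only P, M, S, R are allowed")
    if len(set(order)) != len(order):
        raise ValueError(f"repeated option in {order!r}")
    return order


def negotiate(broker_order, client_level):
    """Return the protocol chosen for the session, or None when none is shared.

    The broker walks its configured order and takes the first option the
    client supports, which is why 'PM' and 'MP' give different answers for a
    client whose level is PM.
    """
    validate_protocol_type(broker_order)
    supported = set(client_level)
    for option in broker_order:
        if option in supported:
            return option
    return None


def needs_ssl_files(broker_order):
    """S or R in the value means SSL Key Ring File Name and SSL Password File
    Name must also be specified on the broker."""
    return bool(set(validate_protocol_type(broker_order)) & {"S", "R"})
```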

If you have successfully configured authentication services for a Real-timeInput node, a JMS client application must specify its credentials when creating a connection. To make a connection for this configuration, the JMS client application supplies a user ID and password combination to the TopicConnectionFactory.createTopicConnection method; for example:
factory.createTopicConnection("user1", "user1pw");

If the application does not specify these credentials, or specifies them incorrectly, it receives a JMS wrapped exception containing the MQJMS error text.

Copyright IBM Corporation 1999, 2009. All Rights Reserved.
Last updated : 2009-01-07 15:41:00