WebSphere Message Brokers
File: aq13230_
Writer: Terry Cowling

Task topic

This build: July 31, 2007 21:35:32

Using authentication for real-time connections

WebSphere Message Broker authentication services are an optional facility that operates between JMS clients and the Real-timeInput nodes of a WebSphere Message Broker.

In a default configuration, authentication services are disabled.

To configure the product to use the authentication services, complete the following steps.

Configuring the User Name Server

The User Name Server distributes to the brokers the information (specifically, user IDs, passwords and, optionally, group membership) that is required to support these authentication protocols.

To configure the User Name Server to support authentication, two parameters are provided for the mqsicreateusernameserver and mqsichangeusernameserver commands.

The first parameter, AuthProtocolDataSource, gives the location of an operating system file that contains the information that is required to support the authentication protocols.

The second parameter, the -j flag, indicates whether the file that the AuthProtocolDataSource parameter points to contains group and group membership information as well as password information.

The mqsichangeusernameserver command also supports a -d flag to disable the option.

Configuring a broker

Configure a broker to support WebSphere Message Broker authentication services. You need to specify two authentication and access control parameters on the broker, and use the workbench to configure the appropriate Real-timeInput nodes and the sets of protocols that are to be supported on the broker.

The rest of this topic describes the password files that the User Name Server reads and the credentials that a JMS client must supply.

Sample password files

Two sample files, named password.dat and pwgroup.dat, are shipped with WebSphere Message Broker.

pwgroup.dat is a sample file that can be used when you set the -j flag.

password.dat is a sample file that can be used in the default case.

password.dat has the following layout:
# This is a password file.

# Each line contains two required tokens delimited by
# commas. The first is a user ID, the second is that user's
# password.

#USERNAME PASSWORD
========================
subscriber,subpw
admin,adminpw
publisher,pubpw 
In the default case (no -j flag) this file complements the user and group information that the User Name Server draws from the operating system. A user name that is defined in the file but not in the operating system is treated as unknown by the broker domain. A user name that is defined in the operating system but not in the password file is denied access. Only a user that appears in both, and presents the password recorded in the file, is authenticated. Passwords are held in this file in clear text, so restrict read access to the file with operating system permissions to the user ID under which the User Name Server runs.

pwgroup.dat contains group information as well as user and password information. Each user entry includes a list of group names that specify the groups that contain the user.

pwgroup.dat has the following layout:
#This is a password file.
#Each line contains two or more required tokens delimited by
#commas. The first is a user ID and the second is that user's
#password. All subsequent tokens
#specify the set of groups that the user belongs to.

#USERNAME PASSWORD  GROUPS
subscriber,subpw,group1,group2,group3
admin,adminpw,group2
publisher,pubpw,group2,group4
When the User Name Server is started with the -j flag, this file is the only source of user, group, and password information for the broker domain; the operating system is not consulted.

To deploy updated user and password information to the broker network if this information is drawn from an operating system file, stop the User Name Server and brokers, update the file, and then restart the User Name Server and brokers.

If passwords are drawn from the operating system, updates are automatically distributed to the brokers. Use normal operating system management tools to change users or passwords.
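The lookup rules above (the file complements the operating system in the default case, and is the sole source of users and groups with -j) as an added example; this is not IBM code and not part of the product. The class reads either layout shown above and returns the authentication outcome. The class name, method names, the Result values and the sample operating system user list are this example's own; treating a line with no comma (the "====" separator in the shipped sample) as non-data is an assumption.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not IBM code: parses an AuthProtocolDataSource file in the
 * password.dat / pwgroup.dat layout and applies the lookup rules the topic describes.
 */
public class AuthProtocolDataSource {

    /** One line of the file: user ID, password and (pwgroup.dat only) group names. */
    public static final class Entry {
        public final String user;
        public final String password;
        public final Set<String> groups;
        Entry(String user, String password, Set<String> groups) {
            this.user = user;
            this.password = password;
            this.groups = Collections.unmodifiableSet(groups);
        }
    }

    /** Outcome names are this example's own, not broker diagnostics. */
    public enum Result { OK, UNKNOWN_USER, DENIED, BAD_PASSWORD }

    private final Map<String, Entry> entries = new LinkedHashMap<>();
    private final boolean groupsInFile;   // true when the User Name Server runs with -j

    private AuthProtocolDataSource(boolean groupsInFile) { this.groupsInFile = groupsInFile; }

    /**
     * Reads the file text. Lines beginning with '#' are comments and blank lines are
     * skipped. A line with no comma is treated as non-data (assumption: this covers the
     * "====" separator line in the shipped sample). Duplicate user IDs are rejected.
     */
    public static AuthProtocolDataSource parse(String text, boolean jFlag) throws IOException {
        AuthProtocolDataSource ds = new AuthProtocolDataSource(jFlag);
        BufferedReader in = new BufferedReader(new StringReader(text));
        String line;
        int lineNo = 0;
        while ((line = in.readLine()) != null) {
            lineNo++;
            String s = line.trim();
            if (s.isEmpty() || s.startsWith("#") || s.indexOf(',') < 0) continue;
            String[] tok = s.split(",");              // user, password, then group names
            if (tok.length < 2) throw new IOException("line " + lineNo + ": too few tokens");
            Set<String> groups = new LinkedHashSet<>();
            for (int i = 2; i < tok.length; i++) {
                String g = tok[i].trim();
                if (!g.isEmpty()) groups.add(g);
            }
            String user = tok[0].trim();
            if (ds.entries.put(user, new Entry(user, tok[1].trim(), groups)) != null) {
                throw new IOException("line " + lineNo + ": duplicate user " + user);
            }
        }
        return ds;
    }

    /**
     * Authentication decision. osUsers is the set of user IDs the operating system knows.
     * Default case: a name in the file but not the OS is unknown, a name in the OS but
     * not the file is denied. With -j the file is the sole source and osUsers is ignored.
     */
    public Result authenticate(String user, String password, Set<String> osUsers) {
        Entry e = entries.get(user);
        if (groupsInFile) {
            if (e == null) return Result.UNKNOWN_USER;
        } else {
            if (!osUsers.contains(user)) return Result.UNKNOWN_USER;
            if (e == null) return Result.DENIED;
        }
        // Constant-time comparison: the file holds clear-text passwords, so do not let
        // a mismatch leak how many leading characters were correct.
        boolean match = MessageDigest.isEqual(
                e.password.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
        return match ? Result.OK : Result.BAD_PASSWORD;
    }

    /** Groups come from the file with -j; otherwise from the OS (osGroups models that). */
    public Set<String> groupsOf(String user, Map<String, Set<String>> osGroups) {
        if (groupsInFile) {
            Entry e = entries.get(user);
            return e == null ? Collections.<String>emptySet() : e.groups;
        }
        Set<String> g = osGroups.get(user);
        return g == null ? Collections.<String>emptySet() : g;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input in the pwgroup.dat layout (same entries as the shipped sample).
        String pwgroup = "#USERNAME PASSWORD GROUPS\n"
                + "subscriber,subpw,group1,group2,group3\n"
                + "admin,adminpw,group2\n"
                + "publisher,pubpw,group2,group4\n";
        AuthProtocolDataSource withJ = parse(pwgroup, true);
        System.out.println(withJ.authenticate("publisher", "pubpw", Collections.<String>emptySet()));
        System.out.println(withJ.groupsOf("publisher", Collections.<String, Set<String>>emptyMap()));

        // Default case: password.dat layout plus a constructed operating system user list.
        String password = "#USERNAME PASSWORD\n========================\n"
                + "subscriber,subpw\nadmin,adminpw\npublisher,pubpw\n";
        AuthProtocolDataSource noJ = parse(password, false);
        Set<String> osUsers = new LinkedHashSet<>(Arrays.asList("admin", "publisher", "operator"));
        System.out.println(noJ.authenticate("admin", "adminpw", osUsers));     // in both sources
        System.out.println(noJ.authenticate("subscriber", "subpw", osUsers));  // in file, not in OS
        System.out.println(noJ.authenticate("operator", "x", osUsers));        // in OS, not in file
        System.out.println(noJ.authenticate("publisher", "wrong", osUsers));   // wrong password
    }
}
```

The two parse calls show the effect of the -j flag on the same entries: with the flag, the operating system user list passed to authenticate is never consulted; without it, subscriber (absent from the OS) and operator (absent from the file) fail for different reasons, which is the distinction the topic draws.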

Authentication in the JMS client

For client applications that use WebSphere MQ classes for Java Message Service Version 5.3 before CSD4, the client application always has an authentication protocol level of PM. The client application and broker negotiate the protocol for a session. Where the broker supports both protocols (that is, you have set PM or MP in the workbench definition of the broker), the first protocol specified in the workbench is chosen.

For client applications that use WebSphere MQ classes for Java Message Service Version 5.3, CSD 5 or later, the client application supports two levels of authentication.

A TopicConnectionFactory can be configured to support either a MQJMS_DIRECTAUTH_BASIC authentication mode or a MQJMS_DIRECTAUTH_CERTIFICATE authentication mode. The MQJMS_DIRECTAUTH_BASIC authentication mode is equivalent to a level of PM and the MQJMS_DIRECTAUTH_CERTIFICATE authentication mode is equivalent to a level of SR.

If authentication services have been successfully configured for a Real-timeInput node, a JMS client application must specify its credentials when creating a connection. To do this, the JMS client application supplies a user ID and password to the TopicConnectionFactory.createTopicConnection method; for example:
factory.createTopicConnection("user1", "user1pw");

If credentials are not specified, or are specified incorrectly, the application receives a JMS wrapped exception containing the MQJMS error text.
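The connection sequence described above as an added example; this is not code from the IBM topic or from WebSphere MQ. The client builds a direct-connection TopicConnectionFactory, selects the basic (PM-level) authentication mode, supplies credentials on createTopicConnection and reports a rejected logon through the wrapped exception. The host name broker.example.com, port 1506, the topic name and the user ID and password are placeholders; the class and method names are this example's own.

```java
import javax.jms.JMSException;
import javax.jms.Session;
import javax.jms.TopicConnection;
import javax.jms.TopicPublisher;
import javax.jms.TopicSession;
import com.ibm.mq.jms.JMSC;
import com.ibm.mq.jms.MQTopicConnectionFactory;

/**
 * Added example, not IBM code: JMS client that authenticates to a Real-timeInput node.
 * Requires WebSphere MQ classes for JMS Version 5.3 CSD5 or later for setDirectAuth.
 */
public class RealTimeAuthClient {

    /** Builds a factory for a direct (real-time) connection to the broker's Real-timeInput node. */
    static MQTopicConnectionFactory directFactory(String host, int port, boolean certificate)
            throws JMSException {
        MQTopicConnectionFactory factory = new MQTopicConnectionFactory();
        factory.setTransportType(JMSC.MQJMS_TP_DIRECT_TCPIP); // real-time transport, no queue manager
        factory.setHostName(host);                            // placeholder host
        factory.setPort(port);                                // placeholder port
        // BASIC is equivalent to protocol level PM, CERTIFICATE to level SR.
        factory.setDirectAuth(certificate ? JMSC.MQJMS_DIRECTAUTH_CERTIFICATE
                                          : JMSC.MQJMS_DIRECTAUTH_BASIC);
        return factory;
    }

    public static void main(String[] args) {
        // Credentials come from the command line so they are not compiled into the class.
        String user = args.length > 0 ? args[0] : "user1";
        String password = args.length > 1 ? args[1] : "user1pw";
        TopicConnection connection = null;
        try {
            MQTopicConnectionFactory factory = directFactory("broker.example.com", 1506, false);
            // Credentials are given per connection, so one factory can serve several identities.
            connection = factory.createTopicConnection(user, password);
            connection.start();
            TopicSession session = connection.createTopicSession(false, Session.AUTO_ACKNOWLEDGE);
            TopicPublisher publisher = session.createPublisher(session.createTopic("example/topic"));
            publisher.publish(session.createTextMessage("hello from " + user));
            System.out.println("authenticated as " + user);
        } catch (JMSException e) {
            // Missing or wrong credentials arrive as a JMSException wrapping the MQJMS error.
            System.err.println("connection failed: " + e.getMessage());
            Exception linked = e.getLinkedException();
            if (linked != null) {
                System.err.println("  linked exception: " + linked);
            }
        } finally {
            if (connection != null) {
                try { connection.close(); } catch (JMSException ignored) { }
            }
        }
    }
}
```

Run it as `java RealTimeAuthClient user1 user1pw` against a broker whose Real-timeInput node has authentication enabled; with an unknown user ID or wrong password the catch block prints the JMSException text and the linked MQJMS exception, which is the failure the paragraph above describes. Passing `true` to directFactory selects the certificate mode (level SR) instead.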

Related concepts
Authentication services

Copyright IBM Corporation 1999, 2007. All Rights Reserved.