You can use optional authentication services between JMS clients and Real-timeInput and Real-timeOptimizedFlow nodes.
In a default configuration, SSL authentication services are disabled.
To configure the product to use the SSL authentication services, complete the following steps:
The User Name Server distributes to the brokers the passwords that these authentication protocols require.
To configure the User Name Server to support authentication, specify the following two parameters on either the mqsicreateusernameserver or the mqsichangeusernameserver command:
Use the -d flag on the mqsichangeusernameserver command to disable this option.
Configure a broker to support WebSphere Message Broker authentication services. Specify two authentication and access control parameters and use the workbench to configure the appropriate Real-timeInput nodes and the sets of protocols that are to be supported on the broker.
The following steps show you how to do this.
Two sample files, password.dat and pwgroup.dat, are supplied with WebSphere Message Broker.
# This is a password file.
# Each line contains two required tokens delimited by
# commas. The first is a user ID, the second is that user's
# password.
#USERNAME PASSWORD
#========================
subscriber,subpw
admin,adminpw
publisher,pubpw
This file complements the user and group information that is retrieved by the User Name Server from the operating system. User names that are defined in the file, but are not defined in the operating system, are treated as unknown by the broker domain. User names that are defined in the operating system, but are not defined in the password file, are denied access to the system.
The file pwgroup.dat contains group information in addition to user and password information. Each user entry includes a list of group names that specify the groups that contain the user.
#This is a password file.
#Each line contains two or more required tokens delimited by
#commas. The first is a user ID and the second is that user's
#password. All subsequent tokens
#specify the set of groups that the user belongs to.
#USERNAME PASSWORD GROUPS
subscriber,subpw,group1,group2,group3
admin,adminpw,group2
publisher,pubpw,group2,group4

As mentioned above, this file can be used to provide the only source of user, group, and password information for the broker domain.
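The following parser is an added example and is not code shipped with WebSphere Message Broker. It reads the comma-delimited layout shared by password.dat and pwgroup.dat (comment lines start with "#", token 1 is the user ID, token 2 is the password, any further tokens are group names), rejects malformed entries, and applies the combination rule stated earlier for the case where the file complements operating-system users: a user defined only in the file is treated as unknown, and a user defined only in the operating system is denied. The sample file content and the set of operating-system user IDs are constructed for this example; how a user present in neither source is reported is not stated on this page and is an assumption here.

```python
"""Parser and access check for the password.dat / pwgroup.dat layout.

Added example, not WebSphere Message Broker code. It models the file rules
stated on this page: '#' lines are comments, entries are comma-delimited,
token 1 is the user ID, token 2 is the password, further tokens are groups.
"""
from dataclasses import dataclass, field


@dataclass
class UserEntry:
    password: str
    groups: list = field(default_factory=list)


def parse_password_file(text):
    """Return {user_id: UserEntry}; raise ValueError on a malformed line."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        tokens = [t.strip() for t in line.split(",")]
        if len(tokens) < 2 or not tokens[0] or not tokens[1]:
            raise ValueError(f"line {lineno}: expected 'user,password[,group...]'")
        if tokens[0] in users:
            raise ValueError(f"line {lineno}: duplicate user {tokens[0]!r}")
        users[tokens[0]] = UserEntry(password=tokens[1], groups=tokens[2:])
    return users


def access_decision(user_id, file_users, os_users):
    """Combination rule from this page for a file that complements OS users.

    in file and in OS      -> 'allowed'
    in file, not in OS     -> 'unknown'
    in OS, not in file     -> 'denied'
    in neither             -> 'unknown' (assumption; the page does not say)
    """
    in_file = user_id in file_users
    in_os = user_id in os_users
    if in_file and in_os:
        return "allowed"
    if in_os:
        return "denied"
    return "unknown"


# Constructed sample in the pwgroup.dat layout. Group tokens are optional,
# so the same parser also reads a plain password.dat.
SAMPLE_PWGROUP = """\
#USERNAME PASSWORD GROUPS
subscriber,subpw,group1,group2,group3
admin,adminpw,group2
publisher,pubpw,group2,group4
"""

# Constructed set of operating-system user IDs, used only for this example.
SAMPLE_OS_USERS = {"subscriber", "admin", "operator"}

if __name__ == "__main__":
    users = parse_password_file(SAMPLE_PWGROUP)
    for uid in sorted(users):
        print(uid, users[uid].groups, access_decision(uid, users, SAMPLE_OS_USERS))
    # 'operator' exists in the OS but not in the file, so it is denied.
    print("operator", access_decision("operator", users, SAMPLE_OS_USERS))
```

Running the block against the constructed data reports admin and subscriber as allowed, publisher (file only) as unknown, and operator (operating system only) as denied, which is the mismatch a practitioner should expect when the file and the operating-system user list drift apart.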
If the user and password information is drawn from an operating system file, deploy updates to the broker network by stopping the User Name Server and the brokers, updating the file, and then restarting the User Name Server and the brokers.
If passwords are drawn from the operating system, updates are automatically distributed to the brokers. Use normal operating system management tools to change users or passwords.
For client applications that use WebSphere MQ classes for Java™ Message Service Version 5.3 before CSD4, the client application always has an authentication protocol level of PM. The client application and broker negotiate on the choice of protocol for a session. Where the broker supports both protocols (that is, you have set PM or MP in the workbench definition of a broker), the first protocol specified in the workbench is chosen.
For client applications that use WebSphere MQ classes for Java Message Service Version 5.3, CSD10 (plus APAR IC47044) or CSD11 or later, or WebSphere MQ classes for Java Message Service Version 6.0 or later, the client application supports two levels of authentication.
You can configure a TopicConnectionFactory to support either an MQJMS_DIRECTAUTH_BASIC authentication mode or an MQJMS_DIRECTAUTH_CERTIFICATE authentication mode. The MQJMS_DIRECTAUTH_BASIC authentication mode is equivalent to a level of PM, and the MQJMS_DIRECTAUTH_CERTIFICATE authentication mode is equivalent to a level of SR.
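The following is an added model of the negotiation rule described in the preceding paragraphs; it is not WebSphere Message Broker code. It assumes, as the page's "PM" and "SR" notation suggests, that a protocol level is written as a string of single-letter protocol codes in the order set in the workbench, and that a client offers the protocols of its level. The broker's list is walked in workbench order so that the first protocol the broker lists is chosen when both sides support more than one, and the case where a certificate-mode client meets a password-only broker ends with no common protocol rather than a silent fallback.

```python
"""Model of the client/broker protocol negotiation described on this page.

Added example, not WebSphere Message Broker code. Assumption: a level such
as 'PM' or 'SR' is a string of protocol codes in broker preference order.
"""

# Protocol levels offered by each kind of client, as stated on the page.
CLIENT_LEVELS = {
    "pre-CSD4": "PM",                      # MQ JMS 5.3 before CSD4: always PM
    "MQJMS_DIRECTAUTH_BASIC": "PM",        # equivalent to a level of PM
    "MQJMS_DIRECTAUTH_CERTIFICATE": "SR",  # equivalent to a level of SR
}


def negotiate_protocol(broker_level, client_level):
    """Return the protocol code chosen for the session, or None when the
    broker's Real-timeInput node and the client share no protocol.

    The broker's codes are examined in workbench order, so when both sides
    support several protocols the first one the broker lists is chosen.
    """
    client_supported = set(client_level)
    for code in broker_level:
        if code in client_supported:
            return code
    return None


def negotiate_for_client(broker_level, client_kind):
    """Negotiate for one of the client kinds listed in CLIENT_LEVELS."""
    return negotiate_protocol(broker_level, CLIENT_LEVELS[client_kind])


if __name__ == "__main__":
    for broker_level in ("PM", "MP", "SR", "P"):
        for kind in CLIENT_LEVELS:
            print(broker_level, kind, negotiate_for_client(broker_level, kind))
```

A None result is the case to watch for in operations: the session cannot be authenticated, and the client sees it as a connection failure rather than a downgraded protocol.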
// Pass the user ID and password that the broker validates through the User Name Server
TopicConnection connection = factory.createTopicConnection("user1", "user1pw");
If the application does not specify these credentials, or specifies them incorrectly, it receives a JMS wrapped exception containing the MQJMS error text.