| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| JMSOutput - different CF's |
« View previous topic :: View next topic » |
| Author |
Message
|
| agulowaty |
 Posted: Wed Aug 21, 2013 5:57 am Post subject: JMSOutput - different CF's |
 |
|
Newbie
Joined: 21 Aug 2013
Posts: 8
|
Hi,
I'm trying to configure JMSOutput node in my message flow. The external interface requirement is that Destination lookup should be done via file-based com.sun.jndi.fscontext.RefFSContextFactory, but connection factory used to create JMS session is stored on LDAP (and obtained via: com.sun.jndi.ldap.LdapCtxFactory).
Could you suggest how to configure two different factories for JMSOutput node?
Best regards. |
|
| Back to top |
|
 |
| lancelotlinc |
| Posted: Wed Aug 21, 2013 6:03 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
Do your own work. Learn to use Google. Take the training class.
http://publib.boulder.ibm.com/infocenter/wmbhelp/v8r0m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fac28605_.htm
| Quote: |
Securing JMS connections and JNDI lookups
If you want additional security for JMS connectivity and the JMS nodes or SOAP nodes using JMS transport, two configuration options are supported.
When you include JMS nodes in your message flow, you can optionally secure JMS connection resources. You can secure one, both, or neither of these options, depending on the level of security and access that you want to enforce.
To secure a JMS connection:
Specify the Connection Factory Name property on the node. You must set this property for every node using JMS transport.
Use the mqsisetdbparms command to authorize the user ID and password for the specified connection factory. For example:
mqsisetdbparms MyBroker1 -n jms::tcf1 -u myuserid -p secret
where tcf1 is the name of the connection factory that matches the node property that you set.
To secure JNDI bindings lookups:
Specify the Initial Context Factory property on the node. You must set this property for every node using JMS transport.
Use the mqsisetdbparms command to authorize the user ID and password for the specified context factory. For example:
mqsisetdbparms MyBroker1 -n jndi::com.sun.jndi.fscontext.RefFSContextFactory
-u myuserid -p secret
where com.sun.jndi.fscontext.RefFSContextFactory is the name of the initial context factory that you set. |
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
| Back to top |
|
|
| agulowaty |
| Posted: Wed Aug 21, 2013 6:24 am Post subject: |
|
|
Newbie
Joined: 21 Aug 2013
Posts: 8
|
Thank you for reply, but this question roughly concernes security.
Maybe I was a little bit unclear - I need to configure JMSNode to use two different context factories - one to lookup Destination, second one to lookup Connection Factory for session object. While it can be easily accomplished from standalone app (using JMS API), i cannot find any solution to get it work in WMB. |
|
| Back to top |
|
|
| lancelotlinc |
| Posted: Wed Aug 21, 2013 6:26 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
| agulowaty wrote: |
Thank you for reply, but this question roughly concernes security.
Maybe I was a little bit unclear - I need to configure JMSNode to use two different context factories - one to lookup Destination, second one to lookup Connection Factory for session object. While it can be easily accomplished from standalone app (using JMS API), i cannot find any solution to get it work in WMB. |
TWO CONFIGURATION OPTIONS ARE SUPPORTED.
You can secure one, both, or neither of these options, depending on the level of security and access that you want to enforce.
You can follow either of these two options. No more, no less.
WMB is not a WAS server, or MDB application container. You need to think differently in order to be successful with WMB. If you want to write Message Driven Bean functions, deploy on WAS not WMB. WMB is a high-speed transformation engine. Its mainly used as an Enterprise Service Bus. It is not a silver bullet, one size fits all requirements type of infrastructure. You might consider the SecurityPEP node or other LDAP lookup capability from other nodes before you get to your JMSOutput node.
http://publib.boulder.ibm.com/infocenter/wmbhelp/v8r0m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fbp28160_.htm
| Quote: |
The following steps explain the sequence of events that occur when a message arrives at an input node that is not security enabled (or that has no associated security profile).
...
When the message reaches an output node, a security profile associated with the node can indicate whether an identity is to be taken from the Properties folder and propagated when the message is sent. Only specific transport nodes can propagate tokens that are the default for the transport; any other token type must be handled by a compute node, as described above. |
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
Last edited by lancelotlinc on Wed Aug 21, 2013 7:10 am; edited 1 time in total |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Aug 21, 2013 7:09 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
I'm confused.
Aren't you just asking if you can set different values for the InitalContextFactory and the ConnectionFactory?
That really sounds like what you're asking.
There's no reason you should be having any trouble at all if that is what you are asking.
There are two separate properties, one for the InitialContextFactory and one for the ConnectionFactory. Why would that not allow you to set them to different values?
If you are asking something else, then I don't understand at all what you are asking.
Can you please be more clear?
Particularly, you say "it can be easily accomplished from standalone app"... so show the code that would accomplish this in a standalone app.
And please use [ c o d e ] tags. |
|
| Back to top |
|
|
| agulowaty |
| Posted: Wed Aug 21, 2013 10:51 pm Post subject: |
|
|
Newbie
Joined: 21 Aug 2013
Posts: 8
|
Yes, here is the code:
First I'm searching for connection factory in LDAP:
| Code: |
hashTable.put(PROVIDER_URL, "ldap://xxx");
hashTable.put(INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
hashTable.put(SECURITY_AUTHENTICATION, "none");
ic = new InitialContext(hashTable);
connectionFactory = (ConnectionFactory) ic.lookup("cn=xxx");
|
Then I need to setup Destination using different context factory:
| Code: |
Hashtable jndiContext = new Hashtable();
jndiContext.put(INITIAL_CONTEXT_FACTORY, "com.sun.jndi.fscontext.RefFSContextFactory");
jndiContext.put(PROVIDER_URL, "file:///home/xxxx");
try {
ctx = new InitialContext(jndiContext);
destination = (Destination) ctx.lookup("jndi name");
|
and use it like this:
| Code: |
MessageProducer producer = session.createProducer(destination);
|
where session comes from connectionFactory.
I know it might be unusual approach, but I'm tied with external requirements. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Thu Aug 22, 2013 6:36 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
Ok. I understand it now.
You have an LDAP admin who doesn't want to dirty the namespace with those contact admin queue definitions, and you have an MQAdmin that doesn't want to learn anything about that horrible LDAP.
So the LDAP admin is clutching the qmgr connection information in the namespace, and the MQ admin is clutching the queue destinations in the file system context.
In theory, you could work around this by writing your own proprietary API handler and telling the JMS nodes to use a configurable service that pointed to that proprietary API handler (in the same way that the JMS nodes talk to WebLogic).
Except for that funny little word "proprietary". I doubt that the spec for the api handler is published or available so you could implement something that matched the interface.
So I think you're out of luck and have to use plain JavaCompute nodes to do JMS instead of using the JMSNodes.
If you need input from JMS, you can use a TimeoutNotification node to start the flow. |
|
| Back to top |
|
|
| agulowaty |
| Posted: Thu Aug 22, 2013 9:39 pm Post subject: |
|
|
Newbie
Joined: 21 Aug 2013
Posts: 8
|
Thank you for help Jeff ! I'll do more research on your proposals.
Best regards |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
