| Author |
Message
|
| mateo613 |
 Posted: Tue Oct 17, 2006 6:38 pm Post subject: MQ JMS comms with weblogic security question |
 |
|
Newbie
Joined: 17 Oct 2006
Posts: 9
|
Can someone please explain how security will work with my setup. I have a MQ Series 5.2 QM with CSD05 (yes I know we are planning the upgrade) that needs to communicate via MQ Series JMS Classes with a Weblogic 8.1 application server. The Queue Manager runs Solaris 8, and the Weblogic server is running solaris 10.0. The MQ server is running a Server Connection channel with 'mqm' in the mca user id.
Here is my question. How does the MCA security work when the weblogic server places JMS messages on the local queues. How does the MCA user id come into play? How is security passed through via JMS? Do I create a local unix account with mqm permissions that matches the account running on the weblogic server?
In the past I have always worked with the MQ client running on windows, not JMS.
Any help will be greatly appreciated.
Thanks, |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Tue Oct 17, 2006 6:43 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
If you really want to look into the J2EE aspect of resource security you need to read up on JAAS and container and bean managed aliases.
Anyways with mqm in the channel mcauser there is no security...
Enjoy 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| mateo613 |
| Posted: Tue Oct 17, 2006 6:45 pm Post subject: |
|
|
Newbie
Joined: 17 Oct 2006
Posts: 9
|
Are you suggesting that I leave the mca user id blank in this scenario? Also, how robust is JMS communications with MQ Series?
Thanks,
Matthew |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Wed Oct 18, 2006 3:30 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
JMS communication using MQ v6 is probably the most robust JMS communication out there. There's a reason that MQ is the most widely implmented MOM product in the market place.
The MCA user id replaces all users that connect to that channel with the one specified. That means that anyone who can establish a tcp/ip connection to the channel will be authorized as the MCA user id.
You see why setting that to MQM is a bad idea?
You can configure your JMS QueueConnectionFactories to specify a connection user ID to use. This is done either in JNDI or in the code when you create the connection (one of the methods lets you supply a userid).
You should not use any version of MQ v5.2 from Java. If your WebLogic server is not running on the queue manager machine, then install either MQ v5.3 CSD 12 client or MQ v6 client, preferrably 6.0.2.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| mateo613 |
| Posted: Wed Oct 18, 2006 5:47 am Post subject: |
|
|
Newbie
Joined: 17 Oct 2006
Posts: 9
|
| jefflowrey wrote: |
You should not use any version of MQ v5.2 from Java. If your WebLogic server is not running on the queue manager machine, then install either MQ v5.3 CSD 12 client or MQ v6 client, preferrably 6.0.2. |
Let me ensure I understand what you are saying. My weblogic 8.1 is on a physically different machine than the MQ 5.2 server. Are you suggesting that instead of using the MQ 5.2 JMS classes (IBM-MA88), I should go ahead and use the 5.3 MQ JMS classes? I remember seeing an article that stated I MUST use 5.2 JMS classes provided by IBM to communicate via JMS with a 5.2 queue manager. I appreciate your help.
Thanks,
matthew |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Wed Oct 18, 2006 6:03 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
I'm not aware of any backward compatibility problems from the V5.3 JMS classes to v5.2. How old was the article you saw? Which article?
I *know* that MA88 was generally not as robust as what is included in the v5.3 distribution, and that regardless there are litereally hundreds of fixes between the last version of MA88 and what's included in v5.3 CSD12.
And I also know that it's very easy to test if you can establish a JMS connection to a 5.2 queue manager using the v5.3 client.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| mateo613 |
| Posted: Wed Oct 18, 2006 6:14 am Post subject: |
|
|
Newbie
Joined: 17 Oct 2006
Posts: 9
|
Is the 5.3 JMS classes available for download in a package similar to MA88? If not, what is the best way to extract these?
Thanks for your comments.
Matthew |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Wed Oct 18, 2006 6:56 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
They come with the v5.3 client.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| mateo613 |
| Posted: Wed Oct 18, 2006 7:23 am Post subject: |
|
|
Newbie
Joined: 17 Oct 2006
Posts: 9
|
| Ok, not trying to be difficult. When searching for the 5.3 client for Solaris on IBM's website they only have the 6.x client. I have downloaded the 5.3 client with CSD12 for windows xp. I did find all of the files necessary files(*.jar) but certain files are batch files instead of shell scripts. Any ideas on how to download the 5.3 CSD12 solaris client? |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Wed Oct 18, 2006 8:07 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
|
| Back to top |
|
|
| mateo613 |
| Posted: Wed Oct 18, 2006 10:17 am Post subject: |
|
|
Newbie
Joined: 17 Oct 2006
Posts: 9
|
| Thanks! You have been very helpfull |
|
| Back to top |
|
|
| mateo613 |
| Posted: Wed Oct 18, 2006 10:23 am Post subject: |
|
|
Newbie
Joined: 17 Oct 2006
Posts: 9
|
| BTW, what does 'macy' mean? |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Wed Oct 18, 2006 10:28 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
| mateo613 wrote: |
| BTW, what does 'macy' mean? |
???? 
OH.
That's MA - CY. It's the "number" of the Support Pack. Like MA-88, except its CY instead of 88.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
|
|
