MQ User Authentication
kpravin
Posted: Fri Jan 21, 2011 8:33 am    Post subject: MQ User Authentication

Newbie

Joined: 21 Jan 2011
Posts: 3

MQ User Authentication

All,
I have created an MQ JMS bridge on WebLogic server.

It is connecting perfectly and transferring messages from MQ queue to JMS queue on WebLogic.

The user to login to WebLogic domain is NOT added on MQ server under mqm group nor my Windows userid.

Experts, can you please let me know if I missed anything here. How user identification is done in case of WebLogic JMS Bridge.

I was expecting bridge to fail as it should NOT be able to connect to queue manager.


I have MQ client installed on my Windows machine.
When I try to connect to queue manager using amqsputc, it is failing mentioning security authentication (MQRC_NOT_AUTHORIZED).


Setup:
MQ Client (7.0.1.3) installed on windows server.
WebLogic Server Version: 10.3.3.0 on windows.
MQ 7.0.1.3 on Solaris 9.

Regards,
Pravin
Vitor
Posted: Fri Jan 21, 2011 9:15 am    Post subject: Re: MQ User Authentication

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

kpravin wrote:
Experts, can you please let me know if I missed anything here. How user identification is done in case of WebLogic JMS Bridge.


If you search through the forum you'll find a number of discussions surrounding this. Because amqsputc is written in C it doesn't use JMS but the native libs. This changes how users are identified. At its simplest, amqsputc uses the id with which it was started but Java uses the id supplied by the application itself. If the Java app doesn't supply any id, WMQ supplies a default. Unless you've configured the connection to do otherwise (typically with MCAUser) it uses the id of the connection itself - mqm.
_________________
Honesty is the best policy.
Insanity is the best defence.
kpravin
Posted: Mon Jan 24, 2011 7:19 am

Newbie

Joined: 21 Jan 2011
Posts: 3

Thanks Vitor for the info provided.
If possible, can you please provide me the link to IBM documentation for this.

I could find info about .NET client.
https://www-304.ibm.com/support/docview.wss?mynp=OCSSFKSJ&mync=E&uid=swg21456313&myns=swgws

But not for java client/applications.

Regards,
Pravin
Vitor
Posted: Mon Jan 24, 2011 7:23 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

kpravin wrote:
If possible, can you please provide me the link to IBM documentation for this.


AFAIK it's not explicitly mentioned in the IBM docs as this behaviour is true of any Java / JMS application & isn't part of the IBM implementation.

Other more skilled Java people may know different and may be able to guide you.
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Mon Jan 24, 2011 7:41 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

The heart of the issue is that Java is designed from the ground up to be "write once, run anywhere". This means that the native JVM does not provide any access to OS specific things, like security information.

In newer versions of MQ (at least v7, if not later FPs of v6), when establishing a *bindings* connection, which is already calling out to a shared library, the MQ Java code will also reach out and pull in the OS level userid.

But when making a client connection using MQ jar files, there's no mechanism for it to reach out to the OS, so it can't.

You should look at the JMS configuration. You should be able to provide a JAAS authentication alias that will then get mapped into MQ.

But you should fundamentally configure SSL and SSLPeer and MCAUSER on a specific SVRCONN for this bridge, to ensure that you are tightly controlling the security access that the bridge is granted.
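The SVRCONN lockdown recommended in the post above, sketched as an added MQSC example; it is not part of the original thread. The channel name, the `wlsbridge` user and group, the certificate DN, the queue manager `QM1`, the queue `BRIDGE.IN`, the `nobody` account and the CipherSpec choice are all assumptions to replace with your own values.

```mqsc
* Added example, not from the thread. All object names are hypothetical.

* Dedicated channel for the bridge only. TLS is mandatory, the client
* must present a certificate, and its DN must match SSLPEER.
* MCAUSER is hard-coded, so any user id asserted by the Java client
* (or the blank one it sends by default) is ignored by the queue manager.
DEFINE CHANNEL('WLS.BRIDGE.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=wlsbridge,O=Example') +
       MCAUSER('wlsbridge') +
       DESCR('WebLogic JMS bridge only') +
       REPLACE

* The dedicated channel only helps if the bridge cannot simply use
* another one. Give the default SVRCONN channels an MCAUSER that has
* no MQ authority (assumed here: the OS account nobody).
ALTER CHANNEL('SYSTEM.DEF.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('nobody')
ALTER CHANNEL('SYSTEM.AUTO.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('nobody')

* Pick up key repository changes after adding the bridge certificate.
REFRESH SECURITY TYPE(SSL)

* Authority for wlsbridge is granted from the OS shell, not from MQSC,
* at this MQ level. wlsbridge must NOT be a member of the mqm group.
*   setmqaut -m QM1 -t qmgr -g wlsbridge +connect +inq
*   setmqaut -m QM1 -t queue -n BRIDGE.IN -g wlsbridge +get +inq +browse

* Check: with the bridge connected, confirm the identity the queue
* manager is really using. MCAUSER should show wlsbridge, not mqm.
DISPLAY CHSTATUS('WLS.BRIDGE.SVRCONN') SSLPEER MCAUSER
```

If `DISPLAY CHSTATUS` still reports `mqm` for the bridge, it is connecting over a different channel or the MCAUSER was not applied, and the MQRC_NOT_AUTHORIZED behaviour seen with amqsputc will not be enforced for it.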
Vitor
Posted: Mon Jan 24, 2011 7:47 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

mqjeff wrote:
But you should fundamentally configure SSL and SSLPeer and MCAUSER on a specific SVRCONN for this bridge, to ensure that you are tightly controlling the security access that the bridge is granted.




And should have additionally mentioned SSL when I discussed MCAuser above.
_________________
Honesty is the best policy.
Insanity is the best defence.