Sun Java System Message Queue 4.3 Administration Guide

Security Properties

Table 16–7 lists broker properties related to security services: authentication, authorization, and encryption. Table 16–8 lists broker properties related specifically to LDAP-based authentication, and Table 16–9 lists broker properties related specifically to JAAS-based authentication.

Table 16–7 Broker Security Properties

| Property | Type | Default Value | Description |
|---|---|---|---|
| imq.authentication.basic.user_repository | String | file | Type of user authentication: file (file-based), ldap (Lightweight Directory Access Protocol), jaas (Java Authentication and Authorization Service) |
| imq.authentication.type | String | digest | Password encoding method: digest (MD5, for file-based authentication), basic (Base-64, for LDAP or JAAS authentication) |
| imq.serviceName.authentication.type | String | None | Password encoding method for connection service serviceName: digest (MD5, for file-based authentication), basic (Base-64, for LDAP or JAAS authentication). If specified, overrides imq.authentication.type for the designated connection service. |
| imq.authentication.client.response.timeout | Integer | 180 | Interval, in seconds, to wait for client response to authentication requests |
| imq.accesscontrol.enabled | Boolean | true | Use access control? If true, the system checks the access control file to verify that an authenticated user is authorized to use a connection service or to perform specific operations on specific destinations. |
| imq.accesscontrol.type | String | file | Specifies the access control type |
| imq.serviceName.accesscontrol.enabled | Boolean | None | Use access control for connection service? If specified, overrides imq.accesscontrol.enabled for the designated connection service. If true, the system checks the access control file to verify that an authenticated user is authorized to use the designated connection service or to perform specific operations on specific destinations. |
| imq.accesscontrol.file.filename | String | accesscontrol.properties | Name of access control file. The file name specifies a path relative to the access control directory (see Appendix A, Platform-Specific Locations of Message Queue Data). |
| imq.serviceName.accesscontrol.file.filename | String | None | Name of access control file for connection service. If specified, overrides imq.accesscontrol.file.filename for the designated connection service. The file name specifies a path relative to the access control directory (see Appendix A, Platform-Specific Locations of Message Queue Data). |
| imq.accesscontrol.file.url | String | Not set | The location, as a URL, of the access control file. |
| imq.serviceName.accesscontrol.file.url | String | None | The location, as a URL, of the access control file for connection service. If specified, overrides imq.accesscontrol.file.url for the designated connection service. |
| imq.keystore.file.dirpath | String | See Appendix A, Platform-Specific Locations of Message Queue Data | Path to directory containing key store file |
| imq.keystore.file.name | String | keystore | Name of key store file |
| imq.keystore.password (to be used only in password files) | String | None | Password for key store file |
| imq.passfile.enabled | Boolean | false | Obtain passwords from password file? |
| imq.passfile.dirpath | String | See Appendix A, Platform-Specific Locations of Message Queue Data | Path to directory containing password file |
| imq.passfile.name | String | passfile | Name of password file |
| imq.imqcmd.password | String | None | Password for administrative user. The Command utility (imqcmd) uses this password to authenticate the user before executing a command. |

Table 16–8 lists broker properties related to LDAP-based user authentication.

Table 16–8 Broker Security Properties for LDAP Authentication

| Property | Type | Default Value | Description |
|---|---|---|---|
| imq.user_repository.ldap.server | String | None | Host name and port number for LDAP server. The value is of the form hostName:port, where hostName is the fully qualified DNS name of the host running the LDAP server and port is the port number used by the server. To specify a list of failover servers, use the syntax host1:port1 ldap://host2:port2 ldap://host3:port3, with entries separated by spaces. Note that each failover server address is prefixed with ldap://. Use this format even if you use SSL and have set imq.user_repository.ldap.ssl.enabled to true; you need not specify ldaps in the address. |
| imq.user_repository.ldap.principal | String | None | Distinguished name for binding to LDAP user repository. Not needed if the LDAP server allows anonymous searches. |
| imq.user_repository.ldap.password (should be used only in password files) | String | None | Password for binding to LDAP user repository. Not needed if the LDAP server allows anonymous searches. |
| imq.user_repository.ldap.propertyName | | | |
| imq.user_repository.ldap.base | String | None | Directory base for LDAP user entries |
| imq.user_repository.ldap.uidattr | String | None | Provider-specific attribute identifier for LDAP user name |
| imq.user_repository.ldap.usrformat | String | None | When set to dn, specifies that DN username format is used for authentication (for example, uid=mquser,ou=People,dc=red,dc=sun,dc=com). The broker also extracts the value of the imq.user_repository.ldap.uidattr attribute from the DN username and uses it as the user name in access control operations. If not set, normal username format is used. |
| imq.user_repository.ldap.usrfilter (optional) | String | None | JNDI filter for LDAP user searches |
| imq.user_repository.ldap.grpsearch | Boolean | false | Enable LDAP group searches? Note: Message Queue does not support nested groups. |
| imq.user_repository.ldap.grpbase | String | None | Directory base for LDAP group entries |
| imq.user_repository.ldap.gidattr | String | None | Provider-specific attribute identifier for LDAP group name |
| imq.user_repository.ldap.memattr | String | None | Provider-specific attribute identifier for user names in LDAP group |
| imq.user_repository.ldap.grpfilter | String | None | JNDI filter for LDAP group searches |
| imq.user_repository.ldap.timeout | Integer | 280 | Time limit for LDAP searches, in seconds |
| imq.user_repository.ldap.ssl.enabled | Boolean | false | Use SSL when communicating with LDAP server? |
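As an added example that is not part of the guide, the following broker config.properties fragment ties several rows of Table 16–7 and Table 16–8 together: LDAP authentication with a failover server list in the syntax described for imq.user_repository.ldap.server, SSL to the directory, group searches, a per-service access control override for the admin connection service, and the bind, key store and imqcmd passwords kept in the password file. Host names, DNs, the ldap filter values and the admin.accesscontrol.properties file name are constructed placeholders.

```properties
# --- config.properties (broker instance); constructed example, not from the guide ---
# LDAP requires the basic encoding. Base-64 is encoding, not encryption, so the
# client connection itself should be protected (SSL-based service or trusted network).
imq.authentication.basic.user_repository=ldap
imq.authentication.type=basic
imq.authentication.client.response.timeout=60

# Primary server in hostName:port form; failover servers are space-separated and
# each prefixed with ldap://, even with SSL enabled below (no ldaps prefix needed).
imq.user_repository.ldap.server=ldap1.example.com:636 ldap://ldap2.example.com:636 ldap://ldap3.example.com:636
imq.user_repository.ldap.ssl.enabled=true
imq.user_repository.ldap.timeout=30

# Bind identity; the matching imq.user_repository.ldap.password lives in the passfile, not here.
imq.user_repository.ldap.principal=cn=mqbroker,ou=Services,dc=example,dc=com

# User lookup in DN username format: the uid value is extracted from the DN and
# used as the user name in access control checks.
imq.user_repository.ldap.base=ou=People,dc=example,dc=com
imq.user_repository.ldap.uidattr=uid
imq.user_repository.ldap.usrformat=dn
imq.user_repository.ldap.usrfilter=(objectClass=inetOrgPerson)

# Group lookup (nested groups are not supported by Message Queue).
imq.user_repository.ldap.grpsearch=true
imq.user_repository.ldap.grpbase=ou=Groups,dc=example,dc=com
imq.user_repository.ldap.gidattr=cn
imq.user_repository.ldap.memattr=uniqueMember
imq.user_repository.ldap.grpfilter=(objectClass=groupOfUniqueNames)

# Access control stays enabled globally; the admin connection service gets its own
# access control file (path relative to the access control directory, Appendix A).
imq.accesscontrol.enabled=true
imq.admin.accesscontrol.file.filename=admin.accesscontrol.properties

# Read secrets from the password file instead of this file.
imq.passfile.enabled=true
imq.passfile.name=passfile

# --- passfile (same constructed example); restrict read access to the broker user ---
imq.user_repository.ldap.password=CHANGE_ME_ldap_bind_password
imq.keystore.password=CHANGE_ME_keystore_password
imq.imqcmd.password=CHANGE_ME_admin_password
```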

Table 16–9 lists broker properties related to JAAS-based user authentication.

Table 16–9 Broker Security Properties for JAAS Authentication

| Property | Type | Default Value | Description |
|---|---|---|---|
| imq.user_repository.jaas.name | String | None | Set to the name of the entry in the JAAS configuration file that references the login modules you want to use as the authentication service. This is the name you noted in Step 3. |
| imq.user_repository.jaas.userPrincipalClass | String | None | Used by Message Queue access control; specifies the java.security.Principal implementation class in the login module(s) from which the broker extracts the Principal name that represents the user entity in the Message Queue access control file. If not specified, the user name passed from the Message Queue client when the connection was requested is used instead. |
| imq.user_repository.jaas.groupPrincipalClass | String | None | Used by Message Queue access control; specifies the java.security.Principal implementation class in the login module(s) from which the broker extracts the Principal name that represents the group entity in the Message Queue access control file. If not specified, the user name passed from the Message Queue client when the connection was requested is used instead. |