Security Properties
Table 17-9 lists broker properties related to security services: authentication, authorization, and encryption. Table 17-10 lists broker
properties related specifically to file-based authentication, Table 17-11 lists broker properties related specifically to
LDAP-based authentication, and Table 17-12 lists broker properties related specifically to JAAS-based authentication.
Table 17-9 Broker Security Properties

| Property | Type | Default Value | Description |
|---|---|---|---|
| imq.authentication.basic.user_repository | String | file | Type of user authentication: file (flat-file user repository, Table 17-10), ldap (LDAP user repository, Table 17-11), or jaas (JAAS login modules, Table 17-12) |
| imq.authentication.type | String | digest | Password encoding method (basic or digest) used when clients authenticate to the broker |
| imq.serviceName.authentication.type | String | None | Password encoding method for connection service serviceName. If specified, overrides imq.authentication.type for the designated connection service. |
| imq.authentication.client.response.timeout | Integer | 180 | Interval, in seconds, to wait for client response to authentication requests |
| imq.accesscontrol.enabled | Boolean | true | Use access control? If true, the system will check the access control file to verify that an authenticated user is authorized to use a connection service or to perform specific operations with respect to specific destinations. |
| imq.accesscontrol.type | String | file | Specifies the access control type |
| imq.serviceName.accesscontrol.enabled | Boolean | None | Use access control for connection service? If specified, overrides imq.accesscontrol.enabled for the designated connection service. If true, the system will check the access control file to verify that an authenticated user is authorized to use the designated connection service or to perform specific operations with respect to specific destinations. |
| imq.accesscontrol.file.dirpath | String | IMQ_VARHOME/instances/instanceName/etc | Path to the access control directory |
| imq.accesscontrol.file.filename | String | accesscontrol.properties | Name of access control file. The file name specifies a path relative to imq.accesscontrol.file.dirpath. |
| imq.serviceName.accesscontrol.file.filename | String | None | Name of access control file for connection service. If specified, overrides imq.accesscontrol.file.filename for the designated connection service. The file name specifies a path relative to imq.accesscontrol.file.dirpath. |
| imq.accesscontrol.file.url | String | Not set | The location, as a URL, of the access control file. If the URL uses the LDAP protocol (ldap://), the access control file must be returned as a single string that uses the dollar sign ($) as the separator between the lines of the access control file. |
| imq.serviceName.accesscontrol.file.url | String | None | The location, as a URL, of the access control file for the connection service. If specified, overrides imq.accesscontrol.file.url for the designated connection service. If the URL uses the LDAP protocol (ldap://), the access control file must be returned as a single string that uses the dollar sign ($) as the separator between the lines of the access control file. |
| imq.keystore.file.dirpath | String | IMQ_HOME/etc | Path to directory containing key store file |
| imq.keystore.file.name | String | keystore | Name of key store file |
| imq.keystore.password [1] | String | None | Password for key store file |
| imq.passfile.enabled | Boolean | false | Obtain passwords from password file? |
| imq.passfile.dirpath | String | IMQ_HOME/etc | Path to directory containing password file |
| imq.passfile.name | String | passfile | Name of password file |
| imq.imqcmd.password [1] | String | None | Password for administrative user. The Command utility (imqcmd) uses this password to authenticate the user before executing a command. |
| imq.audit.enabled | Boolean | false | Is audit logging to broker log file enabled? |
| imq.audit.bsm.disabled | Boolean | true | Is audit logging to the Solaris BSM audit log disabled? |

[1] To be used only in password files
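The per-service properties in Table 17-9 (imq.serviceName.accesscontrol.enabled, imq.serviceName.authentication.type) silently override their global counterparts, so a broker whose global settings look strict can still run one connection service with access control off. The following added example, which is not part of the Message Queue documentation, resolves the effective setting for each connection service from a config.properties-style text and reports the settings a reviewer would question. The connection service names (jms, ssljms, admin, ssladmin) and the sample properties text are assumptions constructed for the example.

```python
# Added example (not from the Message Queue documentation): resolve the
# effective security settings of a broker, honouring the imq.<serviceName>.*
# overrides described in Table 17-9, and list settings worth a second look.
# Service names and the sample properties text are constructed assumptions.

CONNECTION_SERVICES = ("jms", "ssljms", "admin", "ssladmin")  # assumed names

SAMPLE_PROPERTIES = """\
# constructed broker config.properties fragment
imq.accesscontrol.enabled=true
imq.admin.accesscontrol.enabled=false
imq.authentication.type=digest
imq.ssljms.authentication.type=basic
imq.keystore.password=changeit
imq.passfile.enabled=false
imq.audit.enabled=false
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value (or key:value) lines,
    '#' and '!' comment lines, surrounding whitespace ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for sep in ("=", ":"):
            if sep in line:
                key, _, value = line.partition(sep)
                break
        else:
            key, _, value = line.partition(" ")
        props[key.strip()] = value.strip()
    return props


def effective(props, service, suffix, default):
    """Per-service value imq.<service>.<suffix> wins over imq.<suffix>,
    which in turn wins over the documented default."""
    return props.get(f"imq.{service}.{suffix}",
                     props.get(f"imq.{suffix}", default))


def as_bool(value):
    return str(value).strip().lower() == "true"


def review(props):
    """Return a list of findings, one per questionable effective setting."""
    findings = []
    for svc in CONNECTION_SERVICES:
        # Documented defaults: access control on, digest password encoding.
        if not as_bool(effective(props, svc, "accesscontrol.enabled", "true")):
            findings.append(f"{svc}: access control disabled")
        if effective(props, svc, "authentication.type", "digest") != "digest":
            findings.append(f"{svc}: password encoding is not digest")
    # Table 17-9 marks these properties as belonging in the password file.
    if not as_bool(props.get("imq.passfile.enabled", "false")):
        for key in ("imq.keystore.password", "imq.imqcmd.password"):
            if key in props:
                findings.append(f"{key} is set in broker properties, "
                                "not in the password file")
    if not as_bool(props.get("imq.audit.enabled", "false")):
        findings.append("audit logging to the broker log is disabled")
    return findings


def review_text(text):
    return review(parse_properties(text))


if __name__ == "__main__":
    for finding in review_text(SAMPLE_PROPERTIES):
        print(finding)
```

Run against the constructed sample, the script reports the admin service with access control off, the ssljms service with non-digest encoding, the key store password sitting in the broker properties, and audit logging disabled; the first two would be invisible to anyone who checked only the global imq.* keys.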
Table 17-10 lists broker properties related to user authentication when using a flat-file user
repository.
Table 17-10 Broker Security Properties for Flat-File Authentication

| Property | Type | Default Value | Description |
|---|---|---|---|
| imq.user_repository.file.dirpath | String | IMQ_VARHOME/instances/instanceName/etc/ | Path to the directory containing the flat-file user repository |
| imq.user_repository.file.filename | String | passwd | Name of the flat-file user repository file in the directory specified by imq.user_repository.file.dirpath |
Table 17-11 lists broker properties related to LDAP-based user authentication.
Table 17-11 Broker Security Properties for LDAP Authentication

| Property | Type | Default Value | Description |
|---|---|---|---|
| imq.user_repository.ldap.server | String | None | Host name and port number for the LDAP server. The value is of the form hostName:port, where hostName is the fully qualified DNS name of the host running the LDAP server and port is the port number used by the server. To specify a list of failover servers, use the following syntax: host1:port1 ldap://host2:port2 ldap://host3:port3 ... Entries in the list are separated by spaces. Note that each failover server address is prefixed with ldap://. Use this format even if you use SSL and have set the property imq.user_repository.ldap.ssl.enabled to true; you need not specify ldaps in the address. |
| imq.user_repository.ldap.principal | String | None | Distinguished name for binding to the LDAP user repository. Not needed if the LDAP server allows anonymous searches. |
| imq.user_repository.ldap.password [1] | String | None | Password for binding to the LDAP user repository. Not needed if the LDAP server allows anonymous searches. |
| imq.user_repository.ldap.propertyName | | | |
| imq.user_repository.ldap.base | String | None | Directory base for LDAP user entries |
| imq.user_repository.ldap.uidattr | String | None | Provider-specific attribute identifier for LDAP user name |
| imq.user_repository.ldap.usrformat | String | None | When set to dn, specifies that DN username format is used for authentication (for example: uid=mquser,ou=People,dc=red,dc=sun,dc=com). The broker also extracts the value of the imq.user_repository.ldap.uidattr attribute from the DN username and uses this value as the user name in access control operations. If not set, normal username format is used. |
| imq.user_repository.ldap.usrfilter [2] | String | None | JNDI filter for LDAP user searches |
| imq.user_repository.ldap.grpsearch | Boolean | false | Enable LDAP group searches? Note: Message Queue does not support nested groups. |
| imq.user_repository.ldap.grpbase | String | None | Directory base for LDAP group entries |
| imq.user_repository.ldap.gidattr | String | None | Provider-specific attribute identifier for LDAP group name |
| imq.user_repository.ldap.memattr | String | None | Provider-specific attribute identifier for user names in LDAP group |
| imq.user_repository.ldap.grpfilter [2] | String | None | JNDI filter for LDAP group searches |
| imq.user_repository.ldap.timeout | Integer | 280 | Time limit for LDAP searches, in seconds |
| imq.user_repository.ldap.ssl.enabled | Boolean | false | Use SSL when communicating with the LDAP server? |
| imq.user_repository.ldap.ssl.socketfactory | String | com.sun.messaging.jmq.jmsserver.auth.ldap.TrustSSLSocketFactory | The fully qualified class name of the socket factory to use to make SSL connections to the LDAP server. When this property is not set and imq.user_repository.ldap.ssl.enabled is set to true, the default socket factory designated by the LDAP naming service is used. |

[1] Should be used only in password files
[2] Optional
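Two of the string formats above are easy to get subtly wrong: the space-separated server list of imq.user_repository.ldap.server, whose failover entries must carry the ldap:// prefix while the first entry is plain hostName:port, and the access control file fetched through an ldap:// URL (imq.accesscontrol.file.url in Table 17-9), which arrives as one string with $ separating the lines. The following added example, not part of the Message Queue documentation, parses both formats and applies the checks a reviewer would make on the LDAP settings of Table 17-11. The server names, directory base and access control lines are constructed sample values, and the settings are assumed to have been parsed into a plain dictionary already.

```python
# Added example (not from the Message Queue documentation): parse the server
# list syntax of imq.user_repository.ldap.server (Table 17-11) and the
# '$'-joined access control file returned via an ldap:// URL (Table 17-9),
# then review the LDAP settings. All sample values below are constructed.

SAMPLE_LDAP_PROPS = {  # constructed broker settings, already parsed into a dict
    "imq.authentication.basic.user_repository": "ldap",
    "imq.user_repository.ldap.server":
        "ldap1.example.com:389 ldap://ldap2.example.com:389 "
        "ldap://ldap3.example.com:636",
    "imq.user_repository.ldap.base": "ou=People,dc=example,dc=com",
    "imq.user_repository.ldap.uidattr": "uid",
    "imq.user_repository.ldap.ssl.enabled": "false",
}

SAMPLE_ACL_FROM_LDAP = (  # constructed: one string, '$' between file lines
    "version=JMQFileAccessControlModel/100$"
    "connection.NORMAL.allow.user=*$"
    "connection.ADMIN.allow.group=admin"
)


def parse_ldap_servers(value):
    """Split the space-separated list into [(host, port), ...].

    The first entry is the primary server written as hostName:port; every
    further entry is a failover server and must carry the ldap:// prefix,
    as the property description requires. Malformed lists raise ValueError.
    """
    entries = value.split()
    if not entries:
        raise ValueError("imq.user_repository.ldap.server is empty")
    servers = []
    for index, entry in enumerate(entries):
        if index > 0:
            if not entry.startswith("ldap://"):
                raise ValueError(f"failover entry lacks ldap:// prefix: {entry}")
            entry = entry[len("ldap://"):]
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"expected host:port, got {entry!r}")
        servers.append((host, int(port)))
    return servers


def split_acl_from_ldap(single_string):
    """Recover the lines of the access control file from the single
    '$'-separated string that an ldap:// lookup returns."""
    return [line for line in single_string.split("$") if line]


def review_ldap_settings(props):
    """Return the findings a security reviewer would raise on these settings."""
    try:
        servers = parse_ldap_servers(
            props.get("imq.user_repository.ldap.server", ""))
    except ValueError as exc:
        return [f"server list: {exc}"]
    findings = []
    if props.get("imq.user_repository.ldap.ssl.enabled", "false").lower() != "true":
        findings.append("imq.user_repository.ldap.ssl.enabled is false: bind "
                        f"credentials reach {len(servers)} LDAP server(s) "
                        "without SSL")
    if "imq.user_repository.ldap.principal" not in props:
        findings.append("no bind DN configured: the directory must allow "
                        "anonymous searches")
    for key in ("imq.user_repository.ldap.base",
                "imq.user_repository.ldap.uidattr"):
        if key not in props:
            findings.append(f"{key} is not set")
    return findings


if __name__ == "__main__":
    print(parse_ldap_servers(SAMPLE_LDAP_PROPS["imq.user_repository.ldap.server"]))
    print(split_acl_from_ldap(SAMPLE_ACL_FROM_LDAP))
    for finding in review_ldap_settings(SAMPLE_LDAP_PROPS):
        print(finding)
```

The parser deliberately rejects a failover entry without the ldap:// prefix rather than guessing, since the table states that prefix is required even when SSL is enabled; the review function treats a missing bind DN as a finding because it implies the directory permits anonymous searches.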
Table 17-12 lists broker properties related to JAAS-based user authentication.
Table 17-12 Broker Security Properties for JAAS Authentication

| Property | Type | Default Value | Description |
|---|---|---|---|
| imq.user_repository.jaas.name | String | None | Set to the name of the desired entry (in the JAAS configuration file) that references the login modules you want to use as the authentication service. This is the name you noted in Step 3. |
| imq.user_repository.jaas.userPrincipalClass | String | None | This property, used by Message Queue access control, specifies the java.security.Principal implementation class in the login module(s) that the broker uses to extract the Principal name to represent the user entity in the Message Queue access control file. If it is not specified, the user name passed from the Message Queue client when a connection was requested is used instead. |
| imq.user_repository.jaas.groupPrincipalClass | String | None | This property, used by Message Queue access control, specifies the java.security.Principal implementation class in the login module(s) that the broker uses to extract the Principal name to represent the group entity in the Message Queue access control file. If it is not specified, the user name passed from the Message Queue client when a connection was requested is used instead. |