This chapter describes security considerations for the JMS RA.
The JMS RA is fully compliant with the JCA security contract as described in Java™ EE Connector Architecture Specification, version 1.7 at https://download.oracle.com/otndocs/jcp/connector_architecture-1_7-mrel-spec/.
For outbound communication, in the ra.xml file you can specify authentication-mechanism-type, credential-interface, and reauthentication-support. For example:

```xml
. . .
<outbound-resourceadapter>
  . . .
  <authentication-mechanism>
    <authentication-mechanism-type>BasicPassword</authentication-mechanism-type>
    <credential-interface>javax.resource.spi.security.PasswordCredential</credential-interface>
  </authentication-mechanism>
  <reauthentication-support>false</reauthentication-support>
  . . .
</outbound-resourceadapter>
. . .
```
The following sections provide information on WebLogic JMS security:
WebLogic JMS uses a thread-based security model. The subject of the thread is established in the JNDI lookup as the JNDI username and credential. WebLogic JMS assumes all related operations are done within the same thread under the same subject, which is used for later authorizations at the server. The username and password used to create JMS connections are ignored in the authorization phase.
You can secure JMS resources that are deployed either as a service or an application. To secure JMS destinations, you create security policies and security roles for all destinations (JMS queues and JMS topics) as a group, or an individual destination (JMS queue or JMS topic) on a JMS server. See "Java Messaging Service (JMS) Resources" in Securing Resources Using Roles and Policies for Oracle WebLogic Server.
There are four methods for specifying Username and Password:
Specifying a Username/Password for In-bound Connections using the JCA Container
Specifying a Username/Password for In-bound Connections using JNDI
Specifying a Username/Password for In-bound Connections using a Connection Factory
When possible, Oracle recommends using the host application server's JCA container. Most vendors provide JCA containers that offer methods to dynamically set credentials using secure mechanisms. Other methods typically store credentials in clear text. If you choose a method that does not encrypt credentials, use Oracle Wallet to secure them. See Securing Credentials with Oracle Wallet.
Your application can provide the username/password in the activation-spec of an inbound resource adapter. The activation spec is then passed into the JMS RA by the foreign application server's JCA container.
For detailed information on how to specify a username/password using the JCA container of your foreign application server, see Administering the JMS RA on Oracle GlassFish Server.
You can configure the jndiEnv property in the resourceProviderDefinitions to include the username/password as shown below:

```xml
<config-property-name>resourceProviderDefinitions</config-property-name>
<config-property-type>java.lang.String</config-property-type>
<config-property-value>
  (weblogicAdmin: jndiEnv=(java.naming.factory.initial=weblogic.jms.WrappedInitialContextFactory,
    java.naming.provider.url='t3://host:port',
    java.naming.security.principal=xxxx,
    java.naming.security.credentials=yyyy))
</config-property-value>
</config-property>
```
The JMS RA simplifies security interoperability with foreign application servers by providing a connection-based security model using a new JNDI initial context factory: weblogic.jms.WrappedInitialContextFactory. The resulting subject is determined using the following rules:
A subject is associated with each connection created using the connection username/password.
If the connection is created without a username/password, then the JNDI username/password is used.
All subsequent JMS operations use the subject resulting from the connection creation call, regardless of what is on the thread.
For outbound connections, you can use createConnection(java.lang.String, java.lang.String).
The JMS RA does not provide configuration attributes to implement the username/password for outbound connections. See Secure Wire Communication for information on securing outbound communication.
Some foreign application servers may provide secure credentials between domains. If so, consult your vendor documentation for more information.
Oracle Wallet provides a simple method to secure credentials between multiple domains. It allows you to update credentials by updating the Wallet instead of having to change individual credentials.
To secure your credentials, you must:
Create a wallet file and add the necessary credentials using the JMS RA encryption utility. This step creates a cwallet.sso file at the specified location which maps an alias to the secured credentials. See Using the wljmsra Encryption utility.
Provide the alias in the JMS RA deployment descriptor or connection pool configuration.
Provide the location of the cwallet.sso file in the JMS RA deployment descriptor or connection pool configuration.
The following table provides examples of how you can set JMS RA JNDI environment properties.
Table 11-1 JNDI Properties for Setting Credentials
JNDI Settings | Behavior |
---|---|
java.naming.security.principal=principal java.naming.security.credentials=credentials | The JMS RA run time uses the values of principal and credentials to access WebLogic Server destinations. |
java.naming.security.principal=principal java.naming.security.credentials=- weblogic.jms.walletDir=directory | The JMS RA run time uses the value of principal as the username and the value of alias to retrieve and use the password stored in the |
java.naming.security.principal=- java.naming.security.credentials=- weblogic.jms.walletDir=directory | The JMS RA run time uses the value of alias1 to retrieve and use the username and alias2 to retrieve and use the password stored in the |
java.naming.security.principal=- java.naming.security.credentials=- weblogic.jms.walletDir=directory | The JMS RA run time uses the value of alias to retrieve and use the username and password stored in the |
java.naming.security.principal=principal java.naming.security.credentials=-> weblogic.jms.walletDir=directory | The JMS RA run time uses the value of principal as the username and the value of principal to retrieve and use the password stored in the |
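The resourceProviderDefinitions value above and Table 11-1 together give a defender a simple audit rule: a jndiEnv that sets java.naming.security.credentials without weblogic.jms.walletDir keeps the password in clear text in ra.xml, while one that sets weblogic.jms.walletDir resolves it from the wallet. The following Python script is an added example, not part of the original page or of the JMS RA; the ra.xml fragment is constructed, and the `-alias` form of the wallet-backed values is an assumption about the alias syntax Table 11-1 refers to.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ra.xml fragment in the page's form (two providers, not a real deployment).
RA_XML = """<connector><config-property>
<config-property-name>resourceProviderDefinitions</config-property-name>
<config-property-type>java.lang.String</config-property-type>
<config-property-value>
(weblogicAdmin: jndiEnv=(java.naming.factory.initial=weblogic.jms.WrappedInitialContextFactory,
  java.naming.provider.url='t3://host:port',
  java.naming.security.principal=xxxx,
  java.naming.security.credentials=yyyy))
(weblogicWallet: jndiEnv=(java.naming.factory.initial=weblogic.jms.WrappedInitialContextFactory,
  java.naming.provider.url='t3://host:port',
  java.naming.security.principal=-alias1,
  java.naming.security.credentials=-alias2,
  weblogic.jms.walletDir=/secure/mywallet))
</config-property-value>
</config-property></connector>"""

# One "(name: jndiEnv=( ... ))" group per provider; the inner list is key=value pairs,
# where a value may be single-quoted (the t3 URL contains ':' and '/').
PROVIDER_RE = re.compile(r"\((\w+):\s*jndiEnv=\((.*?)\)\)", re.S)
PAIR_RE = re.compile(r"([\w.]+)=('[^']*'|[^,\s)]+)")


def parse_providers(ra_xml):
    """Yield (provider name, jndiEnv dict) for each resourceProviderDefinitions entry."""
    root = ET.fromstring(ra_xml)
    for prop in root.iter("config-property"):
        if prop.findtext("config-property-name") != "resourceProviderDefinitions":
            continue
        value = prop.findtext("config-property-value") or ""
        for name, env in PROVIDER_RE.findall(value):
            yield name, {k: v.strip("'") for k, v in PAIR_RE.findall(env)}


def classify(env):
    """'wallet' if the password comes from Oracle Wallet, 'clear-text' if it is literal in ra.xml."""
    if "weblogic.jms.walletDir" in env:
        return "wallet"
    if env.get("java.naming.security.credentials"):
        return "clear-text"
    return "none"  # no credentials configured for this provider


def audit(ra_xml):
    """Map each provider name to how its JNDI credentials are stored."""
    return {name: classify(env) for name, env in parse_providers(ra_xml)}
```

Run audit over a deployed ra.xml and treat every "clear-text" result as a candidate for migration to the wallet method described in the next section.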
The JMS RA provides a command-line utility to add application credentials into an Oracle Wallet file. To run the utility, change directories to the wlserver/server/lib directory of your installation and enter the following command to display the valid commands:

```
java -jar wljmsra.rar help
Usage:
  create <dir>: Create wallet under given directory.
  add <alias> <value> [dir]: Add value using the alias.
  replace <alias> <value> [dir]: Replace value of the alias.
  remove <alias> [dir]: Remove an alias.
  dump [dir]: List all aliases in the wallet.
  help: This help.
```
The following example uses the encryption utility to create a wallet file in the directory mywallet:

```
java -jar wljmsra.rar create mywallet
Info: Created wallet under directory 'mywallet'.
```
The following example uses the encryption utility to create an alias:

```
java -jar wljmsra.rar add user6 pwd6
Info: Added alias 'user6'.
```
The following example uses the encryption utility to replace an alias:

```
java -jar wljmsra.rar replace user6 newpwd6
Info: Replaced alias 'user6'.
```
Oracle recommends using SSL/t3s to secure information sent over the wire. See "Configuring SSL" in Administering Security for Oracle WebLogic Server 12c (12.2.1).