11 Securing JMS Resource Adapter Connections

The following topics describe security considerations for the JMS resource adapter:

Java Connector Architecture Security

The JMS resource adapter is fully compliant with the Java Connector Architecture security contract, as described in Java™ EE Connector Architecture Specification, version 1.7.

For outbound communication, you can specify the authentication-mechanism-type, credential-interface, and reauthentication-support elements in the ra.xml file.

For example:

. . .
<outbound-resourceadapter>
    . . .
    <authentication-mechanism>
        <authentication-mechanism-type>BasicPassword</authentication-mechanism-type>
        <credential-interface>javax.resource.spi.security.PasswordCredential</credential-interface>
    </authentication-mechanism>
    <reauthentication-support>false</reauthentication-support>
    . . .
</outbound-resourceadapter>
. . .

WebLogic JMS Security

The following topics provide information about WebLogic JMS security:

Overview of JMS Security Models

WebLogic JMS uses a thread-based security model. The subject of the thread is established during the JNDI lookup from the JNDI user name and password credentials. WebLogic JMS assumes all related operations are performed on the same thread under the same subject, and that subject is used for later authorization decisions in the server. The user name and password used to create JMS connections are ignored in the authorization phase.

Protecting JMS Resources

You can secure JMS resources that are deployed either as a service or an application. To secure JMS destinations, you create security policies and security roles for all destinations (JMS queues and JMS topics) as a group, or an individual destination (JMS queue or JMS topic) on a JMS server.

See Java Messaging Service (JMS) Resources in Securing Resources Using Roles and Policies for Oracle WebLogic Server for more information.

Specifying User Name and Password Credentials

You can apply any of the following methods to specify the user name and password credentials:

Oracle recommends using the host application server's Java Connector Architecture container. Most vendors provide Java Connector Architecture containers with methods to set credentials dynamically and securely. Other methods typically store credentials in clear text. If you choose a method that does not encrypt credentials, use Oracle Wallet to secure them.

See Securing Credentials with Oracle Wallet for more information.

Specifying a User Name and Password for Inbound Connections Using the Java Connector Architecture Container

Your application can provide the user name and password credentials in the activation-spec of an inbound resource adapter. The activation spec is then passed into the JMS resource adapter by the foreign application server's Java Connector Architecture container.

See Administering the JMS Resource Adapter on Oracle GlassFish Server for detailed information about how to specify a user name and password using the Java Connector Architecture container of your foreign application server.

Specifying a User Name and Password for Inbound Connections Using JNDI

You can configure the jndiEnv property in the resourceProviderDefinitions to include the user name and password credentials as follows:

<config-property>
    <config-property-name>resourceProviderDefinitions</config-property-name>
    <config-property-type>java.lang.String</config-property-type>
    <config-property-value>
        (weblogicAdmin: jndiEnv=(java.naming.factory.initial=weblogic.jms.WrappedInitialContextFactory,
                                 java.naming.provider.url='t3://host:port',
                                 java.naming.security.principal=xxxx,
                                 java.naming.security.credentials=yyyy))
    </config-property-value>
</config-property>

See Example JNDI Configurations for Setting Credentials for more information.

Specifying a User Name and Password for Inbound Connections Using a Connection Factory

The JMS resource adapter simplifies security interoperability with foreign application servers by providing a connection-based security model through a new JNDI initial context factory, weblogic.jms.WrappedInitialContextFactory. The resulting subject is determined using the following rules:

  • A subject is associated with each connection created using the connection user name and password.

  • If the connection is created without a user name and password, the JNDI user name and password are used.

  • All subsequent JMS operations use the resultant subject from the connection creation call regardless of what is on the thread.

Specifying a User Name and Password for Outbound Connections

For outbound connections, you can use the createConnection(java.lang.String, java.lang.String) API.

The JMS resource adapter does not provide configuration attributes to set the user name and password for outbound connections.

See Secure Communication for information about securing outbound communication.

Some foreign application servers may provide secure credentials between domains. If so, consult your vendor documentation for more information.

Securing Credentials with Oracle Wallet

Oracle Wallet provides a simple method to secure credentials across multiple domains. It allows you to update credentials by updating the wallet instead of having to change each credential individually.

To secure your credentials, you must:

  • Create a wallet file and add the necessary credentials using the JMS resource adapter encryption utility. This step creates a cwallet.sso file at the specified location that maps an alias to the secured credentials.

    See Using the wljmsra Encryption Utility for more information.

  • Provide the alias in the JMS resource adapter deployment descriptor or connection pool configuration.

  • Provide the location of the cwallet.sso file in the JMS resource adapter deployment descriptor or connection pool configuration.

Example JNDI Configurations for Setting Credentials

The following table provides examples of how you can set JMS resource adapter JNDI environment properties.


JNDI settings:
    java.naming.security.principal=principal
    java.naming.security.credentials=credentials
Behavior:
    The JMS resource adapter runtime uses the values of principal and credentials to access Oracle WebLogic Server destinations.

JNDI settings:
    java.naming.security.principal=principal
    java.naming.security.credentials=->alias
    weblogic.jms.walletDir=directory
Behavior:
    The JMS resource adapter runtime uses the value of principal as the user name and the value of alias to retrieve and use the password stored in the cwallet.sso file located in the directory specified by the value of directory.

JNDI settings:
    java.naming.security.principal=->alias1
    java.naming.security.credentials=->alias2
    weblogic.jms.walletDir=directory
Behavior:
    The JMS resource adapter runtime uses the value of alias1 to retrieve and use the user name and the value of alias2 to retrieve and use the password stored in the cwallet.sso file located in the directory specified by the value of directory.

JNDI settings:
    java.naming.security.principal=->alias
    java.naming.security.credentials=->
    weblogic.jms.walletDir=directory
Behavior:
    The JMS resource adapter runtime uses the value of alias to retrieve and use the user name and password stored in the cwallet.sso file located in the directory specified by the value of directory.

JNDI settings:
    java.naming.security.principal=principal
    java.naming.security.credentials=->
    weblogic.jms.walletDir=directory
Behavior:
    The JMS resource adapter runtime uses the value of principal as the user name and the value of principal as the alias to retrieve and use the password stored in the cwallet.sso file located in the directory specified by the value of directory.
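As an added illustration (not Oracle's code), the following Python models the jndiEnv syntax shown earlier and the alias rules in this table: it parses a resourceProviderDefinitions value, resolves the effective user name and password against a wallet modelled as a plain dict standing in for cwallet.sso, and flags a clear-text password or a plain t3 provider URL. The wallet contents, the two definitions and the walletDir path are constructed, and the bare '->' rows are modelled literally as the table describes them.

```python
import re

# Constructed stand-in for a cwallet.sso built with wljmsra (the real file is encrypted).
WALLET = {"jmsuser": "svc_jms", "jmspwd": "s3cret-pw"}

PRINCIPAL = "java.naming.security.principal"
CREDENTIALS = "java.naming.security.credentials"
WALLET_DIR = "weblogic.jms.walletDir"
PROVIDER_URL = "java.naming.provider.url"

# Constructed resourceProviderDefinitions values in the page's jndiEnv syntax.
CLEARTEXT_DEF = ("(weblogicAdmin: jndiEnv=(java.naming.provider.url='t3://host:port',"
                 " java.naming.security.principal=xxxx, java.naming.security.credentials=yyyy))")
WALLET_DEF = ("(weblogicAdmin: jndiEnv=(java.naming.provider.url='t3s://host:port',"
              " java.naming.security.principal=->jmsuser, java.naming.security.credentials=->jmspwd,"
              " weblogic.jms.walletDir=/opt/wallets/jmsra))")

def parse_jndi_env(definition):
    """Return the key=value pairs inside jndiEnv=( ... ) as a dict."""
    m = re.search(r"jndiEnv=\((.*?)\)", definition, re.S)
    if not m:
        raise ValueError("no jndiEnv=(...) block found")
    env = {}
    for pair in m.group(1).split(","):
        key, _, value = pair.strip().partition("=")
        env[key] = value.strip().strip("'")
    return env

def resolve_credentials(env, wallet):
    """Apply the table's '->alias' rules to get the effective (user name, password)."""
    principal = env.get(PRINCIPAL, "")
    credentials = env.get(CREDENTIALS, "")
    if "->" in (principal[:2], credentials[:2]) and not env.get(WALLET_DIR):
        raise ValueError("wallet alias used but weblogic.jms.walletDir is not set")
    # A bare '->' reuses the principal's alias (or the literal principal as the alias).
    principal_alias = principal[2:] if principal.startswith("->") else principal
    user = wallet[principal_alias] if principal.startswith("->") else principal
    password = wallet[credentials[2:] or principal_alias] if credentials.startswith("->") else credentials
    return user, password

def review_definition(definition):
    """Defender's checks: clear-text password in the descriptor and unencrypted t3 transport."""
    env = parse_jndi_env(definition)
    findings = []
    if env.get(CREDENTIALS) and not env[CREDENTIALS].startswith("->"):
        findings.append(CREDENTIALS + " is clear text; store it in the wallet and reference ->alias")
    if env.get(PROVIDER_URL, "").startswith("t3://"):
        findings.append(PROVIDER_URL + " uses plain t3; use t3s (SSL) instead")
    return findings
```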


Using the wljmsra Encryption Utility

The JMS resource adapter provides a command-line utility to add application credentials to an Oracle Wallet file. To run the utility, change to the WL_HOME/server/lib directory and enter the following command to display the valid commands:

java -jar wljmsra.rar help
Usage:
create <dir>: Create wallet under given directory.
add <alias> <value> [dir]: Add value using the alias.
replace <alias> <value> [dir]: Replace value of the alias.
remove <alias> [dir]: Remove an alias.
dump [dir]: List all aliases in the wallet.
help: This help.

The following example uses the encryption utility to create a wallet file in the directory mywallet:

java -jar wljmsra.rar create mywallet
Info: Created wallet under directory 'mywallet'.

The following example uses the encryption utility to create an alias:

java -jar wljmsra.rar add user6 pwd6
Info: Added alias 'user6'.

The following example uses the encryption utility to replace an alias:

java -jar wljmsra.rar replace user6 newpwd6
Info: Replaced alias 'user6'.

The following example uses the encryption utility to remove an alias:

java -jar wljmsra.rar remove user6
Info: Removed alias 'user6'.

The following example uses the encryption utility to list the aliases in a wallet:

java -jar wljmsra.rar dump mywallet
Info: Aliases found in wallet under 'mywallet'.
user4
Info: 1 aliases found.

Secure Communication

Oracle recommends using SSL or t3s to secure information being sent.

See Configuring SSL in Administering Security for Oracle WebLogic Server for more information.