The JMS resource adapter is fully compliant with the Java Connector Architecture security contract, as described in Java™ EE Connector Architecture Specification, version 1.7.
For outbound communication, you can specify the authentication-mechanism-type, credential-interface, and reauthentication-support elements in the ra.xml file.
For example:
. . .
<outbound-resourceadapter>
. . .
<authentication-mechanism>
<authentication-mechanism-type>
BasicPassword
</authentication-mechanism-type>
<credential-interface>javax.resource.spi.security.PasswordCredential</credential-interface>
</authentication-mechanism>
<reauthentication-support>false</reauthentication-support>
. . .
</outbound-resourceadapter>
. . .
The following topics provide information about WebLogic JMS security:
WebLogic JMS uses a thread-based security model. The subject of the thread is established in the JNDI lookup as the JNDI user name and password credentials. WebLogic JMS assumes all related operations are done within the same thread under the same subject that is used for later authorizations in the server. The user name and password used to create JMS connections are ignored in the authorization phase.
You can secure JMS resources that are deployed either as a service or an application. To secure JMS destinations, you create security policies and security roles for all destinations (JMS queues and JMS topics) as a group, or an individual destination (JMS queue or JMS topic) on a JMS server.
See Java Messaging Service (JMS) Resources in Securing Resources Using Roles and Policies for Oracle WebLogic Server for more information.
You can apply any of the following methods to specify the user name and password credentials:
Specifying a User Name and Password for Inbound Connections Using JNDI
Specifying a User Name and Password for Inbound Connections Using a Connection Factory
Specifying a User Name and Password for Outbound Connections
Oracle recommends using the host application server's Java Connector Architecture container. Most vendors provide Java Connector Architecture containers that provide methods to dynamically set credentials using secure methods. Other methods typically store credentials in clear text. If you chose a method that does not encrypt credentials, use Oracle Wallet to secure them.
See Securing Credentials with Oracle Wallet for more information.
Your application can provide the user name and password credentials in the activation-spec of an inbound resource adapter. The activation spec is then passed into the JMS resource adapter by the foreign application server's Java Connector Architecture container.
See Administering the JMS Resource Adapter on Oracle GlassFish Server for detailed information about how to specify a user name and password using the Java Connector Architecture container of your foreign application server.
You can configure the jndiEnv property in the resourceProviderDefinitions to include the user name and password credentials as follows:
<config-property-name>resourceProviderDefinitions</config-property-name>
<config-property-type>java.lang.String</config-property-type>
<config-property-value>
(weblogicAdmin: jndiEnv=(java.naming.factory.initial=weblogic.jms.WrappedInitialContextFactory,
java.naming.provider.url='t3://host:port',
java.naming.security.principal=xxxx,
java.naming.security.credentials=yyyy))
</config-property-value>
</config-property>
See Example JNDI Configurations for Setting Credentials for more information.
The JMS resource adapter simplifies security interoperability with foreign application servers by providing connection based security model using a new JNDI initial context factory, weblogic.jms.WrappedInitialContextFactory. The resulting subject is determined using the following rules:
A subject is associated with each connection created using the connection user name and password.
If the connection is created without user name and password, then the JNDI user name and password are used.
All subsequent JMS operations use the resultant subject from the connection creation call regardless of what is on the thread.
For outbound connections, you can use createConnection(java.lang.String, java.lang.String) API.
The JMS resource adapter does not provide configuration attributes to implement the user name and password for outbound connections.
See Secure Communication for information about securing outbound communication.
Some foreign application servers may provide secure credentials between domains. If so, consult your vendor documentation for more information.
Oracle Wallet provides an simple and easy method to secure credentials between multiple domains. It allows you to update credentials by updating the wallet instead of having to change individual credentials.
To secure your credentials, you must:
Create a wallet file and add the necessary credentials using the JMS resource adapter encryption utility. This step creates a cwallet.sso file at the specified location that maps an alias to the secured credentials.
See Using the wljmsra Encryption Utility for more information.
Provide the alias in the JMS resource adapter deployment descriptor or connection pool configuration.
Provide the location of the cwallet.sso file in the JMS resource adapter deployment descriptor or connection pool configuration.
The following table provide examples showing how you can set JMS resource adapter JNDI environment properties.
| JNDI Settings | Behavior |
|---|---|
java.naming.security.principal=principal
java.naming.security.principal=principal
java.naming.security.credentials=credentials
|
The JMS resource adapter runtime uses the values of |
java.naming.security.principal=principal
java.naming.security.credentials=->alias
weblogic.jms.walletDir=dirctory
|
The JMS resource adapter runtime uses the value of |
java.naming.security.principal=->alias1
java.naming.security.credentials=->alias2
weblogic.jms.walletDir=dirctory
|
The JMS resource adapter runtime uses the value of |
java.naming.security.principal=->alias
java.naming.security.credentials=->
weblogic.jms.walletDir=dirctory
|
The JMS resource adapter runtime uses the value of |
java.naming.security.principal=principal
java.naming.security.credentials=->
weblogic.jms.walletDir=dirctory
|
The JMS resource adapter runtime uses the value of |
The JMS resource adapter provides a command-line utility to add application credentials into an Oracle Wallet file. To run the utility, change to the WL_HOMEserver/lib directory and enter the following command to display the valid commands:
java -jar wljmsra.rar help Usage: create <dir>: Create wallet under given directory. add <alias> <value> [dir]: Add value using the alias. replace <alias> <value> [dir]: Replace value of the alias. remove <alias> [dir]: Remove an alias. dump [dir]: List all aliases in the wallet. help: This help.
The following example uses the encryption utility to create a wallet file in the directory mywallet:
java -jar wljmsra.rar create mywallet Info: Created wallet under directory 'mywallet'.
The following example uses the encryption utility to create an alias:
java -jar wljmsra.rar add user6 pwd6 Info: Added alias 'user6'.
The following example uses the encryption utility to replace an alias:
java -jar wljmsra.rar replace user6 newpwd6 Info: Replaced alias 'user6'.
The following example uses the encryption utility to remove an alias:
java -jar wljmsra.rar remove user6 Info: Removed alias 'user6'.
The following example uses the encryption utility to list the aliases in a wallet:
java -jar wljmsra.rar dump mywallet Info: Aliases found in wallet under 'mywallet'. user4 Info: 1 aliases found.
Oracle recommends using SSL or t3s to secure information being sent.
See Configuring SSL in Administering Security for Oracle WebLogic Server for more information.