Sunday, May 12, 2013

WebLogic: protect and secure JMS queues

My first experiment is protecting the individual queue with a Security Policy "user = weblogic".

If I go to the Monitoring tab and do "Show Messages", I get this error:

Access denied to resource: type=<jms>, application=ACMEJMSModule, destinationType=queue, resource=ACMEQ, action=browse
Error: weblogic.management.ManagementException: Authorization failure.

The same happens if, instead of protecting the individual queue, I protect the whole JMS module.

CAVEAT: when you ADD the policy, the effect is immediate. When you REMOVE it, the restriction stays cached in the server, and only a server restart sets the resource free again. Re-test after the restart before concluding that the policy removal did not work.

Now you must allow an OSB Business Service to WRITE to the protected JMS queue (see the JMS transport security documentation):

http://docs.oracle.com/cd/E17904_01/doc.1111/e15866/transport_level.htm#i1078093

a) create a Service Account of type Static, with the same username/password as the user named in the policy protecting the JMS queue

b) in the Business Service producing JMS messages, assign the above service account as "JMS Service Account"

c) in the Proxy Service consuming JMS messages, assign the above service account as "JMS Service Account"

It can't be simpler than this.
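What the static service account actually carries is a username/password pair that OSB passes to WebLogic when it opens the JMS connection; the policy on the destination is then checked against that principal for the send, receive and browse actions. The following plain JMS client, added here as an illustration and not taken from the original post or from OSB, shows the same two outcomes outside OSB: an anonymous connection hits the "Access denied ... action=send/receive" error, a connection carrying the policy's user succeeds. The provider URL, the connection factory and queue JNDI names, and the use of the WLS_PASSWORD environment variable are assumptions; adjust them to your domain.

```java
import java.util.Hashtable;
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import javax.jms.JMSSecurityException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.MessageProducer;
import javax.jms.Queue;
import javax.jms.Session;
import javax.jms.TextMessage;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Added example: a plain JMS client against a WebLogic queue protected by a
 * security policy ("user = weblogic"). URL, JNDI names and the password
 * variable are assumptions made for this illustration.
 */
public class ProtectedQueueClient {

    static final String PROVIDER_URL = "t3://localhost:7001";     // assumed
    static final String CF_JNDI      = "jms.jndi.cf.ACME";        // assumed
    static final String QUEUE_JNDI   = "jms.jndi.dq.ACME.ACMEQ";  // assumed

    /** Build a WebLogic JNDI context; a null user means an anonymous context. */
    static Context jndi(String user, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        if (user != null) {
            env.put(Context.SECURITY_PRINCIPAL, user);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }
        return new InitialContext(env);
    }

    /**
     * Send one text message and receive it back from the same queue.
     * Throws JMSSecurityException when the policy denies send or receive.
     */
    static String roundTrip(String user, String password, String body)
            throws NamingException, JMSException {
        Context ctx = jndi(user, password);
        try {
            ConnectionFactory cf = (ConnectionFactory) ctx.lookup(CF_JNDI);
            Queue queue = (Queue) ctx.lookup(QUEUE_JNDI);
            // The credentials on the connection are what the destination policy
            // evaluates; this is exactly what the OSB service account supplies.
            Connection conn = (user == null) ? cf.createConnection()
                                             : cf.createConnection(user, password);
            try {
                conn.start();
                Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
                MessageProducer producer = session.createProducer(queue);
                producer.send(session.createTextMessage(body));   // action=send
                MessageConsumer consumer = session.createConsumer(queue); // action=receive
                Message m = consumer.receive(5000);
                return (m instanceof TextMessage) ? ((TextMessage) m).getText() : null;
            } finally {
                conn.close();
            }
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1) Anonymous: on a protected queue this must fail with JMSSecurityException.
        try {
            roundTrip(null, null, "hello");
            System.out.println("anonymous access allowed: the queue is NOT protected");
        } catch (JMSSecurityException e) {
            System.out.println("anonymous denied as expected: " + e.getMessage());
        }
        // 2) The user named in the policy; password taken from the environment
        //    (assumed variable name) so it never lands in the source or the shell history.
        String password = System.getenv("WLS_PASSWORD");
        if (password == null) {
            throw new IllegalStateException("set WLS_PASSWORD for the policy user");
        }
        System.out.println("received: " + roundTrip("weblogic", password, "hello"));
    }
}
```

Compile and run it with wlfullclient.jar (or wlthint3client.jar) on the classpath. The first call reproduces the "Access denied to resource: type=<jms>, ..., action=send" message; the second goes through, which is the behaviour the service account gives the Business Service and Proxy Service.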

If I connect from Domain B to a protected JMS queue in Domain A, I get an error:

The Message-Driven EJB: RequestEJB-4191753809964957369-ea7ff4.13e88fddc7c.-7ef2 is unable to connect to the JMS destination: jms.jndi.dq.BLA.BLAQ. The Error was: weblogic.jms.common.JMSSecurityException: Access denied to resource: type=<jms>, application=BLAJMSModule, destinationType=queue, resource=BLAQ, action=receive Nested exception: weblogic.jms.common.JMSSecurityException: Access denied to resource: type=<jms>, application=BLAJMSModule, destinationType=queue, resource=BLAQ, action=receive

After creating the service account (static, with username and password), the JMS Proxy Service on B connects fine to A:

The Message-Driven EJB: RequestEJB-4191753809964957369-ea7ff4.13e88fddc7c.-7ef0 has connected/reconnected to the JMS destination: jms.jndi.dq.BLA.BLAQ

Strange, because here it says:

http://docs.oracle.com/cd/E17904_01/doc.1111/e15867/service_accounts.htm

It cannot be used in outbound requests that authenticate Oracle Service Bus to a local or remote server or system resource, such as an FTP server or a JMS server.
