How to secure WebLogic JMS Resources?

April 15, 2014

When you create a JMS resource on WebLogic, it is not secured by default. Anyone who knows your JMS URL can delete all your messages. You might say there is a firewall in front of it, but you should secure your assets even inside your own organization.

1. Define a JMS server

2. Create a JMS module

3. Create a Connection Factory, then target it to the cluster

4. Create Distributed Queues, then target them to the Subdeployment.

I have created “DistributedQueue-01” on my local WebLogic domain, then connected to my JMS resources using the HermesJMS tool.

Here are my connection details:

JMS URL:

JMS Connection Details Without Security Policy

I have created a Hermes JMS session with the above settings. When you have finished creating the session in Hermes, right-click on your session, then select the “Discover” option from the dropdown menu. Hermes will then connect to your JMS resource and list its queues and topics. See the screen capture below.

Without security credentials, you can connect and list every JMS resource.

Secure your JMS Module

The best practice is to secure your JMS resource through a WebLogic group. That way, when another system needs to integrate, you just create a user for the new system and assign it to the JMS group; the new system must then connect with its own security credentials.

1. Create a new WebLogic group and name it “JMS_Subscribers”

2. Create a new user for your backend system. I’ve named it “jms_test_user”

3. Assign “jms_test_user” to “JMS_Subscribers” group

These three steps are basic administration tasks; now I’ll give the details for the JMS module.

4. Click on “Services > Messaging > JMS Modules > $YourJMSModule (on list) > Security (tab) > Policies (sub tab) > Add Conditions (button)”

Then choose the “Group” predicate from the predicate list combo box and click “Next”. In “Group Argument Name”, type your WebLogic group name, which is “JMS_Subscribers”, and click the “Add” button. You should now see your “JMS_Subscribers” group condition in the list. See the screen capture below.

Add Policy Condition for your JMS Modules

Finally, click the “Save” button. The policy is not activated until you save it.

That’s it; from now on your JMS module is secured. No one can list your JMS resources without authentication.

When I rediscovered my JMS connection in Hermes, it gave an error, because I hadn’t provided security credentials. Here is the full error log.

Add Security Credentials For JMS Connectivity

From now on, we must add the properties below to our JMS connections, with the proper user information.

securityPrincipal=jms_test_user
securityCredentials=welcome1

New connection settings:

JMS Connection With Credentials

After that, I successfully listed my queue destinations.

Successfully connected and discovered my JMS queues.
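
The same before-and-after check can be scripted from a Java client. This is an added example, not the author's code: it browses the queue anonymously, which should be refused once the policy is saved, and then again with credentials supplied through the JNDI counterparts of the Hermes securityPrincipal and securityCredentials properties. Assumptions: the URL and JNDI names are passed as arguments because the page does not give them, the JMS_USER and JMS_PASSWORD environment variable names are made up for this example, and the refusal is assumed to surface as JMSSecurityException or NoPermissionException (any other error propagates).

```java
import java.util.Collections;
import java.util.Hashtable;
import javax.jms.*;
import javax.naming.*;

// Added example, not the author's code; needs the WebLogic client jar on the classpath.
// Usage: java JmsPolicyCheck <t3-url> <connection-factory-jndi> <queue-jndi>
// JMS_USER / JMS_PASSWORD are environment variable names assumed for this example.
public class JmsPolicyCheck {
    // Counts messages visible to a QueueBrowser; user == null connects anonymously.
    static int browse(String url, String cfName, String queueName,
                      String user, String password) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, url);
        if (user != null) {
            // JNDI counterparts of the Hermes securityPrincipal / securityCredentials fields.
            env.put(Context.SECURITY_PRINCIPAL, user);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }
        Context ctx = new InitialContext(env);
        Connection conn = null;
        try {
            ConnectionFactory cf = (ConnectionFactory) ctx.lookup(cfName);
            Queue queue = (Queue) ctx.lookup(queueName);
            conn = cf.createConnection();
            conn.start();
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            QueueBrowser browser = session.createBrowser(queue);
            return Collections.list(browser.getEnumeration()).size();
        } finally {
            if (conn != null) conn.close();
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        boolean anonymousDenied = false;
        try {
            browse(args[0], args[1], args[2], null, null);
        } catch (JMSSecurityException | NoPermissionException e) {
            anonymousDenied = true; // expected once the module policy is saved
            System.out.println("anonymous browse denied: " + e.getMessage());
        }
        int visible = browse(args[0], args[1], args[2],
                             System.getenv("JMS_USER"), System.getenv("JMS_PASSWORD"));
        System.out.println("authenticated browse ok, messages visible: " + visible);
        if (!anonymousDenied) System.exit(1); // policy is not being enforced
    }
}
```

A non-zero exit status means the anonymous browse still succeeded, so the group policy is not in effect on that module.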

If you have any questions about your JMS problems, drop me an email.


Category: JMS, Middleware, WebLogic

M.Fevzi Korkutata

About the Author

M.Fevzi Korkutata: Deep level technical consultant... Oracle ACE Associate in Middleware & SOA expertise. His specialty is large scale and mission critical live production systems and like to work as DevOps. He knows all kind of application servers and its environments. Software product development, operation management, design, implementation, integration... etc. Korkutata working as "Application and Infrastructure Architect"... Likes to work and communicate internationally, stay connected :)
