Connecting to secured foreign JMS destinations from OSB / weblogic MDB

A secured foreign JMS destination is one on which user credentials must be supplied to carry out operations (send, receive, etc.). Weblogic JMS uses the user id on the calling thread for this purpose, while many other JMS providers, including Websphere MQ and JBoss JMS, expect the credentials to be passed to the provider in the ConnectionFactory.createConnection call.

Configuring OSB as described below ensures that the user credentials are passed in the createConnection() call to the JMS provider.

Business Service [ To send messages to the secured destination ]
1) Configure a foreign JMS server that references the foreign vendor's JNDI URL, JNDI class name and, if needed, a JNDI user/password.
2) Configure a foreign destination and a foreign connection factory (CF) in that foreign JMS server.
3) Specify the user/password as part of the foreign CF configuration in step 2.

4) Configure the JMS URL in the business service as:
jms://localWLSHost:port/ForeignLocalConnectionFactoryJNDI/ForeignQueueLocalJNDI

Proxy Service [ To receive messages from the secured destination ]

Apply steps (1) to (3) from the Business Service section above.

Step (4)

From OSB 10gR3

Do not specify hostname:port in the URL. The JMS URI has the following format:
jms:///ForeignLocalConnectionFactoryJNDI/ForeignQueueLocalJNDI

For ALSB 2.6, 2.6RP1 and ALSB 3.0

Contact customer support and request a patch for this bug <>. The patch is required for sbconsole to accept a JMS URI in the following format:
jms:///ForeignLocalConnectionFactoryJNDI/ForeignQueueLocalJNDI

Weblogic MDB

When configuring a Weblogic MDB against a secured foreign JMS destination, the username/password to be passed to the provider can be configured in the foreign connection factory configuration.

For the user id details specified in the foreign JMS connection factory to be used, make sure that no provider URL is specified in the weblogic-ejb-jar.xml deployment descriptor for the MDB. The wrapper code is bypassed if a provider URL is specified.

From Oracle support:


Symptoms

When configuring MDBs to listen to a foreign service (that is, the remote service's JNDI is mapped to the local Weblogic JNDI), if the url-provider is specified in the weblogic-ejb-jar.xml, then the behavior will likely not be as expected. The MDB will make a direct (remote) connection to the service.

In our example, the customer configured Tibco EMS as a foreign service, and the service is configured to authenticate credentials. The credentials are set in the configuration of the foreign service. The symptom of the issue was that the MDBs on Weblogic were not passing the credentials to Tibco.

ERROR

javax.naming.ServiceUnavailableException: Failed to query JNDI: Failed to connect to any server at: tcp://XXXXXXXXXXXXXXX:xxxx, tcp://XXXXXXXXXX:xxxx [Root exception is javax.jms.JMSException: Failed to connect to any server at: tcp://XXXXXXXX:xxxx, tcp://XXXXXXXXX:xxxx]
at com.tibco.tibjms.naming.TibjmsContext.lookup(TibjmsContext.java:676)
at com.tibco.tibjms.naming.TibjmsContext.lookup(TibjmsContext.java:500)
at javax.naming.InitialContext.lookup(InitialContext.java:351)

We could also see in the logs the following:

Cause

As mentioned, if one specifies the provider-url tag in the weblogic-ejb-jar.xml file, the MDBs make a direct (remote) connection to the foreign service instead of a local JNDI lookup.

So the credentials set in the foreign service configuration are not used. In fact, as documented in Bug 8048271 and Bug 8193565, only when provider-url is not specified do we look up using the local JNDI. And if provider-url is specified, Weblogic looks for credentials from a credential mapper rather than the foreign service configuration.

Below are the relevant sections for an MDB to connect to a secured JBoss JMS destination:

queue/A – JNDI name of a JMS destination in JBoss JMS
ConnectionFactory – JNDI name of a connection factory in JBoss JMS
esbuser – a user in JBoss who has read access to the JMS queue queue/A
{3DES}90sIZwo6Llr9r73p+VXkvQ== – password for esbuser in encrypted form (actual password: esbpassword)

Foreign JMS

<foreign-server name="ForeignServer">
<default-targeting-enabled>true</default-targeting-enabled>
<foreign-destination name="A">
<local-jndi-name>A</local-jndi-name>
<remote-jndi-name>queue/A</remote-jndi-name>
</foreign-destination>
<foreign-connection-factory name="FConf">
<local-jndi-name>FConf</local-jndi-name>
<remote-jndi-name>ConnectionFactory</remote-jndi-name>
<username>esbuser</username>
<password-encrypted>{3DES}90sIZwo6Llr9r73p+VXkvQ==</password-encrypted>
</foreign-connection-factory>
<initial-context-factory>org.jnp.interfaces.NamingContextFactory</initial-context-factory>
<connection-url>jnp://localhost:1099</connection-url>
</foreign-server>

weblogic-ejb-jar.xml

<?xml version='1.0' encoding='UTF-8'?>
<web:weblogic-ejb-jar xmlns:web="http://www.bea.com/ns/weblogic/weblogic-ejb-jar">
<web:weblogic-enterprise-bean>
<web:ejb-name>RequestEJB-2518965873970113789–2352f820.127bd3f293c.-7fdb</web:ejb-name>
<web:message-driven-descriptor>
<web:pool>
<web:max-beans-in-free-pool>1000</web:max-beans-in-free-pool>
<web:initial-beans-in-free-pool>1</web:initial-beans-in-free-pool>
</web:pool>
<web:destination-jndi-name>A</web:destination-jndi-name>
<web:connection-factory-jndi-name>FConf</web:connection-factory-jndi-name>
</web:message-driven-descriptor>
<web:transaction-descriptor>
<web:trans-timeout-seconds>600</web:trans-timeout-seconds>
</web:transaction-descriptor>
<web:resource-description>
<web:res-ref-name>jms/ConnectionFactory</web:res-ref-name>
<web:jndi-name>FConf</web:jndi-name>
</web:resource-description>
<web:resource-description>
<web:res-ref-name>jms/QueueName</web:res-ref-name>
<web:jndi-name>A</web:jndi-name>
</web:resource-description>
</web:weblogic-enterprise-bean>
</web:weblogic-ejb-jar>
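As an added example (not code from this post or from Weblogic), a small Python lint over the two descriptors above. It checks the conditions the post relies on: the foreign connection factory carries a username and password-encrypted, the MDB references that factory's local JNDI name, and weblogic-ejb-jar.xml sets no provider-url (which makes the MDB bypass the foreign-server wrapper and its credentials). The embedded XML is a constructed, trimmed copy of the descriptors above; the ejb-name RequestEJB is a placeholder.

```python
import xml.etree.ElementTree as ET

WL_NS = "http://www.bea.com/ns/weblogic/weblogic-ejb-jar"

# Constructed inputs, trimmed from the descriptors shown in the post.
FOREIGN_SERVER_XML = """<foreign-server name="ForeignServer">
  <foreign-connection-factory name="FConf">
    <local-jndi-name>FConf</local-jndi-name>
    <remote-jndi-name>ConnectionFactory</remote-jndi-name>
    <username>esbuser</username>
    <password-encrypted>{3DES}90sIZwo6Llr9r73p+VXkvQ==</password-encrypted>
  </foreign-connection-factory>
</foreign-server>"""

MDB_XML = """<web:weblogic-ejb-jar xmlns:web="%s">
  <web:weblogic-enterprise-bean>
    <web:ejb-name>RequestEJB</web:ejb-name>
    <web:message-driven-descriptor>
      <web:destination-jndi-name>A</web:destination-jndi-name>
      <web:connection-factory-jndi-name>FConf</web:connection-factory-jndi-name>
    </web:message-driven-descriptor>
  </web:weblogic-enterprise-bean>
</web:weblogic-ejb-jar>""" % WL_NS


def lint(foreign_server_xml, mdb_xml):
    """Return findings; an empty list means the MDB will use the foreign CF credentials."""
    findings = []
    # Foreign connection factories keyed by local JNDI name -> carries credentials?
    cfs = {}
    for cf in ET.fromstring(foreign_server_xml).findall("foreign-connection-factory"):
        local = cf.findtext("local-jndi-name")
        cfs[local] = cf.find("username") is not None and cf.find("password-encrypted") is not None
        if not cfs[local]:
            findings.append("foreign CF %s has no username/password-encrypted" % local)
    ns = {"web": WL_NS}
    for bean in ET.fromstring(mdb_xml).findall("web:weblogic-enterprise-bean", ns):
        name = bean.findtext("web:ejb-name", namespaces=ns)
        md = bean.find("web:message-driven-descriptor", ns)
        if md is None:
            continue  # not an MDB
        # provider-url makes the MDB connect directly, bypassing the wrapper and the CF credentials.
        if md.find("web:provider-url", ns) is not None:
            findings.append("%s sets provider-url; foreign CF credentials are bypassed" % name)
        cf_name = md.findtext("web:connection-factory-jndi-name", namespaces=ns)
        if cf_name not in cfs:
            findings.append("%s uses CF %s, which is not a foreign CF" % (name, cf_name))
    return findings
```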

About atheek

I am a Weblogic consultant working in Middleware/Integration area.