Security on the JMS Service

Security Aspects

The JMS connection factories are obtained using JNDI.

A JMS connection can be created from the connection factory either by providing a user name and password, or with no parameters.

- If a user name and password are provided, a validation check is performed to confirm that the password matches the user. If it does not, the call fails with an exception. If the check succeeds, all subsequent JMS permission checks are performed for the specified user.

- If a connection is created without a user name and password, all subsequent JMS permission checks are performed for the anonymous user.

Note

In both cases, no login is performed – only JMS permission checks are performed for the respective user.
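The two connection paths described above, as an added Java example (not code from the SAP documentation or the JMS Provider): the connection factory is looked up through JNDI, one connection is created with credentials and one without, and the permission check is observed at the point where a consumer is opened. The JNDI names, the user name "jmsclient", the JMS_PASSWORD environment variable, and the assumption that the page's "consumer" action is what the provider checks when createConsumer is called are all placeholders or assumptions; JMSSecurityException is the standard JMS exception type for credential and permission failures.

```java
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import javax.jms.JMSSecurityException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.Queue;
import javax.jms.Session;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class JmsConnectionSecurityDemo {

    // Hypothetical JNDI names; the real names depend on how the engine's JNDI tree is laid out.
    private static final String FACTORY_JNDI_NAME = "jmsfactory/default/QueueConnectionFactory";
    private static final String QUEUE_JNDI_NAME = "jmsqueues/default/OrdersQueue";

    public static void main(String[] args) throws NamingException, JMSException {
        // The JNDI environment (provider URL, initial context factory) is expected
        // to come from the deployment descriptor or system properties.
        Context ctx = new InitialContext();
        ConnectionFactory factory = (ConnectionFactory) ctx.lookup(FACTORY_JNDI_NAME);
        Queue queue = (Queue) ctx.lookup(QUEUE_JNDI_NAME);

        // Case 1: user name and password supplied. The provider validates the
        // password when the connection is created; a mismatch fails right here.
        // Every later permission check runs as "jmsclient".
        Connection named = null;
        try {
            named = factory.createConnection("jmsclient", System.getenv("JMS_PASSWORD"));
            receiveOne(named, queue);
        } catch (JMSSecurityException e) {
            // Raised for a wrong password (at createConnection) as well as for a
            // missing "consumer" action on the queue (at createConsumer).
            System.err.println("Rejected for user jmsclient: " + e.getMessage());
        } finally {
            if (named != null) named.close();
        }

        // Case 2: no credentials. Nothing is validated at this point; every
        // later permission check runs as the anonymous user.
        Connection anonymous = factory.createConnection();
        try {
            receiveOne(anonymous, queue);
        } catch (JMSSecurityException e) {
            System.err.println("Anonymous user may not consume from the queue: " + e.getMessage());
        } finally {
            anonymous.close();
        }
        ctx.close();
    }

    /** Opens a consumer on the queue: the "consumer" action on the queue resource is checked here, not at login. */
    private static void receiveOne(Connection conn, Queue queue) throws JMSException {
        Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
        try {
            MessageConsumer consumer = session.createConsumer(queue);
            conn.start();
            Message msg = consumer.receive(1000L);
            System.out.println(msg == null ? "no message within 1 s" : "received " + msg.getJMSMessageID());
        } finally {
            session.close();
        }
    }
}
```

The point to take from the second case is that an anonymous connection is not a failure: it succeeds silently, and whatever the anonymous user is allowed to do under the clients role is what the caller can do. Applications that need accountability should always pass credentials, and operators should check what the clients role is actually granted (see the policy tables below).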

Security Roles of the JMS Policy Configuration

| Configuration | Description |
|---|---|
| service.jms.<jms-instance-name>.authorization | Contains the security settings for the JMS Provider. The JMS Provider defines two security roles: administrators (references the preconfigured security role administrators of the policy configuration SAP-J2EE-Engine) and clients (references the preconfigured security role guests of the policy configuration SAP-J2EE-Engine). By default, the two roles administrators and clients are granted permissions for all actions. |

service.jms.<jms-instance-name>.authorization defines the following resources:

Resources Defined by the JMS Policy Configuration

| Resource | Actions | Description |
|---|---|---|
| queue | consumer, produce, browse | There is an instance of this resource for each non-temporary queue. |
| topic | consumer, produce, browse | There is an instance of this resource for each non-temporary topic. |
| temporaryQueue | consumer, produce, browse | There is an instance of this resource for each temporary queue. |
| temporaryTopic | consumer, produce, browse | There is an instance of this resource for each temporary topic. |
| administration | create_temporary_topic, create_temporary_queue, create_topic, create_queue, create_subscription, remove_topic, remove_queue, remove_subscription | The resource for administrative tasks. |

Note

These policy configurations are configured by the Security Provider service. For more information, see Managing User Stores Using the Visual Administrator.
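To make the consequences of the default grants concrete, here is an added Java model of the policy configuration (example code, not the SAP engine's authorization code and not its policy file format). The role, resource and action names are the ones from the two tables above; the documented default grants both roles every action. The assumptions are that an anonymous caller is evaluated under the clients role (because clients references the guests role) and the shape of the "least privilege" variant, which is not an SAP default. The real configuration is changed through the Security Provider service, as the note above states.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Hypothetical model of the JMS policy configuration's grants: role -> resource -> actions. */
public class JmsPolicyModel {

    enum Resource { QUEUE, TOPIC, TEMPORARY_QUEUE, TEMPORARY_TOPIC, ADMINISTRATION }

    // Action names as listed in the resource table.
    static final Set<String> MESSAGING_ACTIONS = Set.of("consumer", "produce", "browse");
    static final Set<String> ADMIN_ACTIONS = Set.of(
        "create_temporary_topic", "create_temporary_queue", "create_topic", "create_queue",
        "create_subscription", "remove_topic", "remove_queue", "remove_subscription");

    private final Map<String, Map<Resource, Set<String>>> grants = new HashMap<>();

    JmsPolicyModel grant(String role, Resource resource, Set<String> actions) {
        grants.computeIfAbsent(role, r -> new HashMap<>()).put(resource, actions);
        return this;
    }

    /** A request is permitted if any of the caller's roles grants the action on the resource. */
    boolean isPermitted(Set<String> callerRoles, Resource resource, String action) {
        for (String role : callerRoles) {
            Set<String> granted = grants.getOrDefault(role, Map.of()).get(resource);
            if (granted != null && granted.contains(action)) {
                return true;
            }
        }
        return false;
    }

    /** The documented default: both roles get every action on every resource. */
    static JmsPolicyModel documentedDefault() {
        JmsPolicyModel p = new JmsPolicyModel();
        for (String role : Set.of("administrators", "clients")) {
            for (Resource r : Resource.values()) {
                p.grant(role, r, r == Resource.ADMINISTRATION ? ADMIN_ACTIONS : MESSAGING_ACTIONS);
            }
        }
        return p;
    }

    /** Assumed least-privilege variant: administrators keep everything, clients keep messaging only. */
    static JmsPolicyModel leastPrivilege() {
        JmsPolicyModel p = new JmsPolicyModel();
        for (Resource r : Resource.values()) {
            p.grant("administrators", r, r == Resource.ADMINISTRATION ? ADMIN_ACTIONS : MESSAGING_ACTIONS);
        }
        p.grant("clients", Resource.QUEUE, Set.of("consumer", "produce"));
        p.grant("clients", Resource.TOPIC, Set.of("consumer", "produce"));
        p.grant("clients", Resource.TEMPORARY_QUEUE, MESSAGING_ACTIONS);
        p.grant("clients", Resource.TEMPORARY_TOPIC, MESSAGING_ACTIONS);
        // No administration grant for clients: an anonymous caller cannot create or remove destinations.
        return p;
    }

    public static void main(String[] args) {
        // Assumption: a connection created without credentials is checked as the anonymous
        // user, who falls under guests, which the clients role references.
        Set<String> anonymousCaller = Set.of("clients");

        Map<String, JmsPolicyModel> policies = new HashMap<>();
        policies.put("documented default", documentedDefault());
        policies.put("least privilege", leastPrivilege());

        for (Map.Entry<String, JmsPolicyModel> e : policies.entrySet()) {
            JmsPolicyModel p = e.getValue();
            System.out.printf("%-18s anonymous consumer on queue: %b, remove_queue: %b%n",
                e.getKey(),
                p.isPermitted(anonymousCaller, Resource.QUEUE, "consumer"),
                p.isPermitted(anonymousCaller, Resource.ADMINISTRATION, "remove_queue"));
        }
    }
}
```

Under the documented default the model reports that an anonymous caller may both consume from a queue and remove a queue, because the clients role holds every administration action; under the least-privilege variant the consume check still passes while remove_queue is refused. That is the review an operator should make against the real policy configuration: confirm which actions the clients role, and through it the guests role, actually holds on the administration resource.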

Communication Protocols and Ports

The JMS Provider differentiates between internal and external communication.

- JMS internal communication is communication that takes place within the J2EE Engine cluster. Because the JMS Provider and the application run in the same runtime, no additional security measures are necessary for internal communication.

- JMS external communication uses an SAP-proprietary binary format. The port is obtained from the dispatcher; the default port is 5<instance_id>10, but you can change it in the server port definitions. The JMS protocol is carried only over this port. When communicating across network boundaries, this port must be opened on the firewall.

Caution

No encryption is available on the JMS communication.

Data Storage

Configuration data and user data (messages) are stored in the database and are subject to the database's protection mechanisms.
