The JMS connection factories are obtained using JNDI.
A JMS connection can be created from the connection factory either with a user name and password, or with no parameters.
Note that in both cases no logon is performed; only JMS permission checks are performed for the respective user.
Configuration | Description |
service.jms.<jms-instance-name>.authorization | Contains the security settings for the JMS provider. The JMS provider defines two security roles: ● administrators – references the preconfigured security role administrators of the policy configuration SAP-J2EE-Engine. ● clients – references the preconfigured security role guests of the policy configuration SAP-J2EE-Engine. By default, the two roles administrators and clients are granted permission for all actions. |
service.jms.<jms-instance-name>.authorization defines the following resources:
Resource | Actions | Description |
queue | consumer, produce, browse | There is an instance of this resource for each non-temporary queue. |
topic | consumer, produce, browse | There is an instance of this resource for each non-temporary topic. |
temporaryQueue | consumer, produce, browse | There is an instance of this resource for each temporary queue. |
temporaryTopic | consumer, produce, browse | There is an instance of this resource for each temporary topic. |
administration | create_temporary_topic, create_temporary_queue, create_topic, create_queue, create_subscription, remove_topic, remove_queue, remove_subscription | The resource for administrative tasks. |
These policy configurations are configured by the Security Provider service.
For more information, see Managing Policy Configurations.
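As an added example (not SAP code), the following Python code audits a role-to-action grant mapping against the resource table above and shows what the default grants imply for the clients role. The dictionary layout, the function names and the review policy that the guest-mapped clients role should hold no administration actions are assumptions made for this illustration; the sample grants are constructed.

```python
# Added illustration, not SAP code. Resource and action names are transcribed
# from the resource table on this page; the data layout is an assumption.
QTB = frozenset({"consumer", "produce", "browse"})
RESOURCE_ACTIONS = {
    "queue": QTB,
    "topic": QTB,
    "temporaryQueue": QTB,
    "temporaryTopic": QTB,
    "administration": frozenset({
        "create_temporary_topic", "create_temporary_queue", "create_topic",
        "create_queue", "create_subscription", "remove_topic",
        "remove_queue", "remove_subscription",
    }),
}
ROLES = ("administrators", "clients")


def default_grants():
    """Default state described on the page: both roles hold every action."""
    return {role: {res: set(acts) for res, acts in RESOURCE_ACTIONS.items()}
            for role in ROLES}


def audit(grants):
    """Return sorted (role, resource, action, reason) findings for a grant mapping."""
    findings = []
    for role, resources in grants.items():
        if role not in ROLES:
            findings.append((role, "*", "*", "unknown role"))
            continue
        for res, actions in resources.items():
            if res not in RESOURCE_ACTIONS:
                findings.append((role, res, "*", "unknown resource"))
                continue
            for act in actions:
                if act not in RESOURCE_ACTIONS[res]:
                    findings.append((role, res, act, "unknown action"))
                elif role == "clients" and res == "administration":
                    # Assumed review policy: clients maps to guests, so it
                    # should not hold administrative actions.
                    findings.append((role, res, act, "clients holds administrative action"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample: the default grants, then a reduced clients role.
    for finding in audit(default_grants()):
        print(finding)
    reduced = default_grants()
    reduced["clients"] = {"queue": {"consumer", "produce"}}
    print(audit(reduced))  # no findings
```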
Communication Protocols and Ports
The JMS provider differentiates between internal and external communication.
● JMS internal communication takes place within the J2EE Engine cluster. Because both JMS and the application operate in the same runtime, no extra security is necessary.
...
● External communication takes place using an SAP-proprietary binary format. The port used is obtained from the dispatcher. The default port is 5<instance id>10; however, you can change this port in the server port definitions. The protocol used for JMS can only be transferred using this port. When communicating over network boundaries, this port must be opened on the firewall. For more information, see J2EE Engine Ports.
No encryption is available on the JMS communication.
Data Storage
Configuration data and user data (messages) are stored in the database and are subject to the database protection mechanisms.