Configuration

You must configure the administration tool with values for the following three properties:

INITIAL_CONTEXT_FACTORY

This indicates the service provider that the tool uses. There are three explicitly supported values for this property:

com.sun.jndi.ldap.LdapCtxFactory (for LDAP)
com.sun.jndi.fscontext.RefFSContextFactory (for file system context)
com.ibm.websphere.naming.WsnInitialContextFactory (to work with WebSphere Application Server's CosNaming repository)

On z/OS & OS/390, com.ibm.jndi.LDAPCtxFactory is also supported and provides access to an LDAP server. However, note that it is incompatible with com.sun.jndi.ldap.LdapCtxFactory, in that objects created using one InitialContextFactory cannot be read or modified using the other.

You can also use an InitialContextFactory that is not in the list above. See Using an unlisted InitialContextFactory for more details.

PROVIDER_URL

This indicates the URL of the session's initial context, the root of all JNDI operations carried out by the tool. Three forms of this property are currently supported:

ldap://hostname/contextname (for LDAP)
file:[drive:]/pathname (for file system context)
iiop://hostname[:port] /[?TargetContext=ctx] (to access "base" WebSphere Application Server CosNaming namespace)

SECURITY_AUTHENTICATION

This indicates whether JNDI passes over security credentials to your service provider. This property is used only when an LDAP service provider is used. This property can currently take one of three values:

none (anonymous authentication)
simple (simple authentication)
CRAM-MD5 (CRAM-MD5 authentication mechanism)

If a valid value is not supplied, the property defaults to none. See Security for more details about security with the administration tool.

These properties are set in a configuration file. When you invoke the tool, you can specify this configuration by using the -cfg command-line parameter, as described in Invoking the Administration tool. If you do not specify a configuration file name, the tool attempts to load the default configuration file (JMSAdmin.config). It looks for this file first in the current directory, and then in the <MQ_JAVA_INSTALL_PATH>/bin directory, where "<MQ_JAVA_INSTALL_PATH>" is the path to your WebSphere MQ JMS installation.

The configuration file is a plain-text file that consists of a set of key-value pairs, separated by an "=". This is shown in the following example:

#Set the service provider
    INITIAL_CONTEXT_FACTORY=com.sun.jndi.ldap.LdapCtxFactory
#Set the initial context
    PROVIDER_URL=ldap://polaris/o=ibm_us,c=us
#Set the authentication type
    SECURITY_AUTHENTICATION=none

(A "#" in the first column of the line indicates a comment, or a line that is not used.)

The installation comes with a sample configuration file that is called JMSAdmin.config, and is found in the <MQ_JAVA_INSTALL_PATH>/bin directory. Edit this file to suit the setup of your system.

Using an unlisted InitialContextFactory

You can use the administration tool to connect to JNDI contexts other than those listed in Configuration by using three parameters defined in the JMSAdmin configuration file.

To use a different InitialContextFactory:

Set the INITIAL_CONTEXT_FACTORY property to the required class name.
Define the behavior of the InitialContextFactory using the USE_INITIAL_DIR_CONTEXT, NAME_PREFIX and NAME_READABILITY_MARKER properties.

The settings for these properties are described in the sample configuration file comments.

You do not need to define the three properties listed here, if you use one of the supported INITIAL_CONTEXT_FACTORY values. However, you can give them values to override the system defaults. If one or more of the three InitialContextFactory properties is omitted, the administration tool provides suitable defaults based on the values of the other properties.

Security

Administrators need to know about the effect of the SECURITY_AUTHENTICATION property described in Configuration.

If this parameter is set to none, JNDI does not pass any security credentials to the service provider, and "anonymous authentication" is performed.
If the parameter is set to either simple or CRAM-MD5, security credentials are passed through JNDI to the underlying service provider. These security credentials are in the form of a user distinguished name (User DN) and password.

If security credentials are required, then the user will be prompted for these when the tool initializes. This can be avoided by setting the PROVIDER_USERDN and PROVIDER_PASSWORD properties in the JMSAdmin configuration file.

Note:: If you do not use these properties, the text typed, including the password, is echoed to the screen. This may have security implications.

The tool does no authentication itself; the task is delegated to the LDAP server. It is the responsibility of the LDAP server administrator to set up and maintain access privileges to different parts of the directory. If authentication fails, the tool displays an appropriate error message and terminates.

More detailed information about security and JNDI is in the documentation at Sun's Java web site (http://java.sun.com).

Configuring for WebSphere Application Server V3.5

For the administration tool (or any client application that needs to do subsequent lookups) to work with WebSphere Application Server's CosNaming repository, you require the following configuration:

CLASSPATH must include WebSphere Application Server's JNDI-related jar files:
- For WebSphere Application Server V3.5:
```
<WSAppserver>\lib\ujc.jar
```
PATH for WebSphere Application Server V.3.5 must include:
```
<WSAppserver>\jdk\jre\bin
```
where <WSAppserver> is the install path for WebSphere Application Server.