Data integrity of messages

To maintain data integrity, we can use various types of user exit programs to provide message digests or digital signatures for the messages.


Data integrity

    Implement data integrity in messages
    When we use TLS, the choice of CipherSpec determines the level of data integrity in the enterprise. If we use the IBM MQ Advanced Message Service (AMS), we can specify the integrity for a unique message.

    Implement data integrity in message exits

    A message can be digitally signed by a message exit at the sending end of a channel. The digital signature can then be checked by a message exit at the receiving end of a channel to detect whether the message has been deliberately modified.

    Some protection can be provided by using a message digest instead of a digital signature. A message digest might be effective against casual or indiscriminate tampering, but it does not prevent the more informed individual from changing or replacing the message, and generating a completely new digest for it. This is particularly true if the algorithm that is used to generate the message digest is a well-known one.

    Implement data integrity in send and receive exits
    On a message channel, message exits are more appropriate for providing this service because a message exit has access to a whole message. On an MQI channel, parameters on MQI calls might contain application data that needs to be protected and only send and receive exits can provide this protection.

    Implement data integrity in the API exit or API-crossing exit

    A message can be digitally signed by an API or API-crossing exit when the message is put by the sending application. The digital signature can then be checked by a second exit when the message is retrieved by the receiving application to detect whether the message has been deliberately modified.

    Some protection can be provided by using a message digest instead of a digital signature. A message digest might be effective against casual or indiscriminate tampering, but it does not prevent the more informed individual from changing or replacing the message, and generating a completely new digest for it. This is particularly true if the algorithm that is used to generate the message digest is a well-known one.
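
The limit of a plain message digest described in the message exit and API exit passages above, shown as an added example (not IBM MQ code and not an actual exit program). The function names, the 32-byte trailer layout and the sample messages are assumptions, and HMAC-SHA-256 with a shared secret key stands in for the digital signature, which would use an asymmetric key pair instead.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32-byte trailer appended to each message

def _split(wire: bytes):
    """Split a protected message into (payload, trailer); None if too short."""
    if len(wire) < TAG_LEN:
        return None
    return wire[:-TAG_LEN], wire[-TAG_LEN:]

def add_digest(payload: bytes) -> bytes:
    """Sending side: append an unkeyed SHA-256 message digest."""
    return payload + hashlib.sha256(payload).digest()

def check_digest(wire: bytes) -> bool:
    """Receiving side: recompute the digest and compare it with the trailer."""
    parts = _split(wire)
    return parts is not None and hmac.compare_digest(
        hashlib.sha256(parts[0]).digest(), parts[1])

def add_keyed_tag(payload: bytes, key: bytes) -> bytes:
    """Sending side: append an HMAC-SHA-256 tag computed with a secret key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def check_keyed_tag(wire: bytes, key: bytes) -> bool:
    """Receiving side: recompute the tag with the same key and compare."""
    parts = _split(wire)
    return parts is not None and hmac.compare_digest(
        hmac.new(key, parts[0], hashlib.sha256).digest(), parts[1])

def flip_bit(wire: bytes) -> bytes:
    """Casual tampering: alter the payload, leave the trailer untouched."""
    return bytes([wire[0] ^ 0x01]) + wire[1:]

def replace_message(new_payload: bytes) -> bytes:
    """Informed tampering: substitute the payload and regenerate the trailer
    with the well-known algorithm. No key is available to this party."""
    return add_digest(new_payload)

if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-use"   # constructed sample key
    original = b"PAY 100.00 TO ACCT 1111"        # constructed sample message
    forged = replace_message(b"PAY 900.00 TO ACCT 2222")
    print("digest, bit flipped:", check_digest(flip_bit(add_digest(original))))
    print("digest, replaced   :", check_digest(forged))
    print("keyed, replaced    :", check_keyed_tag(forged, key))
    print("keyed, untouched   :", check_keyed_tag(add_keyed_tag(original, key), key))
```

The receiving side accepts the replaced message when only a digest is checked, and rejects it when the check depends on a key that the party in the middle does not hold.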


Further information

See the section on Enable CipherSpecs for more information on ensuring data integrity.
