Access Manager for Business Integration

 


Access Manager for Business Integration is a separate product that is not supplied with WebSphere MQ. It provides application-level security services, which protect WebSphere MQ messages while they are stored in queues and while they are flowing across a network. From a single point of control, an administrator can configure and maintain security services to protect WebSphere MQ resources belonging to more than one queue manager.

Access Manager for Business Integration uses Public Key Infrastructure (PKI) technology to provide authentication, confidentiality, and data integrity services for messages. Access Manager for Business Integration has its own access control lists to control who can gain access to messages that are stored in queues.

WebSphere MQ applications require no modification, recompilation, or relinking in order to implement Access Manager for Business Integration. Security services are invoked by an MQI interceptor that intercepts calls to the MQI. The MQI interceptor might intercept the input parameters of a call, the output parameters of a call, or both.

Access Manager for Business Integration is available on the following platforms:

  • AIX
  • Solaris
  • Windows NT
  • Windows 2000
  • z/OS and OS/390

Every queue that is protected by Access Manager for Business Integration is represented in the protected object space. Each queue in the protected object space has an associated access control list, which specifies who can put messages on the queue and who can get messages from the queue. For more information about the access control list, see Access control.

Each queue also has a protected object policy (POP), which specifies the quality of protection (QoP) that is required for the messages that are put on the queue. The quality of protection for a queue can be one of the following:

none

No cryptographic protection is required for the messages in the queue. When a message is put on the queue, no Access Manager for Business Integration header is added to the message. When a message is retrieved from the queue, an Access Manager for Business Integration header is not expected. This quality of protection is appropriate, for example, when messages are being sent to, or arrive from, a queue manager whose queues are not protected by Access Manager for Business Integration.

integrity

The messages in the queue are digitally signed. For more information about this quality of protection, see Identification and authentication and Data integrity.

privacy

The messages in the queue are encrypted and digitally signed. For more information about this quality of protection, see Confidentiality.

The protected object policy also specifies the audit level for the queue. For more information about the audit level, see Non-repudiation.
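The put and get enforcement described above, modeled as an added Python example; it is not the product's code or API. Assumptions: the `Interceptor` and `QueuePolicy` names and the header layout are hypothetical, HMAC-SHA256 with a constructed key stands in for the PKI digital signature, the privacy level is left out, and rejecting a headerless message on an integrity queue is assumed behaviour.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

MAGIC = b"DEMOHDR1"            # constructed marker, not the product's header format
KEY = b"constructed-demo-key"  # assumption: HMAC stands in for a PKI signature

@dataclass
class QueuePolicy:
    qop: str                                     # "none" or "integrity"
    put_acl: set = field(default_factory=set)    # who can put messages
    get_acl: set = field(default_factory=set)    # who can get messages

def _sign(signer: bytes, body: bytes) -> bytes:
    return hmac.new(KEY, signer + b"\0" + body, hashlib.sha256).digest()

class Interceptor:
    """Hypothetical wrapper around put/get; the calling application is unchanged."""

    def __init__(self, policies):
        self.policies = policies                     # queue name -> QueuePolicy
        self.queues = {name: [] for name in policies}

    def put(self, user: str, queue: str, body: bytes) -> None:
        pol = self.policies[queue]
        if user not in pol.put_acl:
            raise PermissionError(f"{user} may not put to {queue}")
        if pol.qop == "integrity":                   # prepend header: signer + tag
            who = user.encode()
            body = MAGIC + bytes([len(who)]) + who + _sign(who, body) + body
        self.queues[queue].append(body)              # QoP none: no header added

    def get(self, user: str, queue: str):
        pol = self.policies[queue]
        if user not in pol.get_acl:
            raise PermissionError(f"{user} may not get from {queue}")
        raw = self.queues[queue].pop(0)
        if pol.qop == "none":
            return None, raw                         # no header expected, sender unverified
        if not raw.startswith(MAGIC) or len(raw) <= len(MAGIC):
            raise ValueError("header missing on an integrity queue")  # assumed behaviour
        off = len(MAGIC) + 1
        n = raw[off - 1]                             # length of the signer name
        who, tag, body = raw[off:off + n], raw[off + n:off + n + 32], raw[off + n + 32:]
        if not hmac.compare_digest(tag, _sign(who, body)):
            raise ValueError("signature check failed")
        return who.decode(), body
```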

 
