Identification and authentication
When an application puts a message on a queue whose quality of protection is specified as integrity, Access Manager for Business Integration replaces the application data in the message with an Access Manager for Business Integration header followed by a data structure.
The data structure conforms to the PKCS #7 cryptographic message syntax standard for signed data, and includes:
- The digital certificate of the sender
- The digital signature of the sender
- The original application data
When an application attempts to get the message from the queue, Access Manager for Business Integration performs the following checks:
- The digital certificate is validated by working through the certificate chain to the root CA certificate. This check provides assurance that the sender, identified by the Distinguished Name, is the genuine owner of the public key contained in the certificate.
- The digital signature is checked using the public key contained in the digital certificate. This check authenticates the sender.
If either of these checks fails, or if the message is not signed, the MQGET call fails and the message is not delivered to the application. The message is put on the Access Manager for Business Integration error queue, or on the local dead letter queue if an error queue has not been created.
Access Manager for Business Integration supports three algorithms for generating the message digest that is used to create a digital signature: MD2, MD5, and SHA-1. You can specify the message digest algorithm to be used globally for all queues in the protected object space, but you can override this global selection by specifying a different algorithm for an individual queue. If you do not specify a message digest algorithm, MD2 is used by default.
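The two checks performed on MQGET (chain validation to a trusted root CA, then signature verification with the public key from that certificate, with unsigned or failing messages diverted to an error queue) and the global-versus-per-queue digest selection, as an added Go example; this is not code from Access Manager for Business Integration or from IBM documentation. It assumes a plain struct as a stand-in for the PKCS #7 SignedData block (the product emits ASN.1), ECDSA keys generated in-process for the CA and the senders, constructed sample payloads, and a hypothetical `queueDigest` map for the per-queue override. SHA-1 and MD5 are used because they are two of the three digests the page lists and are in Go's standard library (MD2 is not).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"hash"
	"math/big"
	"time"
)

// SignedMessage is a simplified stand-in for the PKCS #7 SignedData that follows
// the product header: sender certificate, sender signature, original data.
type SignedMessage struct {
	SenderCertDER []byte
	Signature     []byte // ASN.1 ECDSA signature over the digest of Data; empty when unsigned
	Data          []byte
}

// Outcome of an MQGET on a queue protected at the "integrity" level.
type Outcome string

const (
	Delivered    Outcome = "delivered to application"
	ToErrorQueue Outcome = "routed to error queue"
)

// Hypothetical configuration shape: one global digest, optional per-queue overrides.
var globalDigest = sha1.New
var queueDigest = map[string]func() hash.Hash{"LEGACY.QUEUE": md5.New}

// digestFor hashes data with the digest configured for the queue (override wins).
func digestFor(queue string, data []byte) []byte {
	newHash := globalDigest
	if h, ok := queueDigest[queue]; ok {
		newHash = h
	}
	h := newHash()
	h.Write(data)
	return h.Sum(nil)
}

// protectPut is the producer side: sign the digest of the data and wrap it.
func protectPut(queue string, data, certDER []byte, key *ecdsa.PrivateKey) (*SignedMessage, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, digestFor(queue, data))
	if err != nil {
		return nil, err
	}
	return &SignedMessage{SenderCertDER: certDER, Signature: sig, Data: data}, nil
}

// checkGet is the consumer side: the two checks from the text, in order.
func checkGet(queue string, msg *SignedMessage, roots *x509.CertPool) (Outcome, string) {
	if msg == nil || len(msg.Signature) == 0 {
		return ToErrorQueue, "message is not signed"
	}
	cert, err := x509.ParseCertificate(msg.SenderCertDER)
	if err != nil {
		return ToErrorQueue, "sender certificate cannot be parsed"
	}
	// Check 1: walk the chain up to a trusted root CA (also enforces validity dates).
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return ToErrorQueue, "certificate chain validation failed: " + err.Error()
	}
	// Check 2: verify the signature with the public key from that certificate.
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digestFor(queue, msg.Data), msg.Signature) {
		return ToErrorQueue, "digital signature check failed"
	}
	return Delivered, "sender " + cert.Subject.String()
}

// newCert issues a certificate; parent == nil produces a self-signed root CA.
func newCert(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, []byte) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	signer := parentKey
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, der
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// RunScenarios exercises a good message, tampered data, a sender certificate from an
// untrusted CA, and an unsigned message, returning the outcome of each MQGET.
func RunScenarios() map[string]Outcome {
	caKey, senderKey, rogueCAKey, rogueKey := genKey(), genKey(), genKey(), genKey()
	rootCert, _ := newCert("Trusted Root CA", caKey, nil, nil)
	_, senderDER := newCert("app.sender", senderKey, rootCert, caKey)
	rogueRoot, _ := newCert("Rogue CA", rogueCAKey, nil, nil)
	_, rogueDER := newCert("app.sender", rogueKey, rogueRoot, rogueCAKey)
	roots := x509.NewCertPool()
	roots.AddCert(rootCert)

	queue, data := "ORDERS.QUEUE", []byte("constructed sample payload: ORDER 42")
	good, _ := protectPut(queue, data, senderDER, senderKey)
	tampered, _ := protectPut(queue, data, senderDER, senderKey)
	tampered.Data = []byte("constructed sample payload: ORDER 43") // altered in transit
	rogue, _ := protectPut(queue, data, rogueDER, rogueKey)
	unsigned := &SignedMessage{SenderCertDER: senderDER, Data: data}

	out := map[string]Outcome{}
	for name, m := range map[string]*SignedMessage{"good": good, "tampered": tampered, "rogue": rogue, "unsigned": unsigned} {
		o, reason := checkGet(queue, m, roots)
		fmt.Printf("%-8s -> %s (%s)\n", name, o, reason)
		out[name] = o
	}
	return out
}

func main() { RunScenarios() }
```

Only the "good" message reaches the application; the other three carry a reason string that a consumer would log alongside the error-queue (or dead-letter-queue) routing, which is where a detection rule for repeated chain or signature failures on one queue would hook in.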