Introduction


Access Manager for Business Integration is a separate product, available from IBM. It is part of WebSphere MQ Extended Security Edition, but is not supplied with the WebSphere MQ base product. Access Manager for Business Integration provides application level security services for both MQ applications and MQ client (C and JMS) applications. These security services protect WebSphere MQ messages while they are stored in queues and while they are flowing across a network. From a single point of control, an administrator can configure and maintain security services to protect WebSphere MQ resources belonging to more than one queue manager and across multiple systems.

Access Manager for Business Integration uses Public Key Infrastructure (PKI) technology to provide authentication, authorization, confidentiality, and data integrity services for messages. Access Manager for Business Integration also provides client channel authentication and authorization services to secure client connections at the channel level.

Access Manager for Business Integration has its own access control lists to control who can gain access to messages that are stored in queues. WebSphere MQ applications require no modification, recompilation, or relinking in order to implement Access Manager for Business Integration. For MQ applications, security services are invoked by the Access Manager for Business Integration API exit implementation. For applications using the MQI C and JMS client APIs, security services are invoked by corresponding interceptors, which intercept calls to those APIs.

For client channels, Access Manager for Business Integration provides a security exit on the server side, which lets administrators tightly control which clients are allowed to connect to production servers. Authentication using this security exit requires the client to present a client certificate and requires an SSL connection between each MQ client and server.

Access Manager for Business Integration is available on the following platforms:

Every queue manager and queue that is protected by Access Manager for Business Integration is represented in the Access Manager protected object space. Each queue manager and queue in the protected object space can have an associated access control list. This list specifies which application or user, represented as an OS ID, can put messages on the queue and get messages from the queue. For more information about the access control list, see Access control.

Each queue can also have a protected object policy (POP), which specifies the quality of protection (QoP) that is required for the messages that are put on the queue. The quality of protection for a queue can be one of the following:

none

No cryptographic protection is required for the messages in the queue. When a message is put on the queue, no Access Manager for Business Integration header is added to the message. When a message is retrieved from the queue, an Access Manager for Business Integration header is not expected. This quality of protection is appropriate, for example, when messages are being sent to, or arrive from, a queue manager whose queues are not protected by Access Manager for Business Integration.

integrity

The messages in the queue are digitally signed. For more information about this quality of protection, see Identification and authentication and Data integrity.

privacy

The messages in the queue are encrypted and digitally signed. For more information about this quality of protection, see Confidentiality.

The protected object policy also specifies the audit level for the queue. For more information about the audit level, see Non-repudiation.
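The following Python model is an added example, not code from the product or from the original topic. It shows how the access control list and the protected object policy described above combine on put and get: the OS ID is checked against the queue ACL first, then the quality of protection decides whether a header is added, a signature verified, or the body decrypted, and what happens when a message that does not match the queue's POP is retrieved (an unprotected message on a privacy queue, a tampered body on an integrity queue). HMAC-SHA256 stands in for the PKI digital signature, a SHA-256 keystream stands in for the product's encryption, and the AMBI header layout, queue names and OS IDs are constructed for illustration.

```python
"""Toy model of Access Manager for Business Integration protected-object
semantics: a per-queue ACL keyed by OS ID, plus a protected object policy
(POP) whose quality of protection is none, integrity or privacy.

Constructed example, not product code. HMAC-SHA256 stands in for the PKI
digital signature and a SHA-256 keystream stands in for encryption; the
header layout (AMBI magic + JSON) is invented for illustration.
"""
import hashlib
import hmac
import json
import secrets

MAGIC = b"AMBI"  # hypothetical marker that a protection header follows


class AccessDenied(Exception):
    """The ACL does not grant this OS ID the requested action."""


class ProtectionError(Exception):
    """The message does not satisfy the queue's quality of protection."""


class ProtectedQueue:
    def __init__(self, name, qop, acl, key):
        if qop not in ("none", "integrity", "privacy"):
            raise ValueError(qop)
        self.name, self.qop, self.acl, self.key = name, qop, acl, key
        self.messages = []  # what actually sits on the queue, as bytes

    def _authorize(self, os_id, action):
        if action not in self.acl.get(os_id, set()):
            raise AccessDenied(f"{os_id} may not {action} on {self.name}")

    def _keystream(self, nonce, length):
        # SHA-256 in counter mode: stand-in for real symmetric encryption
        out, counter = b"", 0
        while len(out) < length:
            out += hashlib.sha256(self.key + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:length]

    def _mac(self, qop, signer, nonce, body):
        # Stand-in for the digital signature; binds QoP and signer to the body
        return hmac.new(self.key, qop.encode() + signer.encode() + nonce + body,
                        hashlib.sha256).digest()

    def put(self, os_id, payload):
        self._authorize(os_id, "put")
        if self.qop == "none":
            self.messages.append(payload)  # no header is added
            return
        nonce = secrets.token_bytes(16)
        body = payload
        if self.qop == "privacy":
            body = bytes(p ^ k for p, k in zip(payload, self._keystream(nonce, len(payload))))
        header = json.dumps({"qop": self.qop, "signer": os_id, "nonce": nonce.hex(),
                             "sig": self._mac(self.qop, os_id, nonce, body).hex()}).encode()
        self.messages.append(MAGIC + len(header).to_bytes(4, "big") + header + body)

    def get(self, os_id):
        self._authorize(os_id, "get")
        msg = self.messages.pop(0)
        if self.qop == "none":
            return None, msg  # no header expected, nothing checked
        if not msg.startswith(MAGIC):
            raise ProtectionError("unprotected message on a protected queue")
        hlen = int.from_bytes(msg[4:8], "big")
        header = json.loads(msg[8:8 + hlen])
        body = msg[8 + hlen:]
        if header["qop"] != self.qop:
            raise ProtectionError(f"message QoP {header['qop']} != queue QoP {self.qop}")
        nonce = bytes.fromhex(header["nonce"])
        expected = self._mac(header["qop"], header["signer"], nonce, body)
        if not hmac.compare_digest(expected, bytes.fromhex(header["sig"])):
            raise ProtectionError("signature check failed")
        if self.qop == "privacy":
            body = bytes(c ^ k for c, k in zip(body, self._keystream(nonce, len(body))))
        return header["signer"], body


def demo():
    """Exercise the ACL and each QoP; returns outcomes the caller can check."""
    key = hashlib.sha256(b"constructed demo key").digest()
    acl = {"mqapp": {"put", "get"}, "auditor": {"get"}}  # constructed OS IDs
    r = {}
    q_none = ProtectedQueue("Q.NONE", "none", acl, key)
    q_none.put("mqapp", b"hello")
    r["none_roundtrip"] = q_none.get("auditor")[1]
    q_int = ProtectedQueue("Q.INT", "integrity", acl, key)
    try:
        q_int.put("auditor", b"x")          # auditor has get only
    except AccessDenied:
        r["acl_denied"] = True
    q_int.put("mqapp", b"invoice 42")
    r["integrity_signer"], r["integrity_payload"] = q_int.get("auditor")
    q_int.put("mqapp", b"invoice 42")
    stored = q_int.messages[0]
    q_int.messages[0] = stored[:-1] + bytes([stored[-1] ^ 0x01])  # flip a body bit
    try:
        q_int.get("auditor")
    except ProtectionError:
        r["tamper_detected"] = True
    q_priv = ProtectedQueue("Q.PRIV", "privacy", acl, key)
    q_priv.put("mqapp", b"card 4111")
    r["ciphertext_hides_payload"] = b"card 4111" not in q_priv.messages[0]
    r["privacy_payload"] = q_priv.get("mqapp")[1]
    q_priv.messages.append(b"plain unprotected message")  # arrived without a header
    try:
        q_priv.get("mqapp")
    except ProtectionError:
        r["unprotected_rejected"] = True
    return r


if __name__ == "__main__":
    print(demo())
```

The `none` queue returns whatever bytes were stored, which is why it is the right setting for traffic exchanged with a queue manager that is not protected: a protected queue, by contrast, refuses a message that carries no header rather than handing unverified data to the application.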
