Confidentiality


When an application puts a message on a queue whose quality of protection is specified as privacy, Access Manager for Business Integration encrypts the application data in the message using a randomly generated symmetric key. A copy of the symmetric key is encrypted with the public key of each of the intended receivers of the message. This action ensures that only an intended receiver can decrypt the application data. The intended receivers are specified as extended attributes of the queue in the protected object space.

Access Manager for Business Integration replaces the application data in the message with an Access Manager for Business Integration header followed by a data structure. The data structure conforms to the PKCS #7 cryptographic message syntax standard for signed and enveloped data, and includes:

When an application attempts to get the message from the queue, Access Manager for Business Integration decrypts the symmetric key using the private key of the actual receiver, and then decrypts the application data using the symmetric key. Access Manager for Business Integration also performs the checks for authentication and data integrity that are described in Identification and authentication. A quality of protection of privacy, therefore, implies integrity.

If Access Manager for Business Integration is not able to decrypt the application data for any reason, or if the authentication and data integrity checks fail, the MQGET call fails and the message is not delivered to the application. The message is put on the Access Manager for Business Integration error queue, or on the local dead letter queue if an error queue has not been created.

Access Manager for Business Integration supports five message content encryption algorithms:

STRONG: Triple DES with a 168-bit encryption key
MEDIUM: DES with a 56-bit encryption key
WEAK: RC2 with a 40-bit encryption key
AES128: AES with a 128-bit encryption key
AES256: AES with a 256-bit encryption key

You can specify the message content encryption algorithm to be used globally for all queues in the protected object space, and override the global selection by specifying a different algorithm for an individual queue. If you do not specify a message content encryption algorithm, STRONG is used by default.
