Network Deployment (Distributed operating systems), v8.0 > Applications > Service integration
Service integration security
Messaging security ensures that service integration bus users are authenticated, resources are protected by security checks, and messages are secured when they are in transit. Use these topics to learn how to secure the service integration bus and protect messages that are sent and received.
Security covers all of the following areas:
- Authenticate and authorizing users that attempt to connect to a bus, and use its resources.
- Secure communication transports between clients and messaging engines, and between messaging engines themselves.
- Authenticate peer messaging engines in a bus.
- Protect the message store with a user identity.
When a bus is created with bus security enabled, the following conditions apply:
- The bus requires client authentication.
- The bus enforces authorization policy.
- The bus requires use of SSL transport chains.
We can use secure transport connections to ensure the confidentiality and integrity of messages that are in transit between application clients, the bus, and between messaging engines. This is achieved by defining transport chains and then referencing the transport chain name as follows:
- For application client connections: from the connection factory administered objects.
- For connections to foreign buses: from the Target inbound transport chain property of the service integration bus link.
- For connections to WebSphere MQ: from the Transport chain property of the WebSphere MQ link.
- For connections between messaging engines: from the Inter-engine transport chain property of the bus.
See Secure transport configuration requirements.
When a secure bus is created, only SSL protected messaging chains are permitted. For example, you can use the InboundSecureMessaging transport chain.
In the routing properties for the service integration bus link for a foreign bus connection, the user ID applied to messages entering or leaving the foreign bus can be replaced by values specified by the Inbound user ID and Outbound user ID properties.
The ability to authenticate access to a foreign bus is provided by the Authentication alias property of the service integration bus link. We can specify an authentication alias at each end of the service integration bus link between two secure buses when you create each foreign bus connection. The user ID you specify in the authentication alias on each side of the link must be the same for authorization purposes. For example, consider a scenario where two messaging engines are connected by a service integration bus link. Messaging engine A presents the user ID and password to messaging engine B so that messaging engine B can authenticate messaging engine A. For details about creating a foreign bus connection, and therefore a service integration bus link, see Configure foreign bus connections.
- Service integration security planning
- Messaging security and multiple security domains
- Messaging security
- Security event logging
- Messaging security audit events
- Client authentication on a service integration bus
- Role-based authorization
- Destination security
- Mediations security
- Topic security
- Access control for multiple buses
- Message security in a service integration bus
Service integration technologies
Mediations
Bus configurations
Interconnected bus configurations
Configurations that include WebSphere MQ
Connect buses