Security considerations for IBM MQ bridge for HTTP

Standard web security considerations apply to authenticating a web browser client. Authorization to IBM MQ resources is at the level of the user running the IBM MQ bridge for HTTP servlet, and not the individual web browser client. Standard IBM MQ security considerations apply to IBM MQ.

Data flowing from a web browser to an IBM MQ application using IBM MQ bridge for HTTP, and back, takes three steps:

    Client connection
    From the browser to the IBM MQ bridge for HTTP over a TCP/IP connection using HTTP.

    Resource adapter connection to IBM MQ
    The connection is from the IBM MQ bridge for HTTP to an IBM MQ queue manager. The connection is either a client connection, over TCP/IP, or a local IBM MQ bindings connection. Once the connection is made, the HTTP request is placed on a standard local queue or a transmission queue.

    From the IBM MQ local queue over one or more channels, to the target queue.
    Apply standard techniques for securing queues, topics, queue managers, and channels.

The reply takes the steps in reverse.


Client connection

Secure connections between HTTP clients and the application server using the web container. Use standard HTTP server techniques, such as using HTTPS. Refer to the documentation for your application server for information.


Resource adapter connection to IBM MQ

The connection between the resource adapter and queue manager is authorized using only a single user ID. Assign a single user ID to identify requests from the IBM MQ bridge for HTTP. Restrict the IBM MQ authorizations of that user ID to only the resources that external users must have access to. You must authenticate the actual client separately, and establish trust for successive interactions with the client, using standard techniques for web security.

Secure the connection between the resource adapter and the queue manager using the single user ID. Restrict the authorities the user ID has to no more than needed to read and write messages to queues and topics. The IBM MQ bridge for HTTP is a point of attack between the internet and your intranet.

How you secure the connection between your resource adapter and IBM MQ is dependent on your specific resource adapter. Refer to the documentation for the resource adapter.
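
One way to check that the bridge user ID holds no more authority than it needs is to compare a dump of its authority records against an allow-list. The following is an added example, not part of the IBM MQ documentation. It assumes the stanza layout printed by dmpmqaut; the user ID httpbrdg, the queue names and the policy are hypothetical.

```python
# Added example: least-privilege audit of the bridge user ID's authorities.
# Assumption: input uses the stanza layout printed by dmpmqaut.
BRIDGE_USER = "httpbrdg"  # hypothetical user ID for the bridge
# Hypothetical policy: (object type, profile) -> authorities the bridge needs.
POLICY = {
    ("qmgr", "self"): {"connect", "inq"},
    ("queue", "HTTP.REQUEST"): {"put", "inq"},
    ("queue", "HTTP.REPLY"): {"get", "browse", "inq"},
}
FIELDS = {"profile", "object type", "entity", "entity type", "authority"}
# Constructed sample, not taken from a real queue manager.
SAMPLE = """\
profile:     HTTP.REPLY
object type: queue
entity:      httpbrdg
entity type: principal
authority:   get browse inq clr
- - - - - - - -
profile:     SYSTEM.ADMIN.COMMAND.QUEUE
object type: queue
entity:      httpbrdg
entity type: principal
authority:   put inq
"""

def parse_stanzas(text):
    """Yield one dict per authority record; any non-field line ends a record."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in FIELDS:
            record[key.strip()] = value.strip()
        elif record:
            yield record
            record = {}
    if record:
        yield record

def excess_authorities(text, user=BRIDGE_USER, policy=POLICY):
    """Return (object type, profile, extras) for the user's grants beyond policy."""
    findings = []
    for rec in parse_stanzas(text):
        key = (rec.get("object type"), rec.get("profile"))
        granted = set(rec.get("authority", "").split()) - {"none"}
        extra = sorted(granted - policy.get(key, set()))
        if rec.get("entity") == user and extra:
            findings.append((*key, extra))
    return findings
```

A profile that is absent from the policy is reported with every authority it grants, so access to objects the bridge was never meant to reach shows up as well as extra rights on expected queues.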