Security in IBM MQ
In IBM MQ, there are several methods of providing security: the authorization service interface; user-written or third-party channel exits; channel security using Transport Layer Security (TLS); channel authentication records; and message security.
Authorization service interface
Authorization for using MQI calls, commands, and access to objects is provided by the object authority manager (OAM), which by default is enabled. Access to IBM MQ entities is controlled through IBM MQ user groups and the OAM. Administrators can use a command-line interface to grant or revoke authorizations as required.
For more information about creating authorization service components, see Set up security on Windows, UNIX and Linux systems.
User-written or third party channel exits
Channels can use user-written or third party channel exits. For more information, see Channel-exit programs for messaging channels.
Channel security using TLS
The Transport Layer Security (TLS) protocol provides industry-standard channel security, with protection against eavesdropping, tampering, and impersonation.
TLS uses public key and symmetric techniques to provide message confidentiality and integrity, and mutual authentication.
For a comprehensive review of security in IBM MQ including detailed information about TLS, see Securing. For an overview of TLS, including pointers to the commands described in this section, see Cryptographic security protocols: TLS.
Channel authentication records
Use channel authentication records to exercise precise control over the access granted to connecting systems at a channel level. For more information, see Channel authentication records.
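The following MQSC script is an added example, not part of the original IBM topic. It shows the OAM, channel TLS, and channel authentication records described above applied together to one client channel. The channel `APP.SVRCONN`, queue `APP.REQUEST`, group `appgrp`, user `appsvc`, the certificate DN, and the `192.0.2.*` range are all constructed. It uses the MQSC `SET AUTHREC` command for the OAM grants, and assumes `appsvc` is a member of `appgrp`.

```mqsc
* Added example. All object, user, group, DN and address values are
* constructed placeholders; replace them with your own.

* Channel security using TLS: require a CipherSpec and a client
* certificate, so that the partner is authenticated before CHLAUTH runs.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(ECDHE_RSA_AES_256_GCM_SHA384) SSLCAUTH(REQUIRED) REPLACE

* Channel authentication records: make sure they are enforced.
ALTER QMGR CHLAUTH(ENABLED)

* Default deny for this channel, whatever the source address.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) ACTION(REPLACE)

* Allow only the expected certificate from the expected network, and
* run the connection as a fixed, non-administrative user.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=app01,O=Example') ADDRESS('192.0.2.*') +
    USERSRC(MAP) MCAUSER('appsvc') ACTION(REPLACE)

* OAM: grant the group only what the application needs.
SET AUTHREC OBJTYPE(QMGR) GROUP('appgrp') AUTHADD(CONNECT, INQ)
SET AUTHREC PROFILE('APP.REQUEST') OBJTYPE(QUEUE) GROUP('appgrp') +
    AUTHADD(PUT, GET, INQ)

* Checks: which CHLAUTH record would a given connection match, and
* what authority is actually recorded for the queue?
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('192.0.2.10') +
    SSLPEER('CN=app01,O=Example') CLNTUSER('anyone')
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('198.51.100.7') +
    SSLPEER('CN=other,O=Example') CLNTUSER('anyone')
DISPLAY AUTHREC PROFILE('APP.REQUEST') OBJTYPE(QUEUE)
```

The first `RUNCHECK` should report the `SSLPEERMAP` record with `MCAUSER(appsvc)`; the second should fall through to the `USERSRC(NOACCESS)` address map.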
Message security
Use Advanced Message Security, which is a separately installed and licensed component of IBM MQ, to provide cryptographic protection to messages sent and received using IBM MQ. See Advanced Message Security.
- IBM MQ .NET managed client TLS support
The IBM MQ .NET fully managed client provides Transport Layer Security (TLS) support that is based on the Microsoft .NET SSLStreams kit. This is different from the other IBM MQ clients, which are based on GSKit.