Data integrity in IBM MQ
We can use a data integrity service to detect whether a message has been modified.
Data integrity can be ensured in an IBM MQ environment as follows:
- We can use TLS to detect whether the contents of a message have been deliberately modified while it was being transmitted over a network. In TLS, the message digest algorithm provides detection of modified messages in transit.
  All IBM MQ CipherSpecs provide a message digest algorithm, except for TLS_RSA_WITH_NULL_NULL, which does not provide message data integrity.
  IBM MQ detects modified messages upon receiving them; on receiving a modified message, IBM MQ throws an AMQ9661 error message and the channel stops.
- While messages are stored on a local queue, the access control mechanisms provided by IBM MQ might be considered sufficient to prevent deliberate modification of the contents of the messages.
  However, for a greater level of security, we can use Advanced Message Security to detect whether the contents of a message have been deliberately modified between the time the message was put on the queue and the time it was retrieved from the queue.
  Upon detecting a modified message, the application attempting to receive the message receives a 2063 return code and, if using an MQGET call, the message is moved to the SYSTEM.PROTECTION.ERROR.QUEUE.
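The following is an added example (not IBM's code) that turns the two in-transit points above into a check: it audits channel CipherSpecs from captured `runmqsc` DISPLAY CHANNEL output for the no-digest TLS_RSA_WITH_NULL_NULL and for channels with no TLS at all, and it pulls the channel names out of AMQ9661 entries in the queue manager error log. Both input samples are constructed; the wording of the AMQ9661 log line and of the neighbouring messages is assumed, only the message id comes from this page.

```python
import re

# CipherSpecs that provide no message digest, i.e. no in-transit integrity check
# (the page names TLS_RSA_WITH_NULL_NULL as the sole one).
NO_INTEGRITY_CIPHERSPECS = {"TLS_RSA_WITH_NULL_NULL"}

# Constructed sample of runmqsc "DISPLAY CHANNEL(*) CHLTYPE SSLCIPH" output.
CHANNEL_DISPLAY = """\
AMQ8414I: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   SSLCIPH(ANY_TLS12_OR_HIGHER)
AMQ8414I: Display Channel details.
   CHANNEL(LEGACY.SDR)                     CHLTYPE(SDR)
   SSLCIPH(TLS_RSA_WITH_NULL_NULL)
AMQ8414I: Display Channel details.
   CHANNEL(PLAIN.RCVR)                     CHLTYPE(RCVR)
   SSLCIPH( )
"""

_CHANNEL_RE = re.compile(
    r"CHANNEL\((?P<name>[^)]+)\)\s+CHLTYPE\(\w+\)\s+SSLCIPH\((?P<cipher>[^)]*)\)"
)

def channels_without_integrity(display_text: str) -> dict:
    """Map each channel whose traffic is not integrity protected to the reason:
    'no TLS' when SSLCIPH is blank, 'no message digest' for a digest-less CipherSpec."""
    findings = {}
    for m in _CHANNEL_RE.finditer(display_text):
        cipher = m.group("cipher").strip()
        if not cipher:
            findings[m.group("name")] = "no TLS"
        elif cipher in NO_INTEGRITY_CIPHERSPECS:
            findings[m.group("name")] = "no message digest"
    return findings

# Constructed error-log fragment; the AMQ9661 wording and channel layout are assumed.
ERROR_LOG = """\
AMQ9209E: Connection to host 'qm2host' for channel 'TO.QM2' closed.
AMQ9661E: Integrity of message in transit compromised on channel 'LEGACY.SDR'.
AMQ9999E: Channel 'LEGACY.SDR' to host 'qm2host' ended abnormally.
"""

_AMQ9661_RE = re.compile(r"^AMQ9661E:.*?channel '(?P<name>[^']+)'", re.M)

def tampered_channels(log_text: str) -> list:
    """Channels on which IBM MQ reported AMQ9661 (modified message detected, channel stopped)."""
    return [m.group("name") for m in _AMQ9661_RE.finditer(log_text)]

if __name__ == "__main__":
    print(channels_without_integrity(CHANNEL_DISPLAY))  # {'LEGACY.SDR': 'no message digest', 'PLAIN.RCVR': 'no TLS'}
    print(tampered_channels(ERROR_LOG))                  # ['LEGACY.SDR']
```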