Providing your own application level security

We can provide your own application level security services. To help you implement application level security, IBM MQ provides two exits, the API exit and the API-crossing exit.

The API exit and the API-crossing exit can provide identification and authentication, access control, confidentiality, data integrity, and non-repudiation services, and other functions not related to security.

If the API exit or API-crossing exit is not supported in the system environment, you might want to consider other ways of providing your own application level security. One way is to develop a higher level API that encapsulates the MQI. Programmers then use this API, instead of the MQI, to write IBM MQ applications.

The most common reasons for using a higher level API are:

To hide the more advanced features of the MQI from programmers.
To enforce standards in the use of the MQI.
To add function to the MQI. This additional function can be security services.

Some vendor products use this technique to provide application level security for IBM MQ.

If we are planning to provide security services in this way, note the following regarding data conversion:

If a security token, such as a digital signature, has been added to the application data in a message, any code performing data conversion must be aware of the presence of this token.
A security token might have been derived from a binary image of the application data. Therefore, any checking of the token must be done before converting the data.
If the application data in a message has been encrypted, it must be decrypted before data conversion.

Parent topic: Application level security