WebSphere Message Broker, Version 8.0.0.7 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

See information about the latest product version

Message flow security overview

WebSphere® Message Broker provides a security manager, which enables you to control access to individual messages in a message flow, using the identity of the message.

You can configure the broker to perform end-to-end processing of an identity carried in a message through a message flow. This capability enables you to configure security for a message flow, allowing you to control access based on the identity associated with the message and providing a security mechanism that is independent of both transport type and message format.

If you do not enable message flow security, the default security facilities in WebSphere Message Broker are based on the facilities provided by the transport mechanism. In this case, the broker processes all messages that are delivered to it, using the broker service identity as a proxy identity for all message instances. Any identity that is present in the incoming message is ignored.

Instead of delegating this authority to the transport mechanism, the security manager enables the broker to:
  • Extract the identity from an inbound message
  • Authenticate the identity (using an external security provider)
  • Map the identity to an alternative identity (using an external security provider)
  • Check that either the alternative identity or the original identity is authorized to access the message flow (using an external security provider)
  • Propagate either the alternative identity or the original identity with an outbound message.
The security functions that are associated with a message flow are controlled by using Security profiles, which are created by the broker administrator and accessed by the security manager at run time. The following external security providers (also known as Policy Decision Points or PDPs) are supported:
  • WS-Trust V1.3 compliant security token servers (including TFIM V6.2) for authentication, mapping, and authorization
  • Tivoli® Federated Identity Manager (TFIM) V6.1 for authentication, mapping, and authorization
  • Lightweight Directory Access Protocol (LDAP) for authentication and authorization

You can invoke message flow security by configuring either a security enabled input node or a SecurityPEP node. The SecurityPEP node enables you to invoke the message flow security manager at any point in the message flow between an input node and an output (or request) node.

For an overview of the sequence of events that occur when the message flow security manager is invoked using either a security enabled input node or a SecurityPEP node, see the following topics:
The input nodes that support message flow security are:
  • MQInput
  • HTTPInput
  • SCAInput
  • SCAAsyncResponse
  • SOAPInput
However, the support for treating security exceptions as normal exceptions is provided by only the MQInput, HTTPInput, SCAInput, and SCAAsyncResponse nodes; it is not available in the SOAPInput node.
The output nodes that support identity propagation are:
  • MQOutput
  • HTTPRequest
  • SCARequest
  • SCAAsyncRequest
  • SOAPRequest
  • SOAPAsyncRequest

If the message flow is a Web Service that is implemented by using the SOAP nodes, the identity can be taken from the WS-Security header tokens that are defined through appropriate Policy sets and bindings.

To improve performance, the authentication, authorization, and mapping information from the configured providers is cached for reuse. You can use the mqsireloadsecurity command to reload the security cache, and you can use the mqsichangeproperties command to set the expiry and sweep intervals for the security cache.

For a SOAPRequest and SOAPAsyncRequest node, an appropriate policy set and bindings can be defined to specify how the token is placed in the WS-Security header (rather than the underlying transport headers). For more information, see Policy sets.

The following topics in this section provide more detailed information about message flow security:

Notices | Trademarks | Downloads | Library | Support | Feedback

Copyright IBM Corporation 1999, 2016Copyright IBM Corporation 1999, 2016.

        
        Last updated:
        
        Last updated: 2016-05-23 14:47:24


Concept topicConcept topic | Version 8.0.0.7 | ap04090_