WebSphere MQ Everyplace provides an integrated set of security features enabling the protection of message data both when held locally and when being transferred.
WebSphere MQ Everyplace provides security under three different categories:
WebSphere MQ Everyplace local and message-level security are used internally by WebSphere MQ Everyplace, but are also made available to WebSphere MQ Everyplace applications. WebSphere MQ Everyplace queue-based security is an internal service.
The WebSphere MQ Everyplace security features of all three categories protect message data by means of an attribute (an MQeAttribute). Depending on the category, the attribute is applied either externally, by the application, or internally, by WebSphere MQ Everyplace itself.
Each attribute can contain the following:
These elements are used differently, depending on the WebSphere MQ Everyplace security category, but in all cases the WebSphere MQ Everyplace security feature's protection is applied when the attribute attached to a message is invoked. Chapter 7, Security, of the WebSphere MQ Everyplace Application Programming Guide provides more information on the above elements and Chapter 6, Configuration using administration messages, of the WebSphere MQ Everyplace Configuration Guide describes how to write your own authenticator.
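The following is an added illustration, written for this page in Python rather than the MQe Java API, of how an attribute's elements are invoked when a message is put and got. It assumes the elements are an authenticator, a cryptor and a compressor, as in the MQeAttribute model; the class names, the zlib compressor, the HMAC-based keystream cryptor and the keyed-MAC authenticator are all my own stand-ins and not MQe code (MQe authenticators identify entities, for example by mini-certificate; the MAC here only shows where integrity checking sits in the pipeline). The point it demonstrates is the ordering: on put the elements run compress, then encrypt, then authenticate; on get they run in reverse, so a modified message is rejected before anything is decrypted.

```python
import hashlib
import hmac
import secrets
import zlib

class Compressor:  # compressor element, modelled with zlib (assumption: MQe's own compressors differ)
    def encode(self, data):
        return zlib.compress(data)
    def decode(self, data):
        return zlib.decompress(data)

class Cryptor:  # cryptor element, modelled as a toy stream cipher (HMAC-SHA256 keystream in counter mode)
    def __init__(self, key):
        self.key = key
    def _keystream(self, nonce, length):
        blocks = (hmac.new(self.key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(-(-length // 32)))  # ceil(length / 32) blocks
        return b"".join(blocks)[:length]
    def encode(self, data):
        nonce = secrets.token_bytes(16)  # fresh nonce per message, sent in clear
        return nonce + bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
    def decode(self, data):
        nonce, body = data[:16], data[16:]
        return bytes(a ^ b for a, b in zip(body, self._keystream(nonce, len(body))))

class Authenticator:  # authenticator element, modelled as a keyed MAC over the protected bytes
    def __init__(self, key):
        self.key = key
    def encode(self, data):
        return data + hmac.new(self.key, data, hashlib.sha256).digest()
    def decode(self, data):
        body, tag = data[:-32], data[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            raise ValueError("message authentication failed")
        return body

class Attribute:
    """Attribute = authenticator + cryptor + compressor, each optional. Put runs
    compress -> encrypt -> authenticate; get runs the same elements in reverse,
    so a forged or altered message fails authentication before decryption."""
    def __init__(self, authenticator=None, cryptor=None, compressor=None):
        self.elements = [e for e in (compressor, cryptor, authenticator) if e is not None]
    def encode(self, payload):
        for element in self.elements:
            payload = element.encode(payload)
        return payload
    def decode(self, payload):
        for element in reversed(self.elements):
            payload = element.decode(payload)
        return payload

def demo():
    attr = Attribute(Authenticator(b"auth-key"), Cryptor(b"enc-key"), Compressor())
    message = b"ORDER 42: 100 x widget" * 4  # constructed sample payload
    wire = attr.encode(message)
    tampered = bytearray(wire)
    tampered[16] ^= 1  # flip one bit of the ciphertext
    try:
        attr.decode(bytes(tampered))
        rejected = False
    except ValueError:
        rejected = True
    return {"roundtrip": attr.decode(wire) == message,
            "tampered_rejected": rejected,
            "plaintext_visible": message[:5] in wire}
```

The same Attribute class serves whichever category applies it: an application attaches it to a message for message-level protection, while a queue-based attribute is attached by the queue manager; in both cases the protection happens at the moment the attribute is invoked, not when the message is created.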
The registry is the main store for queue manager-related information. Each queue manager has at least one registry. Every queue manager uses the registry to hold its:
Registry information is stored using an adapter, usually the MQeDiskFields adapter. Chapter 8, Security, of the WebSphere MQ Everyplace Application Programming Guide provides detailed information on the registry.
This section does not apply to the C codebase.
As every entity needs its own credentials to be authenticated, we need to know:
The private registry enables the secure management of an entity's private credentials, and the public registry manages a set of public credentials. The private registry provides a base registry with a secure or cryptographic token. For example, it can serve as a secure repository for public elements such as mini-certificates and for private elements such as private keys.
The private registry allows only authorized users to access the private elements. Normally, only the legitimate queue manager user can access the registry, using a PIN. Configuration options let you bypass the PIN check, but doing so leaves the private elements protected only by whatever controls the underlying store (currently the local file system) provides, so bypass it only where that is acceptable.
The private registry provides support for services, for example digital signature and RSA decryption, in such a way that the private objects never leave the private registry. By providing a common interface, it hides the underlying device support, which currently is restricted to the local file system. Chapter 8, Security, of the WebSphere MQ Everyplace Application Programming Guide provides detailed information on the private registry and credentials.
WebSphere MQ Everyplace provides default services that support auto-registration. These services are automatically triggered when an authenticatable entity is configured, for example when a queue manager is started or when a new queue is defined. In both cases registration is triggered and new credentials are created and stored in the entity's private registry. Therefore, auto-registration provides a simple mechanism to establish credentials for message-level protection.
Auto-registration steps include:
Assuming the mini-certificate server is configured and available, it returns the entity's new mini-certificate, along with its own. These certificates and the protected private key are stored in the entity's private registry as its new credentials. Chapter 8, Security, of the WebSphere MQ Everyplace Application Programming Guide provides detailed information on auto-registration.
WebSphere MQ Everyplace provides default services that enable WebSphere MQ Everyplace components to share mini-certificates. The WebSphere MQ Everyplace public registry provides a publicly accessible repository for mini-certificates. This is analogous to the personal telephone directory on a mobile phone, the difference being that, instead of phone numbers, it holds the mini-certificates of the authenticatable entities that are contacted most frequently.
The public registry is not purely passive in its services. If accessed to provide a mini-certificate that it does not hold, and if configured with a valid home-server component, the public registry automatically attempts to fetch the requested mini-certificate from the public registry of the home server. These services can be used to provide an intelligent automated mini-certificate replication service that makes the right mini-certificate available at the right time.
The WebSphere MQ Everyplace queue manager itself uses the private and public registry services, but access to them is not restricted to it. WebSphere MQ Everyplace solutions can define and manage their own entities, such as users. You can then use private registry services to auto-register and manage the credentials of the new entities, and public registry services to make the public credentials available where needed. Chapter 8, Security, of the WebSphere MQ Everyplace Application Programming Guide provides detailed information on how to use registry services.
The ES03 WebSphere MQ Everyplace SupportPac, "Websphere MQ Everyplace WTLS Mini-Certificate Server", is available as a separate free download from http://www.ibm.com/software/mqseries/txppacs/. This software package provides a certificate issuance service for WTLS certificates. You can configure queue manager and queue entities on this certificate issuance server so that it provides a default mini-certificate issuance service that satisfies private-registry auto-registration requests with WTLS certificates. You can therefore use it to set up and manage a mini-certificate issuance service that issues mini-certificates to a carefully controlled set of entity names. The characteristics of this issuance service are:
Chapter 8, Security, of the WebSphere MQ Everyplace Application Programming Guide also provides detailed information on issuing mini-certificates. Also, refer to the documentation included in the ES03 SupportPac for more details of how to install and use the WTLS digital certificate issuance service for WebSphere MQ Everyplace.
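The following is an added model, written in Python for this page, of the registry services described above (the private registry and its PIN, auto-registration, the public registry with its home-server fetch, and the controlled-name issuance service of the ES03 SupportPac). It is not MQe code and not the MQe Java API: every class and function name in it (PrivateRegistry, MiniCertServer, PublicRegistry, auto_register, keygen) is my own, and to run on the standard library alone it uses textbook RSA over fixed Mersenne primes and an XOR key wrap under a PBKDF2-derived key, where a real deployment uses WTLS mini-certificates, proper key generation and a standard key wrap. What it shows is the behaviour the text promises: the private registry opens only with the correct PIN, signs without any method ever returning the private exponent, auto-registration stores the entity's new mini-certificate together with the server's own and the wrapped private key, the issuance server rejects names it is not configured for, and a public registry that misses fetches the mini-certificate from its home server and keeps a copy.

```python
import hashlib
import hmac
import itertools
import secrets

# Toy textbook RSA (no padding) over fixed Mersenne primes so the example runs on the
# standard library alone; it stands in for the WTLS/RSA credentials MQe actually uses.
_PRIME_PAIRS = itertools.cycle([(2**521 - 1, 2**127 - 1), (2**607 - 1, 2**107 - 1), (2**1279 - 1, 2**89 - 1)])

def keygen():  # ((e, n), (d, n)); real code generates fresh random primes per entity
    p, q = next(_PRIME_PAIRS)
    e, n = 65537, p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def _cert_bytes(cert):  # canonical bytes covered by the issuer's signature
    return f'{cert["name"]}|{cert["public"]}|{cert["issuer"]}'.encode()

def verify_cert(cert, issuer_cert):
    e, n = issuer_cert["public"]
    return cert["issuer"] == issuer_cert["name"] and pow(cert["sig"], e, n) == _digest(_cert_bytes(cert))

class PrivateRegistry:
    # d is stored wrapped under a PIN-derived key and used only inside sign(): it never leaves.
    def __init__(self, pin):
        self._salt, self._key, self._wrapped, self.n = secrets.token_bytes(16), None, None, None
        self._check = hashlib.sha256(self._kdf(pin)).digest()
        self.certificates = {}  # name -> mini-certificate (the entity's own and its issuer's)
    def _kdf(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 20_000, dklen=256)
    def open(self, pin):  # a wrong PIN leaves the registry locked
        key = self._kdf(pin)
        self._key = key if hmac.compare_digest(hashlib.sha256(key).digest(), self._check) else None
        return self._key is not None
    def close(self):
        self._key = None
    def _xor(self, data):  # toy key wrap (real code: AES key wrap); requires an open registry
        if self._key is None:
            raise PermissionError("private registry is locked; open it with the PIN")
        return bytes(a ^ b for a, b in zip(data, self._key))
    def store(self, private, own_cert, issuer_cert):
        d, self.n = private
        self._wrapped = self._xor(d.to_bytes(256, "big"))
        self.certificates.update({own_cert["name"]: own_cert, issuer_cert["name"]: issuer_cert})
    def sign(self, data):  # signature service: d is unwrapped transiently, never returned
        return pow(_digest(data), int.from_bytes(self._xor(self._wrapped), "big"), self.n)

class MiniCertServer:
    # Issuance service that serves only a carefully controlled set of entity names (cf. ES03).
    def __init__(self, name, allowed_names):
        self.name, self._allowed = name, set(allowed_names)
        public, self._private = keygen()
        self.certificate = self._issue(name, public)  # the server's own (self-signed) certificate
    def _issue(self, name, public):
        cert = {"name": name, "public": public, "issuer": self.name}
        return {**cert, "sig": pow(_digest(_cert_bytes(cert)), *self._private)}
    def register(self, name, public):  # returns the entity's new certificate plus the server's own
        if name not in self._allowed:
            raise PermissionError(f"{name} is not configured on the certificate server")
        return self._issue(name, public), self.certificate

class PublicRegistry:
    # Mini-certificate directory; a miss is fetched from the home server's registry and kept.
    def __init__(self, home=None):
        self.certs, self.home = {}, home
    def get(self, name):
        cert = self.certs.get(name)
        if cert is None and self.home is not None and (cert := self.home.get(name)) is not None:
            self.certs[name] = cert  # replicate locally for next time
        return cert

def auto_register(name, pin, server):  # what happens when an authenticatable entity is configured
    public, private = keygen()                             # 1. new key pair
    own_cert, issuer_cert = server.register(name, public)  # 2. mini-certificate from the server
    registry = PrivateRegistry(pin)                        # 3. both certs + wrapped key stored
    registry.open(pin)
    registry.store(private, own_cert, issuer_cert)
    registry.close()
    return registry

def demo():
    server = MiniCertServer("CertServer", allowed_names=["QM1", "QM1+INVENTORY"])
    qm1 = auto_register("QM1", "2468", server)
    home = PublicRegistry()
    home.certs["QM1"] = qm1.certificates["QM1"]
    device = PublicRegistry(home=home)  # the device side holds no copy of QM1's certificate yet
    results = {"wrong_pin_opens": qm1.open("0000"), "right_pin_opens": qm1.open("2468")}
    sig, cert = qm1.sign(b"payload"), device.get("QM1")
    try:
        server.register("Rogue", cert["public"])
        results["rogue_rejected"] = False
    except PermissionError:
        results["rogue_rejected"] = True
    results["chain_ok"] = verify_cert(cert, qm1.certificates["CertServer"])
    results["sig_ok"] = pow(sig, *cert["public"]) == _digest(b"payload")
    return results
```

The design point to carry over to real code is that PrivateRegistry has no method that returns the private key: consumers get a signature (or, by the same pattern, an RSA decryption) and nothing else. Bypassing the PIN, as the configuration options above allow, corresponds to a registry that is permanently open, which is why that choice should depend on how well the local file store itself is protected.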
An optional interface is provided that can be implemented by a custom security manager. The methods allow the security manager to authorize or reject requests associated with: