Messaging security ensures that service integration bus
users are authenticated, resources are protected by security checks,
and messages are secured when they are in transit. Use these topics
to learn how to secure the service integration bus and protect messages
that are sent and received.
Security covers all of the following areas:
- Authenticating and authorizing users that attempt to connect to a bus and use its resources.
- Securing communication transports between clients and messaging engines, and between messaging engines themselves.
- Authenticating peer messaging engines in a bus.
- Protecting the message store with a user identity.
When a bus is created with bus security enabled, the following
conditions apply:
- The bus requires client authentication.
- The bus enforces authorization policy.
- The bus requires use of SSL transport chains.
You can use secure transport connections to ensure the confidentiality
and integrity of messages that are in transit between application clients
and the bus, and between messaging engines. This is achieved by defining
transport chains and then referencing the transport chain name as follows:
- For application client connections: from the connection factory administered objects.
- For connections to foreign buses: from the Target inbound transport chain property of the service integration bus link.
- For connections to WebSphere® MQ: from the Transport chain property of the WebSphere MQ link.
- For connections between messaging engines: from the Inter-engine transport chain property of the bus.
For more information, see
Secure transport configuration requirements.
Note: When a secure bus is created, only SSL-protected messaging chains are permitted.
For example, you can use the InboundSecureMessaging transport chain.
In the routing properties for the service integration bus link
for a foreign bus connection, the user ID applied to messages entering
or leaving the foreign bus can be replaced by values specified by
the Inbound user ID and Outbound user ID properties.
The ability to authenticate access to a foreign bus is provided
by the Authentication alias property
of the service integration bus link. You can specify an authentication
alias at each end of the service integration bus link between two
secure buses when you create each foreign bus connection. The user
ID you specify in the authentication alias on each side of the link
must be the same for authorization purposes. For example, consider
a scenario where two messaging engines are connected by a service
integration bus link. Messaging engine A presents the user ID and
password to messaging engine B so that messaging engine B can authenticate
messaging engine A. For details about creating a foreign bus connection,
and therefore a service integration bus link, see Configuring foreign bus connections.
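The following audit script is an added example, not IBM documentation or product code: it checks a constructed description of bus, connection factory and bus link settings against the rules stated above (a secure bus must reference only SSL transport chains, and the authentication alias user IDs at both ends of a link between secure buses must match). The Bus and SIBLink classes and the sample values are invented for the example; InboundSecureMessaging and InboundBasicMessaging are WebSphere default chain names, and the two Bootstrap chains are assumed secure defaults not named on this page.

```python
from dataclasses import dataclass, field
# Default WebSphere chain names: only InboundSecureMessaging is named on this
# page; the other two are default SSL chains assumed here for completeness.
SSL_CHAINS = {"InboundSecureMessaging", "BootstrapSecureMessaging",
              "BootstrapTunneledSecureMessaging"}

@dataclass
class Bus:
    name: str
    bus_security: bool
    inter_engine_chain: str                   # Inter-engine transport chain
    cf_chains: list = field(default_factory=list)  # connection factory chains

@dataclass
class SIBLink:                                # one end of a bus link
    bus: str
    foreign_bus: str
    target_inbound_chain: str                 # Target inbound transport chain
    auth_alias_user: str                      # user ID in the Authentication alias

def audit(buses, links):
    """Return findings; an empty list means the settings are consistent."""
    by_name = {b.name: b for b in buses}
    findings = []
    for b in buses:
        if not b.bus_security:
            continue                          # rules below apply to secure buses
        for chain in [b.inter_engine_chain, *b.cf_chains]:
            if chain not in SSL_CHAINS:
                findings.append(f"{b.name}: non-SSL chain {chain} on a secure bus")
    ends = {(lk.bus, lk.foreign_bus): lk for lk in links}
    for (a, b), link in ends.items():
        if by_name[a].bus_security and link.target_inbound_chain not in SSL_CHAINS:
            findings.append(f"{a}->{b}: link uses non-SSL chain {link.target_inbound_chain}")
        other = ends.get((b, a))              # the alias at the far end of the link
        if other is None or a > b:
            continue                          # check each configured pair once
        if by_name[a].bus_security and by_name[b].bus_security \
                and link.auth_alias_user != other.auth_alias_user:
            findings.append(f"{a}<->{b}: alias user IDs differ "
                            f"({link.auth_alias_user} vs {other.auth_alias_user})")
    return findings

# Constructed sample: BusA is consistent, BusB uses a plain chain and the two
# ends of the link carry different user IDs.
SAMPLE_BUSES = [Bus("BusA", True, "InboundSecureMessaging", ["InboundSecureMessaging"]),
                Bus("BusB", True, "InboundBasicMessaging")]
SAMPLE_LINKS = [SIBLink("BusA", "BusB", "InboundSecureMessaging", "sibuser"),
                SIBLink("BusB", "BusA", "InboundSecureMessaging", "otheruser")]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_BUSES, SAMPLE_LINKS)))
```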