Administering end-to-end privacy

The security of messages and business data on a system is critical, from the moment they leave a source adapter, through their journey into the InterChange Server, right up until they reach a destination adapter. Critical to any secure system is end point verification. The IBM WebSphere InterChange Server provides security at each end point of the information flow, ensuring that your information is secure from end-to-end.

Most business communication in InterChange Server is transported over asynchronous systems such as JMS and MQ Series, causing messages to be stored on disk at the queue manager while they wait for processing. End-to-end privacy ensures that these messages are secured at this level.

In order to use end-to-end privacy to protect your messages, you must activate it in the appropriate configuration file. End-to-end privacy can be turned on or off for each individual adapter.

It is important to note that the configuration of end-to-end privacy using System Manager will only affect the messages from InterChange Server to the adapter, while the configuration of the adapter using Connection Configurator will only affect the messages from the adapter to InterChange Server.

Note:
For in-depth information on end-to-end privacy concepts and functionality, refer to the Technical Introduction to IBM WebSphere InterChange Server.

This section covers the following topics:

"Steps for activating end-to-end privacy using System Manager"

"Steps for activating end-to-end privacy using Connection Configurator"

"Steps for changing the privacy configuration using System Manager"

"Steps for changing the privacy configuration using Connection Configurator"

"Administering keys and keystores"

Steps for activating end-to-end privacy using System Manager

Perform the following steps to activate end-to-end privacy using System Manager:

  1. On the Privacy tab, enter the path to the keystore. For additional information on keystores, see Administering keys and keystores.
  2. Enter the password for the keystore.
  3. To import a specific privacy setting, select the Import Privacy Setting button and select one of the available connectors. This loads the privacy configuration specified by the specific connector's configuration file.
  4. To set a general privacy setting, select a message type from the drop down list. Available choices are:
  5. Select a security level from the drop down list. Available choices are:
  6. Select a destination for the messages, for example, System Test Connector or Destination Connector. This is an optional distinction used only when end-to-end privacy has been set for the specific connector.
  7. To set a privacy setting for an individual business object, enter the name of the business object or select a business object from the available list.
  8. Select a security level from the drop down list. Available choices are:
  9. Select a destination for the messages, for example, System Test Connector or Destination Connector. This is an optional distinction used only when end-to-end privacy has been set for the specific connector.

Steps for activating end-to-end privacy using Connection Configurator

Perform the following steps to activate end-to-end privacy:

  1. On the Connector Configurator tab, select the Support tab.
  2. From the listing, select the drop down list under the Privacy heading to assign the appropriate privacy level for each individual business object. Available choices are:
  3. Save your connection configuration to activate the privacy settings.

Steps for changing the privacy configuration using System Manager

Perform the following steps to change the end-to-end privacy parameter using System Manager:

  1. On the Privacy tab, update the following information:

Steps for changing the privacy configuration using Connection Configurator

Perform the following steps to change the end-to-end privacy parameter using Connection Configurator:

  1. On the Security tab, update the privacy setting for any individual business object.
  2. Save your connector configuration.

Administering keys and keystores

A keystore is a password protected file used to securely store the public and private keys used for privacy verification. A keystore is present for the server, as well as for each individual adapter. The IBM WebSphere InterChange Server contains an InterChange Server private and public keystore, as well as the public keys of each adapter. Each individual adapter keystore contains the adapter private and public keystore, as well as the public key of the InterChange Server.

The full path to the keystore and the applicable password, which is encrypted during startup, is contained in the configuration file. The password for the private key should be identical to the password for the keystore.

Steps for creating keys using the connector configurator

Perform the following steps to create the keys and keystores using the graphical interface provided with the connector configurator:

  1. On the Connector Configurator screen, select the Security tab. From this tab, you can turn on end-to-end privacy, set your privacy levels, maintain keys and set adapter access control.
  2. Select the Generate Keys button. The Generate Keys screen displays.
  3. Enter the following information to complete the key building process:
  4. Enter one of the following pieces of information. Only one is required to build the key:
  5. Select the OK button to save the key information.

Steps for creating keys using the keytool

Perform the following steps to create the keys and keystores using the keytool:

  1. Open the keytool found in the JDK_HOME/bin directory.
  2. Create a public and private key entry for the server by entering the following command line, where name equals the keystore name, password equals the keystore password and IC.keystore equals the keystore file name:


    keytool -genkey -alias name -keyalg RSA -keypass password -storepass password -keystore IC.keystore

  3. Export the public key of the server to a file by entering the following command line:


    keytool -export -alias name -storepass password -file IC.cer -keystore IC.keystore

    Note:
    The adapter agent will import the IC.cer file when it imports the public key of the server into its keystore.
  4. Create a public and private key entry for the adapter agent by entering the following command line, where connectorname equals the keystore name, password equals the keystore password and Adapter.keystore equals the keystore file name:


    keytool -genkey -alias connectorname -keyalg RSA -keypass password -storepass password -keystore Adapter.keystore

  5. Export the public key of the adapter to a file by entering the following command line:


    keytool -export -alias connectorname -storepass password -file Adapter.cer -keystore Adapter.keystore

  6. Turn on privacy settings by importing the key for the adapter agent into the server keystore by entering the following command line:


    keytool -import -v -trustcacerts -alias connectorname -storepass password -file Adapter.cer -keystore IC.keystore

  7. Import the server's public key into the adapter agent's keystore by entering the following command line:


    keytool -import -v -trustcacerts -alias connectorname.queue.manager -storepass password -file IC.cer -keystore Adapter.keystore
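The following script is an added example, not part of the IBM documentation, that runs steps 2 through 7 above end to end in a scratch directory and then checks that each keystore ends up with the layout described under "Administering keys and keystores" (its own key pair plus the peer's public key). The alias names, the password and the -dname subject names are constructed placeholders. Two flags not shown in the steps above are added so the script runs without prompting: -dname supplies the certificate subject that keytool would otherwise ask for, and -noprompt skips the "Trust this certificate?" confirmation on import. Because -noprompt bypasses that fingerprint check, an operator exchanging .cer files between separate hosts should compare the certificate fingerprints (keytool -printcert -file) out of band before importing.

```sh
#!/bin/sh
# Added example: runs the keytool key exchange for InterChange Server and one
# adapter agent, then verifies both keystores. Not IBM's own tooling.
set -e

# Constructed placeholder values; real deployments use their own names and
# passwords. keypass is kept identical to storepass, as the documentation
# requires (and as PKCS12 keystores enforce).
SERVER_ALIAS="icserver"
ADAPTER_ALIAS="connectorname"
STOREPASS="changeit"

# Builds IC.keystore and Adapter.keystore in <work_dir> and cross-imports the
# public certificates. Runs in a subshell so the caller's directory is kept.
# Usage: setup_keystores <work_dir>
setup_keystores() {
    (
        mkdir -p "$1"
        cd "$1"

        # Step 2: server key pair (-dname avoids the interactive prompt).
        keytool -genkey -alias "$SERVER_ALIAS" -keyalg RSA \
            -dname "CN=InterChange Server, O=Example" \
            -keypass "$STOREPASS" -storepass "$STOREPASS" -keystore IC.keystore

        # Step 3: export the server's public certificate to IC.cer.
        keytool -export -alias "$SERVER_ALIAS" -storepass "$STOREPASS" \
            -file IC.cer -keystore IC.keystore

        # Step 4: adapter agent key pair.
        keytool -genkey -alias "$ADAPTER_ALIAS" -keyalg RSA \
            -dname "CN=Adapter Agent, O=Example" \
            -keypass "$STOREPASS" -storepass "$STOREPASS" -keystore Adapter.keystore

        # Step 5: export the adapter's public certificate to Adapter.cer.
        keytool -export -alias "$ADAPTER_ALIAS" -storepass "$STOREPASS" \
            -file Adapter.cer -keystore Adapter.keystore

        # Step 6: server keystore trusts the adapter's public key.
        # -noprompt skips the fingerprint confirmation (self-signed cert).
        keytool -import -v -trustcacerts -noprompt -alias "$ADAPTER_ALIAS" \
            -storepass "$STOREPASS" -file Adapter.cer -keystore IC.keystore

        # Step 7: adapter keystore trusts the server's public key.
        keytool -import -v -trustcacerts -noprompt \
            -alias "$ADAPTER_ALIAS.queue.manager" \
            -storepass "$STOREPASS" -file IC.cer -keystore Adapter.keystore
    )
}

# Counts the entries in a keystore. Each side should report 2: its own
# PrivateKeyEntry plus the peer's trustedCertEntry.
# Usage: count_entries <keystore_file>
count_entries() {
    keytool -list -storepass "$STOREPASS" -keystore "$1" \
        | grep -c -e PrivateKeyEntry -e trustedCertEntry
}

# Run stand-alone as: sh this_script.sh /path/to/workdir
if [ "$#" -gt 0 ]; then
    setup_keystores "$1"
    echo "IC.keystore entries:      $(count_entries "$1/IC.keystore")"
    echo "Adapter.keystore entries: $(count_entries "$1/Adapter.keystore")"
fi
```

After the run, the server keystore holds the icserver key pair and the connectorname certificate, and the adapter keystore holds the connectorname key pair and the server certificate under the connectorname.queue.manager alias, which is the arrangement described in "Administering keys and keystores". The keystore files and the .cer files are left in the work directory for inspection with keytool -list and keytool -printcert.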

Steps for exporting the adapter public key

Perform the following steps to export the adapter public key:

  1. On the Connector Configurator screen, select the Security tab.
  2. Select the Export Adapter Public Key button.
  3. On the Export Adapter Public Key screen, enter the following information:
  4. Select the Ok button to export the adapter key.

Steps for importing the server public key

Perform the following steps to import the server public key:

  1. On the Connector Configurator screen, select the Security tab.
  2. Select the Import Server Public Key button.
  3. On the Import Server Public Key screen, enter the following information:
  4. Select the Ok button to import the server key.

Copyright IBM Corp. 1997, 2004