One of the key features of InterChange Server is the ability to authorize
permissions for users accessing the system using roles, known as
role-based access control (RBAC). Roles can
easily be defined by the administrator and assigned to a group of users,
restricting access to key components only to verified users.
Use of RBAC functionality ensures that only an administrator, or users with
permission to administer roles, are allowed to create users and assign
roles. If RBAC is not active on the server, any user can create users
and roles with no verification. Therefore, if you want to use the
server with RBAC on, have the administrator turn RBAC on after the product
is installed. This will prevent any users from turning RBAC on or
editing other fields.
For more information regarding security and role-based access control, see
the Administration Guide.
Note: Security can also be configured using the new parameter -xmsp with
the repos_copy command. For more information on using repos_copy, see Using repos_copy.
Do the following to configure InterChange Server for role-based access
control:
- First create a user with the administrator role. If there is no
user with the administrator role, then even if RBAC is turned on in the
InterChange Server configuration, the server will reboot with RBAC turned
off.
- Click the Security - RBAC tab.
Figure 48 shows the Security - RBAC tab in the System
Manager configuration file editor.
Figure 48. Security tab in System Manager

- Select the Enable RBAC check box.
- In the User registry pull-down menu choose Repository or
LDAP.
  If you chose Repository, you must enter the following information in the
  Repository details area of the Security - RBAC tab:
  - Database
  - Maximum number of connections or select the Unlimited check box
  - Max connect retries
  - Login
  - Password
  - Connect retry interval
  If you chose LDAP, you must enter the following information in
  the LDAP setting area of the Security - RBAC tab:
  - LDAP URL
  - User name DN
  - Password
  - Userbase DN, which is the base distinguished name
  - User name attribute, which is the attribute in the LDAP schema that
    InterChange Server uses as a user name
  - Search criteria, to use when retrieving LDAP users
  - Maximum number of search returns, which is the maximum number of entries
    returned from a search
  - SSL, which indicates whether you want a secure connection between
    InterChange Server and LDAP
- In the Server start user field, enter the user name that will
start the server.
- In the Server start password field, enter the password
associated with the user name.
- To turn on audit settings, select the Enable audit check box and
fill in the following fields:
  - Audit log directory, which is the path of the audit log file
  - Audit log frequency, for example, Daily, Weekly or Monthly
  - Audit file size (MB), which is the maximum size for the audit file
For more in-depth information on configuring options for InterChange
Server, refer to the Administration Guide.
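A pre-flight review of the values you plan to enter on the Security - RBAC tab, as an added example that is not IBM's code or part of the original guide. The dictionary keys, finding codes and sample values are hypothetical; the checks use only what this page states plus standard LDAP URL and DN syntax, the DN check is simplified, and the audit finding is advisory.

```python
import re
from urllib.parse import urlparse

# One RDN: attribute type (name or numeric OID), "=", non-empty value.
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)\s*=\s*\S.*$")

def is_plausible_dn(dn):
    """Simplified syntax check: comma-separated RDNs, honouring '\\,' escapes."""
    parts = re.split(r"(?<!\\),", dn or "")
    return all(_RDN.match(p) for p in parts)

def review_rbac_settings(cfg, admin_users):
    """Return finding codes for a planned Security - RBAC tab configuration."""
    findings = []
    if cfg.get("enable_rbac") and not admin_users:
        # Per the page: with no administrator-role user, the server
        # reboots with RBAC turned off even though it is enabled.
        findings.append("rbac-no-admin-user")
    if cfg.get("user_registry") == "LDAP":
        ldap = cfg.get("ldap", {})
        url = urlparse(ldap.get("url", ""))
        if url.scheme not in ("ldap", "ldaps") or not url.hostname:
            findings.append("ldap-url-invalid")
        if not ldap.get("ssl"):
            # The User name DN password would cross the network unprotected.
            findings.append("ldap-ssl-off")
        for field in ("user_name_dn", "userbase_dn"):
            if not is_plausible_dn(ldap.get(field)):
                findings.append(f"{field}-not-a-dn")
        if not ldap.get("user_name_attribute"):
            findings.append("user-name-attribute-missing")
        n = ldap.get("max_search_returns")
        if not isinstance(n, int) or n <= 0:
            findings.append("max-search-returns-invalid")
    if cfg.get("enable_rbac") and not cfg.get("enable_audit"):
        findings.append("audit-off")  # advisory: role changes go unrecorded
    return findings

# Constructed sample; key names are hypothetical, not the product's own.
SAMPLE = {
    "enable_rbac": True, "user_registry": "LDAP", "enable_audit": False,
    "ldap": {
        "url": "ldap://ldap.example.com:389",
        "user_name_dn": "cn=icsbind,ou=svc,dc=example,dc=com",
        "userbase_dn": "example.com",  # a domain name, not a DN
        "user_name_attribute": "uid", "max_search_returns": 500, "ssl": False,
    },
}
if __name__ == "__main__":
    print(review_rbac_settings(SAMPLE, admin_users=[]))
```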
End-to-end privacy is a very important feature of InterChange
Server. It allows you to send messages securely from the moment they
leave a source adapter, through InterChange Server, to a destination
adapter.
Critical to any secure system is end point verification. IBM
WebSphere InterChange Server provides security at each end point of the
information flow, ensuring that your information is secure from end to
end.
When business communications to InterChange Server are transported
asynchronously over JMS, messages are stored on disk at the queue manager
while they wait for processing. End-to-end privacy ensures that these
messages are secured at this level.
Note: For in-depth information on end-to-end privacy, refer to the
Administration Guide.
To configure InterChange Server for end-to-end privacy, do the
following:
- Click the Privacy tab.
Figure 49. Privacy tab in System Manager

- Enter the Keystore Path and Keystore Password. (For information on
keystores, refer to the Administration Guide.)
- Click on Import privacy setting and select one of the available
connectors. This loads the privacy configuration for that specific
connector.
You can also set a general privacy setting by doing the following:
- In the General privacy setting area, click on All in
the Message type column. A drop-down list will
appear. Select a message type.
- Click on None in the Security level column.
- Select a destination for the messages by double-clicking in a cell in the
Destination column, for example, System Test Connector or Destination
Connector.
To set a privacy setting for an individual business object, do the
following:
- Enter the name of the business object or select a business object from the
available list in the Name column under Individual
business object setting.
- Select a security level by double-clicking on a cell in the Security
level column and selecting an option from the drop-down list that
appears.
- Select a destination for the messages by double-clicking in a cell in the
Destination column, for example, System Test Connector or
Destination Connector.
For more in-depth information on the options for configuring InterChange
Server for end-to-end privacy, refer to the Administration
Guide.
