The security of messages and business data on a system is critical, from
the moment they leave a source adapter, through their journey into the
InterChange Server, right up until they reach a destination adapter.
Critical to any secure system is end point verification. The IBM
WebSphere InterChange Server provides security at each end point of the
information flow, ensuring that your information is secure from
end-to-end.
Most business communication in InterChange Server is transported over
asynchronous systems such as JMS and MQ Series, causing messages to be stored
on disk at the queue manager while they wait for processing. End-to-end
privacy ensures that these messages are secured at this level.
In order to use end-to-end privacy to protect your messages, you must
activate it in the appropriate configuration file. End-to-end privacy
can be turned on or off for each individual adapter.
It is important to note that configuring end-to-end privacy using System
Manager affects only the messages from InterChange Server to the adapter,
while configuring the adapter using Connection Configurator affects only the
messages from the adapter to InterChange Server.
- Note:
- For in-depth information on end-to-end privacy concepts and functionality,
refer to the Technical Introduction to IBM WebSphere InterChange
Server.
This section covers the following topics:
"Steps for activating end-to-end privacy using System Manager"
"Steps for activating end-to-end privacy using Connection Configurator"
"Steps for changing the privacy configuration using System Manager"
"Steps for changing the privacy configuration using Connection Configurator"
"Administering keys and keystores"
Perform the following steps to activate end-to-end privacy using System
Manager:
- On the Privacy tab, enter the path to the keystore. For additional
information on keystores, see Administering keys and keystores.
- Enter the password for the keystore.
- To import a specific privacy setting, select the Import Privacy Setting
button and select one of the available connectors. This loads the
privacy configuration specified by the specific connector's configuration
file.
- To set a general privacy setting, select a message type from the drop down
list. Available choices are:
- Select a security level from the drop down list. Available choices
are:
- None
- Privacy
- Integrity
- Integrity plus Privacy
- Select a destination for the messages, for example, System Test Connector
or Destination Connector. This is an optional distinction used only
when end-to-end privacy has been set for the specific connector.
- To set a privacy setting for an individual business object, enter the name
of the business object or select a business object from the available
list.
- Select a security level from the drop down list. Available choices
are:
- None
- Privacy
- Integrity
- Integrity plus Privacy
- Select a destination for the messages, for example, System Test Connector
or Destination Connector. This is an optional distinction used only
when end-to-end privacy has been set for the specific connector.
Perform the following steps to activate end-to-end privacy:
- On the Connector Configurator tab, select the Support tab.
- From the listing, select the drop down list under the Privacy heading to
assign the appropriate privacy level for each individual business
object. Available choices are:
- None
- Privacy
- Integrity
- Integrity plus Privacy
- Save your connection configuration to activate the privacy
settings.
Perform the following steps to change the end-to-end privacy parameter
using System Manager:
- On the Privacy tab, update the following information:
- Keystore path
- Keystore password
- General privacy settings
- Individual business object privacy settings
Perform the following steps to change the end-to-end privacy parameter
using Connection Configurator:
- On the Security tab, update the privacy setting for any individual
business object.
- Save your connector configuration.
A keystore is a password protected file used to securely store the public
and private keys used for privacy verification. A keystore is present
for the server, as well as for each individual adapter. The IBM
WebSphere InterChange Server keystore contains the server's private and
public keys, as well as the public key of each adapter. Each individual
adapter keystore contains the adapter's private and public keys, as well as
the public key of the InterChange Server.
The full path to the keystore and the applicable password, which is
encrypted during startup, is contained in the configuration file. The
password for the private key should be identical to the password for the
keystore.
Perform the following steps to create the keys and keystores using the
graphical interface provided with the Connector Configurator:
- On the Connector Configurator screen, select the Security tab. From
this tab, you can turn on end-to-end privacy, set your privacy levels,
maintain keys and set adapter access control.
- Select the Generate Keys button. The Generate Keys screen
displays.
- Enter the following information to complete the key building
process:
- Certificate association
- Generation algorithm
- Output keystore
- Keystore password
- Private key password
- Any additional key options
- Enter one of the following pieces of information. Only one is
required to build the key:
- Common name for the key
- Organization unit
- Organization name
- Locality name
- State name
- Country name
- Select the OK button to save the key information.
Perform the following steps to create the keys and keystores using the
keytool:
- Open the keytool found in the JDK_HOME/bin directory.
- Create a public and private key entry for the server by entering the
following command line, where name equals the key alias,
password equals the keystore password and
IC.keystore equals the keystore file name:
keytool -genkey -alias name -keyalg RSA -keypass password -storepass password -keystore IC.keystore
- Export the public key of the server to a file by entering the following
command line:
keytool -export -alias name -storepass password -file IC.cer -keystore IC.keystore
- Note:
- The adapter agent will import the IC.cer file when it imports the
public key of the server into its keystore.
- Create a public and private key entry for the adapter agent by entering
the following command line, where connectorname equals the key alias,
password equals the keystore password and
Adapter.keystore equals the keystore file name:
keytool -genkey -alias connectorname -keyalg RSA -keypass password -storepass password -keystore Adapter.keystore
- Export the public key of the adapter to a file by entering the following
command line:
keytool -export -alias connectorname -storepass password -file Adapter.cer -keystore Adapter.keystore
- Turn on privacy settings by importing the public key of the adapter agent into
the server keystore by entering the following command line:
keytool -import -v -trustcacerts -alias connectorname -storepass password -file Adapter.cer -keystore IC.keystore
- Import the server's public key into the adapter agent's keystore
by entering the following command line:
keytool -import -v -trustcacerts -alias connectorname.queue.manager -storepass password -file IC.cer -keystore Adapter.keystore
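The keytool procedure above, and the keystore layout described under
"Administering keys and keystores" (each side holds its own key pair plus
the other side's public key), as one non-interactive script. This is an
added example, not code from the IBM manual or the product. It assumes
keytool from JDK_HOME/bin is on PATH; the aliases ics and myconnector, the
password changeit, the organization ExampleCorp and the working directory
are constructed placeholders. The long option names -genkeypair, -exportcert
and -importcert are the current spellings of -genkey, -export and -import,
and -dname and -noprompt are supplied so that nothing prompts at the
console. As the manual requires, one password serves as both the keystore
and the private key password.

```shell
#!/bin/sh
# Added example, not code from the IBM manual: the keytool exchange between
# the InterChange Server keystore and an adapter keystore, scripted so that
# it runs without prompting. Aliases (ics, myconnector), the password
# (changeit) and the DN fields are constructed placeholders.
set -e

# Assemble the -dname value from the fields the Generate Keys screen asks
# for: common name, organizational unit, organization, locality, state,
# country. Empty fields are dropped; at least one must be given.
build_dname() {
    cn=$1 ou=$2 o=$3 l=$4 st=$5 c=$6
    dn=""
    for pair in "CN=$cn" "OU=$ou" "O=$o" "L=$l" "ST=$st" "C=$c"; do
        case $pair in *=) continue ;; esac
        dn="${dn:+$dn,}$pair"
    done
    printf '%s' "$dn"
}

# Generate an RSA key pair. The manual requires the private-key password
# to equal the keystore password, so the same value is passed to both.
gen_keypair() { # keystore alias password dname
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "$4" -keypass "$3" -storepass "$3" -keystore "$1"
}

# Export one entry's public certificate (the IC.cer / Adapter.cer files).
export_cert() { # keystore alias password certfile
    keytool -exportcert -alias "$2" -storepass "$3" -file "$4" -keystore "$1"
}

# Import the other side's certificate as a trusted entry.
import_cert() { # keystore alias password certfile
    keytool -importcert -noprompt -trustcacerts -alias "$2" -storepass "$3" \
        -file "$4" -keystore "$1"
}

# Succeeds (exit 0) only when the alias exists in the keystore.
keystore_has_alias() { # keystore password alias
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# The whole exchange, in the order the manual gives it. Afterwards
# IC.keystore holds the server key pair plus the adapter's certificate, and
# Adapter.keystore holds the adapter key pair plus the server's certificate.
setup_end_to_end() { # workdir
    pw=changeit
    ( cd "$1"
      gen_keypair IC.keystore ics "$pw" "$(build_dname ics-server "" ExampleCorp "" "" US)"
      export_cert IC.keystore ics "$pw" IC.cer
      gen_keypair Adapter.keystore myconnector "$pw" "$(build_dname myconnector "" ExampleCorp "" "" US)"
      export_cert Adapter.keystore myconnector "$pw" Adapter.cer
      import_cert IC.keystore myconnector "$pw" Adapter.cer
      import_cert Adapter.keystore myconnector.queue.manager "$pw" IC.cer )
}

# Demo run, only when keytool (JDK_HOME/bin) is on PATH.
if command -v keytool >/dev/null 2>&1; then
    work=$(mktemp -d)
    setup_end_to_end "$work"
    if keystore_has_alias "$work/IC.keystore" changeit myconnector; then
        echo "server keystore trusts the adapter certificate"
    fi
    rm -rf "$work"
fi
```

After the script runs, keystore_has_alias is the check to keep around
operationally: the server keystore must list the adapter alias and the
adapter keystore must list the server alias, otherwise the privacy setting
in the configuration file has nothing to verify against.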
Perform the following steps to export the adapter public key:
- On the Connector Configurator screen, select the Security tab.
- Select the Export Adapter Public Key button.
- On the Export Adapter Public Key screen, enter the following
information:
- Output certificate
- Input keystore
- Keystore password
- Certificate association
- Any additional key options
- Select the Ok button to export the adapter key.
Perform the following steps to import the server public key:
- On the Connector Configurator screen, select the Security tab.
- Select the Import Server Public Key button.
- On the Import Server Public Key screen, enter the following
information:
- Output keystore
- Input certificate
- Keystore password
- Private key password
- Certificate association
- Any additional key options
- Select the Ok button to import the server key.
