IBM Integration Bus, Version 10.0.0.0 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Administration security overview

Administration security controls users' permissions to access an integration node and its resources, and to complete administrative tasks.

Administration security is an optional feature of the integration node; it is not enabled by default. You can enable administration security and select the required authorization mode by using the mqsichangefileauth command. For more information, see Enabling administration security.

You can control access to integration node resources through the web user interface and REST application programming interface (API) by associating web users with roles. A role is a set of security permissions that control access to an integration node and its resources, and each web user account is associated with a particular role. The permissions are checked to determine a web user's authorization to perform tasks in the web user interface or the REST application programming interface (API). For more information about roles, see Role-based security, and for information about how to create and assign roles to web users, see Managing web user accounts.

The following aspects of administration security are supported by IBM® Integration Bus:

Authentication

Authentication is the process of establishing the identity of a user or system and verifying that the identity is valid. IBM Integration Bus provides authentication support for the following administration interfaces:

For commands that are run locally, and for a locally connected Toolkit, the system user ID that is running the command or the Toolkit is passed to the integration node, where it is used as a pre-authenticated system user or role name.

For more information about the authentication support provided by IBM Integration Bus, see Authenticating users for administration.

Authorization

Authorization is the process of controlling users' access to resources, by verifying that they have the required permissions to carry out the requested actions against the specified resources.

When administration security is enabled, you can control users' access to the integration node and its resources, by setting permissions that allow user IDs associated with specified roles to perform actions on specified resources. The integration node checks the authorizations when it receives a request to view or change its properties or resources. If the user ID associated with the request is not authorized, the integration node refuses the request. Permissions are checked for all actions performed by users of the following interfaces:

Users of the web user interface and the IBM Integration Toolkit who do not have read, write, and execute permissions for the integration node or integration servers, have only restricted access to those resources. An icon is displayed against each resource to indicate that user authority is restricted. The actions that the user can request against a resource are determined by the restricted authority that is in place for that user.

When a user connects to the web user interface or the IBM Integration Toolkit, the displayed resources and their available actions are determined by the current permissions assigned to the user's role. If the permissions are changed during the session, the displayed resources and actions are not updated. However, the permissions are checked each time the user requests an action or attempts to expand the properties of a resource in the interface. As a result, if a permission has been removed since the session began, the user is still able to request the action, but the request fails as a result of being unauthorized. When the user reconnects and starts a new session, the icon representing the action is no longer displayed. When additional permissions are granted, the user must log out and start a new session so that the additional action icons are displayed in the interface.

For a custom integration application connecting to BrokerProxy object, the set of objects that can be obtained is determined at connection time. The connection should be reestablished following a change in permissions, but each action is authorized against the current permissions, so the application must be able to handle return codes resulting from unauthorized requests.

Two modes of authorization are provided in IBM Integration Bus, and you use the mqsichangeauthmode command to enable administration security for the integration node and to specify the required authorization mode:
File-based authorization (file mode)
File-based authorization (mq mode) is selected by default if there is no queue manager specified on the integration node.

If an integration node is configured to use file-based authorization, you can grant permissions to a role by using the -r role parameter of the mqsichangefileauth command. For more information, see Role-based security and Setting file-based permissions.

If no permission is found for the role name, a check is conducted to see if the name matches a system user ID, and if that system user is a member of the mqbrkrs group, full permissions are given.

Queue-based authorization (mq mode)
Queue-based authorization (mq mode) is selected by default if WebSphere® MQ Server is installed and a queue manager is specified on the integration node.
If the queue-based mode of administration security is set for the integration node, you specify permissions on authorization queues, which are defined on the queue manager that is specified on the integration node:
  • SYSTEM.BROKER.AUTH. This queue represents the integration node and its properties. Only one queue exists of this name for each integration node. This queue is defined as a local queue.
  • One SYSTEM.BROKER.AUTH.EG for each integration server that you define on the integration node, where EG is the name of the integration server. These queues are defined as alias queues.

Read, write, and execute authorities are granted automatically to the user group mqbrkrs on the SYSTEM.BROKER.AUTH queue.

When you create an integration server on an integration node for which you have enabled security, the integration server authorization queue SYSTEM.BROKER.AUTH.EG is created, where EG is the name of the integration server. Read, write, and execute authorities are automatically granted to the user group mqbrkrs on this queue.

If the integration node is configured to use queue-based authorization, you must create a system user ID on the operating system on which your integration node is running. You then assign permissions to the system user ID, and this set of permissions represents a role with a name that corresponds to the name of the system user ID. For example, the set of permissions that you define for a system user called ibmuser form a role called ibmuser. For information about setting permissions for queue-based authorization, see Role-based security and Setting queue-based permissions.

For more information about the authorization support provided by IBM Integration Bus, see Authorizing users for administration.

For information about authorization on z/OS®, see Authorization on z/OS.

See the following topics for more information about security permissions:


bp43500_.htm | Last updated 2015-03-27 19:28:33