Non-repudiation
In addition to specifying a quality of protection, the protected object
policy for a queue specifies the audit level for the queue. The audit level
can be one of the following:
- all: Access Manager for Business Integration generates an audit record for each MQOPEN, MQGET, MQPUT, MQPUT1, and MQCLOSE call on a protected queue.
- none: Access Manager for Business Integration generates no audit records for MQI calls.
Although these audit levels are available on all platforms, additional
ones are available for use with Access Manager for Business Integration on AIX(R), Solaris, HP/UX, Linux(R) Intel(R) and Windows 2000/2003/XP:
- permit: Records only successful access to Tivoli(R) Access Manager for Business Integration-protected resources.
- deny: Records only denied requests for access to Tivoli Access Manager for Business Integration-protected resources.
- admin: Records OPEN, CLOSE, PUT, and GET operations on protected IBM(R) WebSphere(R) MQ queues.
- error: Records any unsuccessful GET operations which result in messages being sent to the error handling queue.
When an application gets a message from a queue, the audit record for the
MQGET call includes the following information:
- The date and time of the MQGET call
- The name of the queue from which the message was retrieved
- The name of the queue manager that owns the queue
- Whether the MQGET call completed successfully
- The message digest algorithm that was used to create the digital signature, if the message was signed
- The Distinguished Name of the sender of the message
- The contents of the MsgId field in the message descriptor of the message
- The contents of the Format field in the message descriptor of the message
Although the audit record contains some information about the message,
who sent it, and where and when it was received, other evidence that might
be used to provide a non-repudiation service with proof of origin is not recorded.
In particular, the audit record does not contain:
- The digital certificate of the sender
- The digital signature of the sender
- The original message