This section introduces the concepts related to message flow security. You can configure the broker to perform end-to-end processing of an identity carried in a message through a message flow. This enables you to configure security at flow level, controlling access on the basis of the identity carried in the message, through a mechanism that is independent of both the transport and the message format.
The actions taken for a given message flow are controlled by security profiles, which are created by the broker administrator and read by the security manager at run time. In Version 6.1 two external security providers are supported: LDAP for authentication and authorization, and Tivoli Federated Identity Manager (TFIM) for authentication, mapping and authorization.
The input nodes that support runtime security in WebSphere Message Broker Version 6.1 are MQInput, HTTPInput, and SOAPInput.
When a message arrives at an input node, a security profile is used to indicate whether runtime security is configured. The broker’s security manager is called to read the profile, which specifies the combination of authentication, authorization and mapping to be performed with the identity of the message. It also specifies the external security provider to be used.
The security manager extracts the identity information from the input message and sets it in a group of new elements in the Properties folder. This ‘source’ identity information could be in a message header or in the message body itself, or a mixture of the two.
If authentication was specified in the security profile, the security manager calls the provider to authenticate the identity. A failure results in a SecurityException being thrown. Supported providers in Version 6.1 are LDAP and TFIM.
If identity mapping was specified in the security profile, the security manager calls the provider to map the identity to an alternative identity. A failure results in a SecurityException being thrown. Otherwise, the ‘mapped’ identity information is set in a group of new elements in the Properties folder. The supported provider in Version 6.1 is TFIM.
If authorization was specified in the security profile, the security manager calls the provider to check that the identity is authorized to access this message flow. A failure results in a SecurityException being thrown. Supported providers in Version 6.1 are LDAP and TFIM.
When all security processing is complete, control returns to the input node.
The message, including the Properties folder and its source and mapped identity information, is propagated down the flow.
At subsequent nodes in the flow, an identity might be needed to access a resource such as a database. In Version 6.1 the identity carried in the message is not used for this purpose: the resource is accessed with a proxy identity, which is either the broker's own identity or an identity configured for that resource with the mqsisetdbparms command. The flowed identity therefore governs access to the flow itself, not to the resources that the flow uses.
When the message reaches an output node, a security profile is used to indicate whether an identity is to be propagated when the message is sent. The output nodes that support identity propagation in Version 6.1 are MQOutput, HTTPRequest, SOAPRequest and SOAPAsyncRequest.
If the security profile indicates that propagation is required, the mapped identity is used, or if that is not set, the source identity is used. If no identity is set a SecurityException is thrown.
Any propagated identity is included in the appropriate message header when the message is sent. To improve performance, the authentication, authorization and mapping results obtained from the configured providers are cached for reuse; a change made at the provider, such as revoking a user or altering a mapping, is therefore not seen by the broker until the cached entry expires or the cache is reloaded. You can use the mqsireloadsecurity command to set the expiry interval for the cache and to force an immediate reload.
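The following model of the runtime sequence described above is an added illustration and is not broker code. It walks a message through the input-node steps (authenticate, map, authorize, each only if the profile names a provider for it, with the first failure ending the sequence) and then applies the output-node rule that the mapped identity is propagated in preference to the source identity. The external providers are simulated with in-memory tables, and the element names used for the Properties folder (IdentitySourceType, IdentitySourceToken, IdentityMappedToken, and so on) are an assumption about how the broker names its identity elements.

```python
"""Model of the Version 6.1 runtime security sequence: authenticate, map and
authorize at the input node, then choose the identity to propagate at the
output node.  Added illustration, not broker code; providers are simulated
and the Properties element names are an assumption."""

from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


class SecurityException(Exception):
    """Raised when authentication, mapping, authorization or propagation fails."""


@dataclass
class SecurityProfile:
    """Which steps the security manager performs and which provider serves each."""
    authentication: Optional[str] = None  # "LDAP" or "TFIM"; None means skip
    mapping: Optional[str] = None         # "TFIM" only in Version 6.1
    authorization: Optional[str] = None   # "LDAP" or "TFIM"; None means skip
    propagation: bool = False             # honoured by output-node profiles


@dataclass
class Properties:
    """Identity elements in the Properties folder (element names assumed)."""
    IdentitySourceType: Optional[str] = None
    IdentitySourceToken: Optional[str] = None
    IdentitySourcePassword: Optional[str] = None
    IdentityMappedType: Optional[str] = None
    IdentityMappedToken: Optional[str] = None


class Provider:
    """Stand-in for an external provider, backed by constructed tables."""

    def __init__(self, users: Dict[str, str], mappings: Optional[Dict[str, str]] = None,
                 flow_acl: Optional[Dict[str, Set[str]]] = None) -> None:
        self.users = users               # token -> password
        self.mappings = mappings or {}   # source token -> mapped token
        self.flow_acl = flow_acl or {}   # flow name -> tokens allowed to use it

    def authenticate(self, token: str, password: str) -> bool:
        return token in self.users and self.users[token] == password

    def map_identity(self, token: str) -> Optional[str]:
        return self.mappings.get(token)

    def authorize(self, token: str, flow: str) -> bool:
        return token in self.flow_acl.get(flow, set())


def input_node_security(props: Properties, profile: SecurityProfile,
                        providers: Dict[str, Provider], flow: str) -> Properties:
    """Security manager work at an input node, in the order the text gives.
    The first failure aborts the sequence, so a bad password never reaches mapping."""
    if profile.authentication:
        p = providers[profile.authentication]
        if not p.authenticate(props.IdentitySourceToken, props.IdentitySourcePassword):
            raise SecurityException("authentication failed for %r" % props.IdentitySourceToken)
    if profile.mapping:
        mapped = providers[profile.mapping].map_identity(props.IdentitySourceToken)
        if mapped is None:
            raise SecurityException("no mapping for %r" % props.IdentitySourceToken)
        props.IdentityMappedType = props.IdentitySourceType  # assumption: type carried over
        props.IdentityMappedToken = mapped
    if profile.authorization:
        # Assumption: once a mapped identity exists, that is the identity authorized.
        token = props.IdentityMappedToken or props.IdentitySourceToken
        if not providers[profile.authorization].authorize(token, flow):
            raise SecurityException("%r is not authorized for flow %r" % (token, flow))
    return props


def output_node_identity(props: Properties, profile: SecurityProfile) -> Optional[Tuple[str, str]]:
    """Output-node rule: mapped identity wins, source identity is the fallback,
    and a propagation request with no identity set at all is an error."""
    if not profile.propagation:
        return None
    if props.IdentityMappedToken:
        return (props.IdentityMappedType, props.IdentityMappedToken)
    if props.IdentitySourceToken:
        return (props.IdentitySourceType, props.IdentitySourceToken)
    raise SecurityException("propagation requested but no identity is set")


# Constructed provider data: LDAP knows two users and lets only alice run
# OrderFlow; TFIM maps alice to a service identity, which alone may run OrderFlow.
PROVIDERS = {
    "LDAP": Provider(users={"alice": "s3cret", "bob": "hunter2"},
                     flow_acl={"OrderFlow": {"alice"}}),
    "TFIM": Provider(users={"alice": "s3cret"}, mappings={"alice": "svc-orders"},
                     flow_acl={"OrderFlow": {"svc-orders"}}),
}


def run_flow(token: str, password: str, in_profile: SecurityProfile,
             out_profile: SecurityProfile, flow: str = "OrderFlow") -> Optional[Tuple[str, str]]:
    """One message through an input node and an output node; raises on any failure."""
    props = Properties(IdentitySourceType="usernameAndPassword",
                       IdentitySourceToken=token, IdentitySourcePassword=password)
    input_node_security(props, in_profile, PROVIDERS, flow)
    return output_node_identity(props, out_profile)


def try_flow(token: str, password: str, in_profile: SecurityProfile, out_profile: SecurityProfile):
    """run_flow, returning the rejection message instead of raising."""
    try:
        return run_flow(token, password, in_profile, out_profile)
    except SecurityException as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    propagate = SecurityProfile(propagation=True)
    print(try_flow("alice", "s3cret", SecurityProfile("LDAP", None, "LDAP"), propagate))
    print(try_flow("alice", "s3cret", SecurityProfile("TFIM", "TFIM", "TFIM"), propagate))
    print(try_flow("bob", "hunter2", SecurityProfile("LDAP", None, "LDAP"), propagate))
    print(try_flow("alice", "wrong", SecurityProfile("TFIM", "TFIM", "TFIM"), propagate))
```

Running the script shows the two outcomes worth noticing: with the TFIM profile the identity that reaches the output node is the mapped service identity, not the user who sent the message, and bob is rejected at the authorization step even though his LDAP credentials are valid, because access is decided per flow rather than per login.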
The following topics in this section provide more detailed information about message flow security: