WebSphere Message Brokers
File: ap04090_
Writer: Stephanie J Strugnell

Concept topic

This build: July 31, 2007 21:34:47

Message flow security

This section introduces the concepts related to message flow security. You can configure the broker to perform end to end processing of an identity carried in a message through a message flow. This enables you to configure security at flow level to control access based on the identity flowed in a message, and to provide a security mechanism that is both transport independent and message format independent.

WebSphere Message Broker Version 6.1 supports ‘runtime’ security, and provides a security manager. The security manager enables access to message flows to be controlled on a per message basis using the identity of the message. Instead of delegating this authority to the transport or to an external security manager, the broker can:

The actions taken for a given message flow are controlled using security profiles, which are created by the broker administrator and are accessed by the security manager at runtime. In Version 6.1, two external security providers are supported: LDAP for authentication and authorization, and TFIM for authentication, mapping and authorization.

The input nodes that support runtime security in WebSphere Message Broker Version 6.1 are MQInput, HTTPInput, and SOAPInput.

When a message arrives at an input node, a security profile is used to indicate whether runtime security is configured. The broker’s security manager is called to read the profile, which specifies the combination of authentication, authorization and mapping to be performed with the identity of the message. It also specifies the external security provider to be used.

The security manager extracts the identity information from the input message and sets it in a group of new elements in the Properties folder. This ‘source’ identity information could be in a message header or in the message body itself, or a mixture of the two.

If authentication was specified in the security profile, the security manager calls the provider to authenticate the identity. A failure results in a SecurityException being thrown. Supported providers in Version 6.1 are LDAP and TFIM.

If identity mapping was specified in the security profile, the security manager calls the provider to map the identity to an alternative identity. A failure results in a SecurityException being thrown. Otherwise, the ‘mapped’ identity information is set in a group of new elements in the Properties folder. The supported provider in Version 6.1 is TFIM.

If authorization was specified in the security profile, the security manager calls the provider to authorize that the identity has access to this message flow. A failure results in a SecurityException being thrown. Supported providers in Version 6.1 are LDAP and TFIM.

When all security processing is complete, control returns to the input node.

The message, including the Properties folder and its source and mapped identity information, is propagated down the flow.

At subsequent nodes in the flow, an identity might need to be used to access a resource such as a database. The identity used to access such a resource continues to be a proxy identity, either the broker’s identity or an identity configured using the mqsisetdbparms command.

The resource is accessed using the appropriate proxy identity.

When the message reaches an output node, a security profile is used to indicate whether an identity is to be propagated when the message is sent. The output nodes that support identity propagation in Version 6.1 are MQOutput, HTTPRequest, SOAPRequest and SOAPAsyncRequest.

If the security profile indicates that propagation is required, the mapped identity is used, or if that is not set, the source identity is used. If no identity is set a SecurityException is thrown.

Any propagated identity is included in the appropriate message header when it is sent. To improve performance, the authentication, authorization and mapping information from the configured providers is cached for reuse. You can use the mqsireloadsecurity command to set the expiry interval for the cache.
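The input-node sequence (extract, authenticate, map, authorize) and the output-node rule (mapped identity, else source identity, else SecurityException) as an added, runnable model; this is not IBM code, and the provider, profile flags and Properties folder element names are assumptions made for the example.

```python
from dataclasses import dataclass

class SecurityException(Exception):
    """Raised by the security manager when a step in the profile fails."""

@dataclass
class SecurityProfile:
    authentication: bool = False   # flags a broker administrator sets in the profile
    mapping: bool = False
    authorization: bool = False
    propagation: bool = False

@dataclass
class Provider:
    users: dict        # constructed stand-in for LDAP/TFIM data: identity -> password
    mappings: dict     # identity -> mapped identity
    flow_access: dict  # flow name -> set of identities allowed to run it
    def authenticate(self, identity, password):
        return self.users.get(identity) == password
    def map_identity(self, identity):
        return self.mappings.get(identity)
    def authorize(self, identity, flow):
        return identity in self.flow_access.get(flow, set())

def input_node_security(profile, provider, flow, message):
    """Input-node sequence: authenticate, map and authorize the source identity as the
    profile requests; returns the Properties elements set (names are assumptions)."""
    identity = message["user"]
    props = {"IdentitySourceToken": identity}
    if profile.authentication and not provider.authenticate(identity, message["password"]):
        raise SecurityException("authentication failed for " + identity)
    if profile.mapping:
        mapped = provider.map_identity(identity)
        if mapped is None:
            raise SecurityException("identity mapping failed for " + identity)
        props["IdentityMappedToken"] = mapped
        identity = mapped  # modelling choice: authorize the mapped identity once one exists
    if profile.authorization and not provider.authorize(identity, flow):
        raise SecurityException(identity + " is not authorized for flow " + flow)
    return props

def output_node_identity(profile, props):
    """Output-node rule: mapped identity if set, else source identity, else exception."""
    if not profile.propagation:
        return None
    identity = props.get("IdentityMappedToken") or props.get("IdentitySourceToken")
    if not identity:
        raise SecurityException("propagation requested but no identity is set")
    return identity
```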

The following topics in this section provide more detailed information about message flow security:

Related concepts
Identity
Authentication
Identity mapping
Authorization
Identity propagation
Security profiles
Security exception processing
Message flow security
Related tasks
Configuring identity
Configuring a security profile
Creating a security profile for LDAP
Configuring authentication
Configuring identity mapping
Configuring authorization
Configuring a message flow for identity propagation
Related reference
mqsicreateconfigurableservice command
mqsideleteconfigurableservice command
mqsichangeproperties command
mqsireportproperties command
MQInput node
HTTPInput node
HTTPRequest node
MQOutput node

Copyright IBM Corporation 1999, 2007. All Rights Reserved.