Security considerations for service integration buses

There are a number of considerations that apply to service integration buses. Messaging security ensures that users are authenticated, resources are protected by security checks and messages are secure when they are in transit.

This topic describes the key security considerations for service integration buses. For more general information about security issues, see Learning about service integration security.

You can enable bus security so that access to the bus itself and to all destinations on the bus must be authorized. For bus security to be enabled, WebSphere® Application Server global security must also be enabled. Refer to Messaging security for more information.

When a bus is created, an initial set of authorization permissions is created. These permissions grant all authenticated users access to the bus and to all local destinations. Refer to Administering authorization permissions for more information about controlling access to bus resources.

When bus security is enabled, you must set the Inter-engine authentication alias property to control the authentication of messaging engines joining the bus and for secure communication between messaging engines. Similarly, the Mediations authentication alias property is used for mediations that access the bus. Refer to Adding a bus for further information.

You can use secure transport connections to ensure confidentiality and integrity of messages in transit between application clients, the bus, and between messaging engines. This is achieved by defining transport chains and then referencing the transport chain name as follows: For more information, see Secure transport considerations.

In the routing definitions for connections to foreign buses, the user ID applied to messages entering or leaving the foreign bus can be replaced by values specified by the Inbound user ID and Outbound user ID properties. For more information, see Adding a foreign bus.

The ability to authenticate access to a foreign bus is provided by the Authentication alias property of the service integration bus link . An authentication alias is defined at both ends of the foreign bus link between two secure buses. The user ID specified on the foreign bus link must be the same at both ends of the foreign bus link for authorization purposes. For example, consider a scenario where two messaging engines are connected by a foreign bus link. Messaging engine A presents the user ID and password to messaging engine B so that messaging engine B can authenticate messaging engine A. For details about creating a foreign bus link, see Adding a service integration bus link.




Related concepts
Planning issues for bus topologies
Planning issues for multiple-bus topologies
Planning issues for topologies that include WebSphere MQ
Learning about service integration buses
Related tasks
Connecting buses
Concept topic    

Terms of Use | Feedback

Last updated: Aug 29, 2010 9:31:45 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-mp&topic=cjj0009_
File name: cjj0009_.html