Queue-based security, that uses mini-certificate based mutual authentication and message-level security, that uses digital signature, have triggered the concept of authenticatable entity. In the case of mutual authentication it is normal to think about the authentication between two users but, messaging generally has no concept of users. The normal users of messaging services are applications and they handle the user concept.
WebSphere MQ Everyplace abstracts the concept of target of authentication from user (person) to authenticatable entity. This does not exclude the possibility of authenticatable entities being people, but this would be application selected mapping.
Internally, WebSphere MQ Everyplace defines all queue managers that can either originate or be the target of mini-certificate dependent services as authenticatable entities. WebSphere MQ Everyplace also defines queues defined to use mini-certificate based authenticators as authenticatable entities. So queue managers that support these services can have one (the queue manager only), or a set (the queue manager and every queue that uses certificate based authenticator) of authenticatable entities.
WebSphere MQ Everyplace provides configurable options to enable queue managers and queues to auto-register as an authenticatable entity. WebSphere MQ Everyplace private registry service (MQePrivateRegistry) provides services that enable an WebSphere MQ Everyplace application to auto-register authenticatable entities and manage the resulting credentials.
All application registered authenticatable entities can be used as the initiator or recipient of message-level services protected using MQeMTrustAttribute.
To be useful every authenticatable entity needs its own credentials. This provides two challenges, firstly how to execute registration to get the credentials, and secondly where to manage the credentials in a secure manner. WebSphere MQ Everyplace private registry services help to solve these two problems. These services can be used to trigger auto-registration of an authenticatable entity creating its credentials in a secure manner and they can also be used to provide a secure repository.
Private registry (a descendent of base registry) adds to base registry many of the qualities of a secure or cryptographic token. For example, it can be a secure repository for public objects (mini-certificates) and private objects (private keys). It provides a mechanism to limit access to the private objects to the authorized user. It provides support for services (for example digital signature, RSA decryption) in such a way that the private objects never leave the private registry. Also, by providing a common interface, it hides the underlying device support.
WebSphere MQ Everyplace provides default services that support auto-registration. These services are automatically triggered when an authenticatable entity is configured; for example when a queue manager is started, or when a new queue is defined, or when an WebSphere MQ Everyplace application uses MQePrivateRegistry directly to create a new authenticatable entity. When registration is triggered, new credentials are created and stored in the authenticatable entity's private registry. Auto-registration steps include generating a new RSA key pair, protecting and saving the private key in the private registry; and packaging the public key in a new-certificate request to the default mini-certificate server. Assuming the mini-certificate server is configured and available, and the authenticatable entity has been pre-registered by the mini-certificate server (is authorized to have a certificate), the mini-certificate server returns the authenticatable entity's new mini-certificate, along with its own mini-certificate and these, together with the protected private key, are stored in the authenticatable entity's private registry as the entity's new credentials.
While auto-registration provides a simple mechanism to establish an authenticatable entity's credentials, in order to support message-level protection, the entity requires access to its own credentials (facilitating digital signature) and to the intended recipient's public key (mini-certificate).