Service integration security

Messaging security ensures that service integration bus users are authenticated, resources are protected by security checks, and messages are secured when they are in transit. Use these topics to learn how to secure the service integration bus and protect messages that are sent and received.

Security covers all of the following areas:
  • Authenticating and authorizing users that attempt to connect to a bus, and use its resources.
  • Securing communication transports between clients and messaging engines, and between messaging engines themselves.
  • Authenticating peer messaging engines in a bus.
  • Protecting the message store with a user identity.
When a bus is created with bus security enabled, the following conditions apply:
  • The bus requires client authentication.
  • The bus enforces authorization policy.
  • The bus requires use of SSL transport chains.
You can use secure transport connections to ensure the confidentiality and integrity of messages that are in transit between application clients, the bus, and between messaging engines. This is achieved by defining transport chains and then referencing the transport chain name as follows:
  • For application client connections: from the connection factory administered objects.
  • For connections to foreign buses: from the Target inbound transport chain property of the service integration bus link.
  • For connections to IBM MQ: from the Transport chain property of the WebSphere® MQ link.
  • For connections between messaging engines: from the Inter-engine transport chain property of the bus.
For more information, see Secure transport configuration requirements.
Note: When a secure bus is created, only SSL protected messaging chains are permitted. For example, you can use the InboundSecureMessaging transport chain.

In the routing properties for the service integration bus link for a foreign bus connection, the user ID applied to messages entering or leaving the foreign bus can be replaced by values specified by the Inbound user ID and Outbound user ID properties.

The ability to authenticate access to a foreign bus is provided by the Authentication alias property of the service integration bus link. You can specify an authentication alias at each end of the service integration bus link between two secure buses when you create each foreign bus connection. The user ID you specify in the authentication alias on each side of the link must be the same for authorization purposes. For example, consider a scenario where two messaging engines are connected by a service integration bus link. Messaging engine A presents the user ID and password to messaging engine B so that messaging engine B can authenticate messaging engine A. For details about creating a foreign bus connection, and therefore a service integration bus link, see Configuring foreign bus connections.