Routing protected messages using IBM Integration Bus
Advanced Message Security can protect messages in an infrastructure where IBM® Integration Bus, or WebSphere® Message Broker 8.0.0.1 (or later), is installed. You should understand the nature of both products before applying security in the IBM Integration Bus environment.
About this task
Scenario 1 - Integration Bus cannot see message content
Before you begin
If you already have a queue manager, replace QMgrName with this existing queue manager name in the commands that follow.
About this task
In this scenario, alice puts messages on the protected queue QIN. Based on the message property routeTo, the message is routed either to bob's (QBOB), cecil's (QCECIL), or the default (QDEF) queue. The routing is possible because Advanced Message Security protects only the message payload; its headers and properties remain unprotected and can be read by IBM Integration Bus. Advanced Message Security is used only by alice, bob and cecil; it is not necessary to install or configure it for IBM Integration Bus.
IBM Integration Bus receives the protected message from the unprotected alias queue in order to avoid any attempt to decrypt the message. If it were to use the protected queue directly, the message would be put onto the dead-letter queue because it cannot be decrypted. The message is routed by IBM Integration Bus and arrives on the target queue unchanged. Therefore it is still signed by the original author (both bob and cecil accept only messages sent by alice) and protected as before (only bob and cecil can read it). IBM Integration Bus puts the routed message onto an unprotected alias. The recipients retrieve the message from a protected output queue, where Advanced Message Security transparently decrypts it.
Procedure
Results
When alice puts a message on the QIN queue, the message is protected. It is retrieved in protected form by IBM Integration Bus from the AIN alias queue. IBM Integration Bus decides where to route the message by reading the routeTo property which, like all properties, is not encrypted. IBM Integration Bus places the message on the appropriate unprotected alias, avoiding its further protection. When received by bob or cecil from the protected queue, the message is decrypted and the digital signature is verified.
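The queue and policy definitions behind Scenario 1, as an added example that is not part of the IBM page or of any IBM sample. It assumes the queue manager QMgrName, the IIB-facing alias names ABOB, ACECIL and ADEF (the page names only AIN), the algorithms SHA256/AES256, and the constructed distinguished names below. Commands are echoed by default (dry run); set MQ_RUN to an empty string to execute them against a real queue manager. The last function reads the output of `dspmqspl -m QMgrName -export` and fails if any alias used by IIB carries a policy, which is the misconfiguration that sends messages to the dead-letter queue.

```shell
#!/bin/sh
# Added example (not from the IBM page): MQSC and setmqspl commands for Scenario 1,
# plus a check that no alias opened by IBM Integration Bus has an AMS policy.
# Assumptions not on the page: alias names ABOB/ACECIL/ADEF, SHA256/AES256,
# and the constructed DNs below.
QM="${QM:-QMgrName}"
ALICE_DN="CN=alice,O=Example,C=GB"
BOB_DN="CN=bob,O=Example,C=GB"
CECIL_DN="CN=cecil,O=Example,C=GB"

# Dry run by default: commands are echoed. Export MQ_RUN= (empty) to execute them.
MQ_RUN="${MQ_RUN-echo}"

# MQSC: one protected local queue per party, plus the unprotected alias that IIB
# opens instead. Apply with: scenario1_mqsc | runmqsc "$QM"
scenario1_mqsc() {
  cat <<'EOF'
DEFINE QLOCAL(QIN) REPLACE
DEFINE QALIAS(AIN) TARGET(QIN) REPLACE
DEFINE QLOCAL(QBOB) REPLACE
DEFINE QALIAS(ABOB) TARGET(QBOB) REPLACE
DEFINE QLOCAL(QCECIL) REPLACE
DEFINE QALIAS(ACECIL) TARGET(QCECIL) REPLACE
DEFINE QLOCAL(QDEF) REPLACE
DEFINE QALIAS(ADEF) TARGET(QDEF) REPLACE
EOF
}

# AMS policies are keyed by the queue name an application opens, so only the Q*
# queues get one and the aliases stay unprotected. alice is the only accepted signer
# everywhere; bob and cecil are the only recipients, so a message routed unchanged
# from QIN is still readable on QBOB or QCECIL. (QDEF recipients are an assumption.)
scenario1_policies() {
  $MQ_RUN setmqspl -m "$QM" -p QIN    -s SHA256 -e AES256 -a "$ALICE_DN" -r "$BOB_DN" -r "$CECIL_DN"
  $MQ_RUN setmqspl -m "$QM" -p QBOB   -s SHA256 -e AES256 -a "$ALICE_DN" -r "$BOB_DN"
  $MQ_RUN setmqspl -m "$QM" -p QCECIL -s SHA256 -e AES256 -a "$ALICE_DN" -r "$CECIL_DN"
  $MQ_RUN setmqspl -m "$QM" -p QDEF   -s SHA256 -e AES256 -a "$ALICE_DN" -r "$BOB_DN" -r "$CECIL_DN"
}

# Check: read policy export text on stdin (as produced by dspmqspl -m "$QM" -export)
# and fail if any alias IIB uses has a policy. A policy on AIN would make AMS try to
# decrypt on IIB's behalf, and the message would land on the dead-letter queue.
check_aliases_unprotected() {
  names=$(sed -n 's/^setmqspl .*-p \([^ ]*\).*/\1/p')
  rc=0
  for alias in AIN ABOB ACECIL ADEF; do
    for n in $names; do
      [ "$n" = "$alias" ] && { echo "alias $alias has an AMS policy; IIB cannot read it" >&2; rc=1; }
    done
  done
  return $rc
}
```

Typical use after the definitions have been applied: `dspmqspl -m QMgrName -export | check_aliases_unprotected` returns non-zero as soon as someone has attached a policy to one of the aliases, which is a cheap check to keep in a deployment pipeline.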
Scenario 2 - Integration Bus can see message content
About this task
mqsireload execution-group-name
If IBM Integration Bus is considered an authorized party allowed to read or sign the message payload, you must configure Advanced Message Security for the user who starts the IBM Integration Bus service. Be aware that this is not necessarily the same user who puts or gets the messages on the queues, nor the user who creates and deploys the IBM Integration Bus applications.
Procedure
Results
Messages put on the input queue IN are encrypted, allowing only IBM Integration Bus to read them. IBM Integration Bus accepts only messages from alice and bob and rejects any others. The accepted messages are processed as appropriate, then signed and encrypted with cecil's and dave's keys before being put onto the output queue OUT. Only cecil and dave are capable of reading them; messages not signed by IBM Integration Bus are rejected.
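The policy and keystore configuration behind Scenario 2, as an added example that is not part of the IBM page or of any IBM sample. It assumes the queue manager QMgrName, SHA256/AES256, constructed distinguished names (including one for the IBM Integration Bus service user), and a CMS keystore; the policy names IN and OUT are the queues the page describes. The keystore.conf writer takes the home directory of the OS user that starts the integration node, because Advanced Message Security reads `$HOME/.mqs/keystore.conf` of the process owner, so a file in the developer's or deployer's home has no effect on the running service.

```shell
#!/bin/sh
# Added example (not from the IBM page): AMS setup for Scenario 2, where IIB is a
# trusted party. Assumptions not on the page: constructed DNs, SHA256/AES256, and a
# CMS keystore path. Commands are echoed by default; export MQ_RUN= to execute.
QM="${QM:-QMgrName}"
ALICE_DN="CN=alice,O=Example,C=GB"
BOB_DN="CN=bob,O=Example,C=GB"
CECIL_DN="CN=cecil,O=Example,C=GB"
DAVE_DN="CN=dave,O=Example,C=GB"
IIB_DN="CN=iib,O=Example,C=GB"    # certificate held by the IIB service user
MQ_RUN="${MQ_RUN-echo}"

scenario2_policies() {
  # IN: only alice and bob are accepted signers; only IIB can decrypt.
  $MQ_RUN setmqspl -m "$QM" -p IN  -s SHA256 -e AES256 -a "$ALICE_DN" -a "$BOB_DN" -r "$IIB_DN"
  # OUT: only IIB is an accepted signer; only cecil and dave can decrypt.
  $MQ_RUN setmqspl -m "$QM" -p OUT -s SHA256 -e AES256 -a "$IIB_DN" -r "$CECIL_DN" -r "$DAVE_DN"
}

# Write keystore.conf for the OS user that starts the IIB service.
#   $1 = that user's home directory, $2 = CMS keystore path without .kdb extension,
#   $3 = label of the IIB certificate in that keystore.
write_iib_keystore_conf() {
  home="$1"; keystore="$2"; label="$3"
  mkdir -p "$home/.mqs"
  printf 'cms.keystore = %s\ncms.certificate = %s\n' "$keystore" "$label" > "$home/.mqs/keystore.conf"
  chmod 600 "$home/.mqs/keystore.conf"
}

# Check a keystore.conf: returns 1 if a required key is missing, 2 if the keystore
# file is not readable by the current user (run this as the IIB service user).
check_keystore_conf() {
  conf="$1"
  ks=$(sed -n 's/^cms\.keystore *= *//p' "$conf")
  label=$(sed -n 's/^cms\.certificate *= *//p' "$conf")
  [ -n "$ks" ] && [ -n "$label" ] || { echo "$conf: cms.keystore or cms.certificate missing" >&2; return 1; }
  [ -r "$ks.kdb" ] || { echo "$ks.kdb is not readable by $(id -un)" >&2; return 2; }
  return 0
}

# After changing policies or the keystore, reload the execution group so the running
# flow picks up the new AMS configuration (the mqsireload command named on the page).
reload_iib() {
  $MQ_RUN mqsireload "$1"
}
```

Run `check_keystore_conf ~/.mqs/keystore.conf` while logged in as the service user, not as the deployer: the return code 2 case is exactly the "right file, wrong user" mistake the page warns about, and it only shows up under the identity that actually owns the integration node process.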