Data integrity of messages
To maintain data integrity, you can use various types of user exit programs to provide message digests or digital signatures for your messages.
Data integrity
- Implementing data integrity in messages
- When you use TLS, your choice of CipherSpec determines the level of data integrity in the enterprise. If you use the IBM® MQ Advanced Message Service (AMS) you can specify the integrity for a unique message.
- Implementing data integrity in message exits
- A message can be digitally signed by a message exit at the sending end of a channel. The digital signature can then be checked by a message exit at the receiving end of a channel to detect whether the message has been deliberately modified.
Some protection can be provided by using a message digest instead of a digital signature. A message digest might be effective against casual or indiscriminate tampering, but it does not prevent a more informed individual from changing or replacing the message and generating a completely new digest for it. This is particularly true if the algorithm that is used to generate the message digest is a well-known one.
- Implementing data integrity in send and receive exits
- On a message channel, message exits are more appropriate for providing this service because a message exit has access to a whole message. On an MQI channel, parameters on MQI calls might contain application data that needs to be protected and only send and receive exits can provide this protection.
- Implementing data integrity in the API exit or API-crossing exit
- A message can be digitally signed by an API or API-crossing exit when the message is put by the sending application. The digital signature can then be checked by a second exit when the message is retrieved by the receiving application to detect whether the message has been deliberately modified.
Some protection can be provided by using a message digest instead of a digital signature. A message digest might be effective against casual or indiscriminate tampering, but it does not prevent a more informed individual from changing or replacing the message and generating a completely new digest for it. This is particularly true if the algorithm that is used to generate the message digest is a well-known one.
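The digest-versus-signature distinction made under both the message exit and the API exit entries above, as an added Python example (not IBM MQ code and not an exit program): an unkeyed SHA-256 digest is compared with a keyed check on the receiving side. HMAC-SHA256 with a shared key stands in for the digital signature here, because it shows the same property (the tag cannot be regenerated without the key) using only the standard library; the function names, key and payloads are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 and HMAC-SHA256 both produce 32-byte tags


def add_digest(payload: bytes) -> bytes:
    """Sending side: append an unkeyed SHA-256 digest."""
    return payload + hashlib.sha256(payload).digest()


def check_digest(message: bytes) -> bool:
    """Receiving side: recompute the digest and compare."""
    if len(message) < TAG_LEN:
        return False  # too short to carry a tag at all
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(payload).digest(), tag)


def add_keyed_tag(payload: bytes, key: bytes) -> bytes:
    """Sending side: append a tag that depends on a secret key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def check_keyed_tag(message: bytes, key: bytes) -> bool:
    """Receiving side: only a holder of the key can produce a valid tag."""
    if len(message) < TAG_LEN:
        return False
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def replace_and_redigest(new_payload: bytes) -> bytes:
    """The deliberate modification the text describes: a replaced
    message with a freshly generated digest. No key is needed."""
    return new_payload + hashlib.sha256(new_payload).digest()


def demo() -> dict:
    key = b"constructed-demo-key"              # constructed sample key
    original = b"PAY 100.00 TO ACCT 1111"      # constructed sample payload
    replaced = replace_and_redigest(b"PAY 900.00 TO ACCT 2222")
    corrupted = bytearray(add_digest(original))
    corrupted[0] ^= 0x01                       # indiscriminate change, digest untouched
    return {
        "digest_intact_accepted": check_digest(add_digest(original)),
        "digest_corrupted_accepted": check_digest(bytes(corrupted)),
        "digest_replaced_accepted": check_digest(replaced),
        "keyed_intact_accepted": check_keyed_tag(add_keyed_tag(original, key), key),
        "keyed_replaced_accepted": check_keyed_tag(replaced, key),
    }
```

The digest check rejects the corrupted message but accepts the replaced one; the keyed check rejects the replacement because its tag was produced without the key.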
Further information
See the section on Enabling CipherSpecs for more information on ensuring data integrity.