IBM Support

IBM App Connect Enterprise 11.0 and 12.0, and IBM Integration Bus 10.0 support for Security Enhanced Linux

IBM Integration Bus 10.0.0.4, IBM App Connect Enterprise 11.0.0.0, and IBM App Connect Enterprise 12.0.1.0 (or later versions) can be run with Security Enhanced Linux (SELinux) enabled on Red Hat Enterprise Linux, subject to some restrictions. This document describes the requirements for running these product versions in an environment where SELinux is enabled.

Environment


 IBM App Connect Enterprise in containers
When running IBM App Connect Enterprise 11.0.0.0 or above in containers, SELinux can be enabled and in "enforcing" mode only when you are using the standard Red Hat container SELinux policy. This is the policy that is used in the Red Hat OpenShift Container Platform.

IBM Integration Bus 10.0 and IBM App Connect Enterprise in non-containerized environments
 
If you are running outside of containers, then to run IBM Integration Bus 10.0 or IBM App Connect Enterprise in a supported configuration with SELinux enabled, the system must satisfy all of the following requirements. Any system that does not meet these requirements must have SELinux disabled.

Product version

The IBM Integration Bus or IBM App Connect Enterprise versions required for SELinux support are:

  • IBM Integration Bus 10.0.0.4 (or later)
  • IBM App Connect Enterprise 11.0.0.0 (or later)
  • IBM App Connect Enterprise 12.0.1.0 (or later)

Use of SELinux with IBM Integration Bus 10.0.0.3 (or earlier) is not supported: SELinux must be disabled for those versions.

Operating system version

The operating system must meet the following minimum version, depending on the product version:

  • Red Hat Enterprise Linux version 6.5 or later for IBM Integration Bus v10.0.
  • Red Hat Enterprise Linux version 7.4 or later for IBM App Connect Enterprise 11.0 on Linux for x86_64.
  • Red Hat Enterprise Linux version 8.0 or later for IBM App Connect Enterprise 11.0 on Linux for s390x.
  • Red Hat Enterprise Linux version 8.0 or later for IBM App Connect Enterprise 12.0.

There are no hardware architecture requirements: this support statement applies to all Red Hat Enterprise Linux hardware architectures supported by the stated IBM Integration Bus and IBM App Connect Enterprise versions.

SELinux configuration

SELinux must be configured as follows, if using IBM Integration Bus 10.0 or IBM App Connect Enterprise outside of containers:

  1. The Red Hat Enterprise Linux targeted SELinux policy provided with the operating system must be used. The SELINUXTYPE=targeted option must be set in the SELinux configuration.
  2. All IBM Integration Bus 10.0 or IBM App Connect Enterprise applications, control commands, integration nodes and integration servers must run in an unconfined SELinux security context (for example, SELinux user `unconfined_u`).
  3. Do not alter the operating system SELinux security policy to impose additional restrictions on unconfined applications.
  4. SELinux must not deny access to the `/var/mqsi` directory, the product install directory, any HA work path directories used by integration nodes, or the work directory of an independent integration server by IBM Integration Bus 10.0 or IBM App Connect Enterprise applications, control commands, integration nodes, and integration servers.
  5. Use of Multi-Level Security (MLS) with multiple sensitivity levels is not supported. All of the IBM Integration Bus and App Connect Enterprise applications, control commands, integration nodes, and integration servers on the system must run at the same SELinux sensitivity level.

You can use SELinux in either enforcing or permissive mode provided these requirements are satisfied.

Verifying the Configuration

To check the SELinux configuration, run the `sestatus` command. If SELinux is enabled, the output should be similar to the following:

    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 24
    Policy from config file:        targeted

The policy should be "targeted" and the current mode should be either "enforcing" or "permissive". The mode from config file may differ from the current mode in some cases, but it is the current mode which is significant. Note that the values of the other fields may vary between systems and may differ from those shown here.

To check which SELinux security context your command shell is using, run the `id -Z` command. The output should be similar to the following:

    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The security context should have an unconfined user (e.g. unconfined_u) running at a single sensitivity level (for example, s0). This example shows an unconfined security context suitable for running IBM Integration Bus v10.0 or IBM App Connect Enterprise v11.0 applications, control commands and queue managers. Note that the security context may vary between systems and may differ from that shown here.
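The two checks above can be scripted. The following is an added example, not IBM's code: it parses `sestatus` and `id -Z` output and applies this page's requirements. The function names, the constructed sample inputs, and the handling of the `Loaded policy name` label that newer `sestatus` versions print are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical function names): validate sestatus / id -Z output.

# field LABEL TEXT -> value of the first "LABEL:   value" line in TEXT
field() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p" | sed 's/[[:space:]]*$//' | head -n 1
}

# check_sestatus TEXT -> 0 if SELinux is disabled or configured as required
check_sestatus() {
    rc=0
    [ "$(field 'SELinux status' "$1")" = enabled ] || { echo "SELinux not enabled: nothing to check"; return 0; }
    # Older releases print "Policy from config file", newer "Loaded policy name".
    policy=$(field 'Policy from config file' "$1")
    [ -n "$policy" ] || policy=$(field 'Loaded policy name' "$1")
    [ "$policy" = targeted ] || { echo "FAIL: policy is '$policy', must be targeted"; rc=1; }
    # Only the current mode is significant, not the mode from the config file.
    mode=$(field 'Current mode' "$1")
    case "$mode" in
        enforcing|permissive) ;;
        *) echo "FAIL: unexpected current mode '$mode'"; rc=1 ;;
    esac
    return $rc
}

# check_context CONTEXT -> 0 if unconfined user at a single sensitivity level
check_context() {
    rc=0
    user=${1%%:*}
    level=$(printf '%s' "$1" | cut -d: -f4-)   # e.g. s0-s0:c0.c1023
    low=${level%%-*};  low=${low%%:*}          # sensitivity before the dash
    high=${level#*-};  high=${high%%:*}        # sensitivity after the dash
    # unconfined_u is the example user on this page; adjust if yours differs.
    [ "$user" = unconfined_u ] || { echo "FAIL: SELinux user '$user' is not unconfined_u"; rc=1; }
    [ -n "$low" ] && [ "$low" = "$high" ] || { echo "FAIL: sensitivity range '$low'-'$high' is not a single level"; rc=1; }
    return $rc
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_OK='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          enforcing
Policy from config file:        targeted'
SAMPLE_MLS_CTX='unconfined_u:unconfined_r:unconfined_t:s0-s15:c0.c1023'

# Run against the live system only when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    out=$(sestatus)
    check_sestatus "$out" || exit 1
    [ "$(field 'SELinux status' "$out")" != enabled ] || check_context "$(id -Z)"
fi
```

Run the script with `--live` from the shell that will start the integration nodes or servers, since `id -Z` reports the context of the calling shell.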

Refer to your Linux support vendor if you require assistance with SELinux configuration.


Document Information

Modified date: 26 May 2021

UID

ibm16406668