IBM United States
Software Announcement 201-341
November 27, 2001
Tivoli Policy Director for MQSeries Version 3.8 Enhanced to Support S/390 and Java Applications
At a Glance
Enhancements to Policy Director for MQSeries V3.8 include:
New capability for zSeries 900 and S/390: support added for OS/390 and z/OS
New functions on distributed servers (Intel® class, RS/6000®, Sun)
For ordering, contact:
Your IBM representative, an IBM Business Partner, or IBM Americas Call Centers at 800-IBM-CALL (Reference: YE001).
IBM is announcing a major enhancement to Tivoli® Policy Director for MQSeries®.
The key features of this new release are:
You can now deploy a single security management solution for MQSeries that covers the messages associated with your core line of business applications as they traverse across both mainframe and distributed servers.
New functions available on distributed servers include:
These new functions greatly extend the types of applications and associated environments that are compatible with Policy Director for MQSeries.
Tivoli Policy Director for MQSeries is a security solution for IBM MQSeries. It provides access control services to restrict which applications can access MQSeries resources.
All of the services are provided transparently to both applications and MQSeries itself. This means that you do not need to make changes to your existing applications or to the general MQSeries environment to make use of all the functions of Tivoli Policy Director for MQSeries.
Tivoli Policy Director for MQSeries V3.8 requires one of the following platforms:
Planned Availability Dates
End of Support
Based on the Tivoli end-of-support policy, Tivoli support for Tivoli SecureWay® Policy Director for MQSeries V3.7 will be discontinued on December 14, 2002.
Tivoli support for Tivoli Policy Director for MQSeries V3.8.0 will be discontinued on April 26, 2003.
Tivoli Policy Director for MQSeries is a comprehensive security solution for IBM MQSeries. It provides access control services to restrict which applications can open an MQSeries resource and then "put" or "get" messages on specific queues. On Windows servers, it can even control access down to specific users of those applications. It also allows customers to set a specific quality of protection policy that will be enforced on each message. Quality of protection options include three choices: none, message integrity, or privacy. Message integrity services are done using digital signatures that are based on public keys associated with the sending and receiving applications. Administration of these security policies is done via a Web-based, central administration tool that replaces the need to have an administrator set these access control rules locally at each server's console. This administration tool also supports multiple levels of delegation allowing a resource owner to maintain and manage control of their own resources. All of these services are provided transparently to both applications and MQSeries itself. This means that you do not need to make changes to your existing applications or to the general MQSeries environment to make use of all the functions of Tivoli Policy Director for MQSeries.
Key features of Policy Director for MQSeries include:
Key new features of this release of Policy Director for MQSeries:
Note: Items above, marked as part of V3.8.1, will not be included in the general availability of this release but instead will be delivered via an update committed for delivery April 26, 2002. Customers will be able to apply this update to their existing deployment without needing to remove or reconfigure the general availability code image.
You can now deploy a single security management solution for MQSeries that covers the messages associated with your core line of business applications as they traverse across both mainframe and distributed servers. The new functions provided in this release greatly extend the types of applications and associated environments that are compatible with Policy Director for MQSeries. This allows you to deploy Policy Director for MQSeries on the majority of the servers making up the MQSeries environment across your enterprise.
Policy Director for MQSeries provides an "interceptor" process that sits between an MQSeries application and MQSeries itself. Calls made by the application to MQSeries for services are captured by this interceptor. The first time an application makes a request to "open" an MQSeries queue with the intent to next either "put" or "get" a message, the interceptor verifies that the application making this request is authorized to perform that action. To do this, the interceptor goes through an authentication step to determine the identity of the application. On the Windows NT and Windows 2000 platforms only, this authentication step can be configured to push the authentication process all the way out to the user of the application rather than the application itself. In that environment, the security system prompts the user of the application to choose among the credentials resident on that server and then enter their password, so that they cannot log in with another user's credentials.
These credentials are public key based, allowing Policy Director for MQSeries to digitally sign messages, when requested, with keys directly tied to the identity of the originator of that message. It also allows the security system to bind a non-platform-specific ID to each message. This public key-based ID can later be interpreted and recognized when that message is received on a server running a different operating system. This allows the security system to identify rogue messages that might be injected into the MQSeries network by a hacker or an unauthorized employee.
In addition to the interceptor code, Policy Director for MQSeries for use on distributed servers also includes a master security policy server, a Web-based administration tool, and an LDAP V3 compliant directory. When deployed, the interceptor code, running on each MQSeries server, receives the policy information it needs from the master policy server. Rather than have to go to the master policy server each time it has to make an authorization decision, the master policy server pushes down a complete replica of the policy data to each interceptor allowing it to make all authorization decisions using local data. This provides two key benefits to customers. First, all interceptors can continue processing using their local security policy replicas even if the master policy server goes down. Second, performance of the security system is very fast since it is always acting on local policy data once the replica has been downloaded.
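The interceptor flow described above, modelled as an added example (this is not IBM's or Tivoli's code, and it invents nothing about the product's real file formats or APIs): a local policy replica pushed down from the master policy server is consulted for every open/put/get decision, the per-queue quality of protection is enforced, and with the "integrity" option the message is signed with a key tied to the originating application's identity so that a second interceptor on the receiving server can reject a rogue or altered message. The queue names, application identities, the dictionary layout of the replica, and the textbook-sized RSA key pairs are all constructed for the example; only the "none" and "integrity" protection levels are modelled (the "privacy" level would add encryption, which is left out).

```python
import hashlib

# Toy textbook RSA (constructed, far too small to be secure; illustration only).
def toy_keypair(p, q, e=17):
    """Return ((n, e), (n, d)) for two small primes; never use such keys for real."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(origin, body, n):
    """Hash the originator identity together with the body, reduced into the key's range."""
    h = hashlib.sha256(origin.encode() + b"\x00" + body).digest()
    return int.from_bytes(h, "big") % n

def sign(priv, value):
    n, d = priv
    return pow(value, d, n)

def verify(pub, value, sig):
    n, e = pub
    return pow(sig, e, n) == value

# Hypothetical identities: one key pair per application, public halves known everywhere.
PAYMENTS_PUB, PAYMENTS_PRIV = toy_keypair(61, 53)
LEDGER_PUB, LEDGER_PRIV = toy_keypair(59, 53)
PUBLIC_KEYS = {"payments-app": PAYMENTS_PUB, "ledger-app": LEDGER_PUB}

# Constructed policy replica: per queue, which application may do which action,
# plus the quality of protection the policy requires on that queue.
POLICY_REPLICA = {
    "PAYMENTS.IN": {
        "acl": {"payments-app": {"open", "put"}, "ledger-app": {"open", "get"}},
        "qop": "integrity",
    },
    "AUDIT.LOG": {"acl": {"ledger-app": {"open", "put", "get"}}, "qop": "none"},
}

class Interceptor:
    """Sits between one server's applications and its queue manager."""

    def __init__(self, replica, private_keys, public_keys):
        self.replica = replica            # pushed down by the master policy server
        self.private_keys = private_keys  # only this server's own application identities
        self.public_keys = public_keys    # identities recognised on any platform
        self.audit = []                   # (app, queue, action, decision)

    def authorize(self, app, queue, action):
        # Every decision is made against the local replica, never a remote call.
        entry = self.replica.get(queue, {})
        ok = action in entry.get("acl", {}).get(app, set())
        self.audit.append((app, queue, action, "PERMIT" if ok else "DENY"))
        return ok

    def put(self, app, queue, body):
        # The open-with-intent-to-put and the put itself are both checked.
        if not (self.authorize(app, queue, "open") and self.authorize(app, queue, "put")):
            raise PermissionError(f"{app} may not put on {queue}")
        msg = {"origin": app, "body": body}
        if self.replica[queue]["qop"] == "integrity":
            priv = self.private_keys[app]
            msg["sig"] = sign(priv, digest(app, body, priv[0]))
        return msg

    def get(self, app, queue, msg):
        if not (self.authorize(app, queue, "open") and self.authorize(app, queue, "get")):
            raise PermissionError(f"{app} may not get from {queue}")
        if self.replica[queue]["qop"] == "none":
            return msg["body"]
        pub = self.public_keys.get(msg.get("origin"))
        if pub is None or "sig" not in msg:
            raise ValueError("rejected: unsigned or unknown-origin message")
        if not verify(pub, digest(msg["origin"], msg["body"], pub[0]), msg["sig"]):
            raise ValueError("rejected: signature does not match body and origin")
        return msg["body"]

def run_scenarios():
    """Exercise the flows the text describes; returns the decisions for inspection."""
    sender = Interceptor(POLICY_REPLICA, {"payments-app": PAYMENTS_PRIV}, PUBLIC_KEYS)
    receiver = Interceptor(POLICY_REPLICA, {"ledger-app": LEDGER_PRIV}, PUBLIC_KEYS)
    results = {}
    msg = sender.put("payments-app", "PAYMENTS.IN", b"PAY 100.00 ACCT 42")
    results["signed"] = "sig" in msg
    results["delivered"] = receiver.get("ledger-app", "PAYMENTS.IN", msg)
    # A rogue message placed on the network without passing through an interceptor.
    rogue = {"origin": "payments-app", "body": b"PAY 999999.00 ACCT 13"}
    try:
        receiver.get("ledger-app", "PAYMENTS.IN", rogue)
        results["rogue"] = "accepted"
    except ValueError as exc:
        results["rogue"] = str(exc)
    # A genuinely signed message whose body was altered in transit.
    tampered = dict(msg, body=b"PAY 100.00 ACCT 13")
    try:
        receiver.get("ledger-app", "PAYMENTS.IN", tampered)
        results["tampered"] = "accepted"
    except ValueError as exc:
        results["tampered"] = str(exc)
    # An application with open/get rights but no put right is refused.
    try:
        sender.put("ledger-app", "PAYMENTS.IN", b"x")
        results["unauthorized_put"] = "accepted"
    except PermissionError:
        results["unauthorized_put"] = "denied"
    results["audit"] = sender.audit + receiver.audit
    return results

if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, value)
```

Because both interceptors hold the same replica, the sending side can refuse an unauthorized put before anything reaches the network, and the receiving side can still verify the originator's identity from its own copy of the public keys even while the master policy server is unavailable, which is the availability and performance point the paragraph makes.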
When deploying Policy Director for MQSeries on either OS/390 or z/OS, the customer must ensure that the Policy Director Authorization Services for z/OS and OS/390 (5655-F95) is first installed. This product is not included with Policy Director for MQSeries but instead is available as the separate non-priced product (5655-F95) that a customer must order and install on either OS/390 or z/OS. It provides the local authorization runtime services for these platforms. Refer to the section on software prerequisites for part numbers and versions. Note that the authorization runtime services for AIX, Solaris, and Windows operating systems are included with Policy Director for MQSeries.
The administration tool is Web-based and supports multiple levels of delegation. This allows you to delegate some or all of the security management responsibility out to the departments or Business Partners who own various MQSeries resources.
The master policy server, the administration tool, and the LDAP directory included with Policy Director for MQSeries on AIX, Solaris, and Windows operating systems are the same as the ones delivered in Tivoli's award winning Web access control product Tivoli Policy Director V3.8. If a customer installs both products, a single instance of all these components can be shared between both products. Administrators could set policy for both Web objects and MQSeries objects from a single console, if desired.
The Policy Director Authorization Services for z/OS and OS/390 are at the V3.7.1 level and require the use of a V3.7.1 Policy Director management server. They will not interoperate with the V3.8 level of the Policy Director management server included with Policy Director for MQSeries V3.8 for non-mainframe servers (Windows, AIX, Solaris). This means that customers using Policy Director for MQSeries on both mainframe and distributed servers may need to deploy two Policy Director realms (management servers), one at the V3.7.1 level for MQSeries, and one at the V3.8 level for non-mainframe instances of Policy Director for MQSeries. The other choice a customer has is to configure Policy Director for MQSeries V3.8 and V3.7.1 across both mainframe and distributed platforms to use a single Policy Director V3.7.1 realm. IBM is working to update the Policy Director Authorization Services for z/OS and OS/390 to support a V3.8 Policy Director realm (management server), allowing a customer to deploy a single Policy Director V3.8 management server to support all platforms.
Policy Director for MQSeries is also designed to provide access control services for local applications attempting to access remote queues, on platforms that its interceptor does not run on today. For example, Policy Director for MQSeries can prevent an application running on any of the six different operating systems it supports today from getting, or putting, messages to a local queue that maps to a remote queue on an AS/400® or Tandem server.
Digital signing and encryption of messages requires that the Policy Director for MQSeries interceptor be running on both sides of the transaction. If data protection services are needed from a supported platform to one that isn't supported today, a customer can set up a proxy system running the interceptor as a front-end to the unsupported platform. An example scenario of this environment would be one that has a remote network of RS/6000 or IBM pSeries, Intel, or Sun servers running MQSeries transactions across public networks back to a central IS center. The requirement is to protect the transaction flows across the public network. If the server in the IS center is an AS/400 or IBM iSeries, the solution is to install the Policy Director for MQSeries interceptor on each of the remote servers, and on a new proxy server at the IS center running as a front-end processor to the AS/400. The data is then protected from each of the remote locations right into the proxy server at the IS center.
This program is not impacted by euro currency.
For information about IBM Policy Director Authorization Services for z/OS and OS/390, refer to Software Announcement 201-342, dated November 27, 2001.
Training is available for many Tivoli® products. Education is offered through IBM Education and Training, and through Tivoli Systems. Worldwide information about education offerings is available on the IBM Education and Training home page at:
For current information on Tivoli Systems education, call 512-436-8000, or visit the Tivoli Systems home page at:
Product information will be available on day of announcement through Offering Information (OITOOL) at:
Policy Director for MQSeries® Administration Reference Guide for V3.8 is the publication for distributed servers. This publication is shipped on the CD-ROM for this program.
No publications are shipped for the z/OS and OS/390® platform.
Displayable Softcopy Publications
The following manuals are offered in displayable softcopy form:
The displayable manuals are accessible from the following Web site:
These PDF manuals can be displayed or printed using Adobe Acrobat Reader licensed programs in any of the supported environments. Terms and conditions for use of the machine-readable files are shipped with the files.
Specified Operating Environment
Policy Director for MQSeries V3.8 hardware platforms are as follows:
Hardware cryptography acceleration cards supported in V3.8.1:
Policy Director for MQSeries V3.8 software platforms:
Tivoli Policy Director for MQSeries V3.8 for z/OS and OS/390 is shipped with:
Note: The following items are not included when ordering via Passport Advantage (PA) as these items are addressed in the IBM PA Agreement:
Security, Auditability, and Control
Tivoli Policy Director for MQSeries V3.8 uses the security and auditability features of the operating system software.
The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.
5698-PDM Ordering Information for Distributed Servers
Ordering instructions for 5698-PDM for distributed server usage only have not changed since the last release of Tivoli SecureWay Policy Director for MQSeries V3.7.
For ordering information on the base program number, 5698-PDM, refer to Software Announcement 200-404, dated November 14, 2000.
Current licensees of Tivoli Policy Director for MQSeries V3.7 or V3.8.0 with support in effect will receive instructions on how to order this update.
5698-PDM Ordering Information for z/OS and OS/390
Executable code for the 5698-PDM product will only be delivered via S/390 Customized Offerings Process.
Current licensees wishing to receive new releases should contact their IBM representative.
The CSFW configurator stand-alone path is updated to support the 5698-PDM z/OS and OS/390 feature. The media for this product is shipped via the S/390 Customized Offerings Process.
Product Number: 5698-PDM

                                NC Register      English Medium    Tape Cartridge
Product Name                    Feature Number   Feature Number    Medium

Tivoli Policy Director          2599             5802              3480
  for MQSeries
Ordering Information for Software Subscription and Annual Support
To order the Software Subscription and Annual Support for 5698-PDM, specify program number and feature numbers from the table below. To order a basic license, specify the program number, feature number 9001 for asset registration, and the appropriate feature numbers.
Product Number: 5698-S22

                                NC Register      English Media
Product Name                    Feature Number   Feature Number

Tivoli Policy Director          2600             6125
  for MQSeries S&S
Ordering Information for PA
For details regarding PA, refer to Software Announcement 201-203, dated July 10, 2001.
For ordering information on the S/390 Customized Offering Process, refer to Software Announcement 201-247, dated September 4, 2001.
To order a media pack for PA, specify the applicable part number in the desired quantity from the following table:
Description                                              Part Number

Tivoli Policy Director for MQSeries V3.8.0 Media Pack    BJ02UML

Effective April 26, 2002, the above Media Pack will be replaced with:

Description                                              Part Number

Tivoli Policy Director for MQSeries V3.8.1 Media Pack    BJ02YML
The quantity of the PA part numbers in the following table is based on the number of required Tivoli Management Points (TMPs). To order for PA, specify the desired part number and quantity.
Description                                              Part Number

License and Software Maintenance 1st Anniv               D57G7LL
License and Software Maintenance 2nd Anniv               D57G8LL
Software Maintenance Renewal to Anniv Date               E17GSLL
Software Maintenance after License to Anniv Date         D57H9LL
Custom Build Registration OS/390                         D50X9LL
PA Software Maintenance
Software Maintenance is included with each product authorization acquired under PA.
Software Maintenance provides an easy and effective way by which you have access, during the coverage period, to eligible new versions and releases, and to remote technical support for your covered products.
The technical support included in Software Maintenance provides remote support during normal business hours in your country or location as well as access to escalation management 24 hours a day, 7 days a week, for mission-critical (Severity 1) problems.
With Software Maintenance, you receive the following technical support benefits:
PA allows you to have a common anniversary date for Software Maintenance renewals, making it easier for you to manage and budget for access to eligible new versions and releases, and for related technical support, for your covered products. The anniversary date, established at the start of your PA Agreement, recurs on an annual basis while your PA Agreement remains in effect. However, regardless of when Software Maintenance is acquired, the coverage period for Software Maintenance is always up to the anniversary date specified in the acquisition.
Software Maintenance renewals offer you favorable pricing to continue your coverage without interruption.
Refer to the IBM International PA Advantage Agreement and to the IBM Software Maintenance Handbook for specific terms relating to, and a more complete description of, technical support provided through Software Maintenance.
Withdrawal of PA Part Numbers
The following PA part numbers are withdrawn effective immediately:
Description                                              Part Number

Tivoli SecureWay Policy Director for MQSeries V3.7       BJ7ZZIE
  Media Pack
Product media is shipped only via Customized Offerings (for example CBPDO, ServerPac, Systempac®). Non-customized items (CDs, diskettes, source media, media kits) will continue to be shipped via the stand-alone product.
Terms and Conditions
For a limited time during the migration period to PA, customers may acquire eligible programs and Tivoli Support under agreements outside of PA.
Terms and conditions for Tivoli Value-Based Pricing and IBM PA are as follows:
For orders under 5698-PDM: IBM IPLA, IBM International Agreement for Acquisition of Programs and Support (IIAAPS) and the IBM Attachment for Support, IBM Agreement for Acquisition of Support (IAAS), IBM Addendum for Support for Tivoli Systems Products under Value-Based Pricing, and an Order Form.
For orders under PA: IPLA, IBM International Passport Advantage Agreement (PAA), and an IBM International PAA Enrollment Form.
IBM PA prices are unaffected by this announcement.
Tivoli Value-Based prices are unaffected by this announcement. TMPs have been added to reflect the z/OS and OS/390 platforms.
For PA and charges, contact your authorized IBM Lotus® Business Partner. Additional information is also available on the PA at:
Customer Financing: IBM Global Financing offers attractive financing to credit-qualified commercial and government customers and Business Partners in more than 40 countries around the world. IBM Global Financing is provided by the IBM Credit Corporation in the United States. Offerings, rates, terms, and availability may vary by country. Contact your local IBM Global Financing organization. Country organizations are listed on the Web at:
Use Priority/Reference Code: YE001
Phone: 800-IBM-CALL
Fax: 800-2IBM-FAX
Internet: firstname.lastname@example.org
Mail: IBM Atlanta Sales Center
      Dept. YE001
      P.O. Box 2690
      Atlanta, GA 30301-2690
You can also contact your local IBM Business Partner or IBM representative. To identify them, call 800-IBM-4YOU.
Note: Shipments will begin after the planned availability date.