IBM United States
Software Announcement 202-253
October 8, 2002
IBM Tivoli Access Manager for Business Integration V4.1 Now Secures WebSphere MQ V5.3
(Corrected on November 27, 2002)
The media pack part number was corrected.
At a Glance
IBM Tivoli Access Manager for Business Integration (AMBI) is an add-on security management solution for customers using IBM WebSphere MQ. It provides application-level data protection of messages so that they are secure even while they are resident on a queue. This contrasts with channel or link-level security solutions that leave messages in clear text while in a queue. Version 4.1 will provide the following new features:
For ordering, contact:
Your IBM representative, an IBM Business Partner, or the Americas Call Centers at 800-IBM-CALL (Reference: YE001).
Tivoli® Access Manager for Business Integration (formerly Tivoli Policy Director for MQSeries®) is a security management solution for WebSphere® MQ (WMQ) that greatly enhances WMQ's native security environment. It upgrades WMQ's data protection to provide application-level data protection for WMQ-based applications, including those already deployed, without the need to modify or change them. This contrasts with the transport-level data protection now offered in WMQ V5.3 where messages are not secured until they pass through WMQ and down to the TCP/IP stack.
Application-level data security is critical for customers using WMQ to process sensitive data such as high-value financial transactions, HR data, medical records, or any other type of Personally Identifiable Information (PII). Access Manager for Business Integration (AMBI) also allows customers to consolidate the administration of put and get access control permissions on the various servers across their enterprise. Administration of these security policies (data protection and access control) is done remotely, using a Web-based tool that removes the need for administrators to visit each physical system. AMBI is also designed to support a customer environment using the extended WMQ family, including both WebSphere MQ Integrator® and MQSeries Workflow. Customers do not have to be Tivoli Enterprise Framework customers to utilize AMBI.
One of the primary new functions in AMBI V4.1 is support for WMQ V5.3. In addition, there is a set of usability improvements that enhance the management of recipient credentials, allowing them to now be stored in a central LDAP directory.
AMBI V4.1 requires one of the following platforms:
Planned Availability Dates
End of Support
Consistent with the IBM Tivoli end of support policy, IBM Tivoli support for IBM Tivoli AMBI V3.8.1 will be discontinued on November 15, 2003, 12 months after the general availability date of AMBI V4.1.
Large and small businesses rely on IBM WebSphere MQ (WMQ) to process their critical line-of-business transactions involving everything from monetary transfers to HR record processing to inventory management. IBM offers Tivoli Access Manager for Business Integration (AMBI) as an add-on security-management solution for WMQ.
For IBM MQSeries V5.2 and earlier versions and releases, users had to build a set of security channel exits on their own or license them from one of several IBM Business Partners to provide message data protection and/or channel authentication. WMQ V5.3, for the first time, includes the ability to provide channel-to-channel authentication and data protection by passing messages over an SSL connection when using a TCP/IP transport. This is a great improvement over previous versions and releases, where no data-protection services were provided. WMQ V5.3, however, does not provide customers with an application-level data-protection model, because its data security is not invoked until messages are taken from a transmission queue and passed to the TCP/IP stack. As a result, sensitive application message data remains in clear text while the message is being processed by WMQ. In addition, if a user has configured WMQ to take advantage of its ability to prevent message loss (by using persistent messages), the message is also written to the server's DASD. For customers using WMQ to process sensitive data such as financial transactions, HR records, medical records, or any other type of Personally Identifiable Information (PII), this can create a significant liability and financial risk.
To address this exposure, some users have started to invest in reengineering their applications to secure their message data from within the application. This can be a very expensive process, the costs of which only begin with the application recoding expenses. Another issue in this area is the inability to demonstrate, via an audit record, that the processing of a specific sensitive message actually complied with a stated security policy. This can be critical in demonstrating compliance with legislation like the Health Insurance Portability and Accountability Act (HIPAA).
One more potentially significant issue for users is that they must administer access control locally on every server. Queue creation and deletion are rather static actions, without the need to be performed very often, but put and get permissions on queues generally are updated much more frequently as new applications are rolled out into production. An enterprise-wide view of these security policies, with the ability for authorized administrators to remotely update them, can greatly improve efficiencies.
AMBI is designed to address all these issues. It provides application-level message integrity and confidentiality without requiring users to recode, relink, or modify existing WMQ applications. You do not have to license cryptography routines or worry about real-time key exchange, and can take advantage of message brokers even when utilizing application data protection.
AMBI has two logical components. The first is a security policy enforcement portion (interceptor) that is installed on each server running WMQ. The second is a central set of shared services composed of a security policy manager, a Web-based administration tool, and an LDAP directory. The interceptor's job is to authenticate applications attempting to access WMQ and then to enforce the access control, data protection, and audit security policies that you have set through the central shared services.
The security policy manager holds the master copy of the security policy database. The administration tool is a Web-based application that provides an easy-to-use GUI for setting, viewing, and updating security policies. Protected queues and queue managers are represented in the resource namespace as objects, and may be secured by attaching a policy to them. A companion utility is also provided to automate the population of this resource space with the existing queue manager and queue definitions on each system to be managed. The administration tool also supports the ability to delegate responsibility for just a subset of the defined queue managers or queues to a junior administrator. IT organizations will find this feature useful since it allows them to maintain control over the total enterprise security infrastructure for WMQ but still grant a specific department or line-of-business the ability to manage the subset of resources they use or own. All administration can also be done via scripting using a command-line interface that is also provided.
AMBI includes a licensed copy of the IBM Directory Server for IBM AIX, Sun Solaris, and Microsoft Windows 2000 and Windows NT. If you have already deployed the Netscape/iPlanet LDAP Directory, it can be used instead. For a highly available environment it is recommended that the directory be replicated to help ensure that processing is not interrupted.
AMBI is designed to enforce two specific access rights: whether an application is authorized to put messages to a queue and whether it is authorized to get messages from a queue. In addition, AMBI supports the following options for data-protection policies:
The auditing of access to protected resources is also part of each policy. If auditing is enabled, you are provided XML-like formatted records that document the success or failure of attempts to open and close queues and put and get messages. The specific audit options are:
AMBI uses public and private keys to perform its data-protection functions. Key pairs can be associated with specific applications or shared by all applications on a server. AMBI can utilize PKI credentials generated by most popular third-party Certificate Authorities, including VeriSign, Entrust, Baltimore, and Netscape, in addition to the self-signed certificates it can generate itself. A software-based key ring is also provided for secure storage of these credentials on each WMQ server. In previous releases, the certificate of each recipient of an encrypted message had to be stored in the key ring of each sender. In AMBI, the recipient's certificate can be stored in an LDAP directory, reducing the administrative overhead in configuring encryption policy.
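As an added illustration (not AMBI's code, and not a description of how IBM implemented the product), the following Python script models the enforcement points described above: a constructed policy database holding put and get rights on queue objects in a "/queue manager/queue" namespace, an interceptor that applies a per-queue data-protection policy before a message lands on the queue, and an XML-like audit record for every decision. The names QueueManager, POLICY, PROTECTION and the "privacy"/"integrity" mode labels are assumptions; the keystream built from HMAC-SHA256 is a standard-library stand-in for a real cipher, and a single symmetric key stands in for the PKI credentials the product uses. What it shows is the point made earlier about transport-level protection: under a "privacy" policy the payment message is unreadable while it sits on the queue (and therefore in any DASD copy), under "integrity" it is readable but any alteration is detected on get, and an unauthorized put is refused and audited.

```python
import hashlib
import hmac
import os
import struct

# Constructed policy database standing in for the central policy manager:
POLICY = {  # resource "/<queue manager>/<queue>" -> principal -> rights
    "/QM1/PAYMENTS.IN": {"payments-app": {"put"}, "ledger-app": {"get"}},
    "/QM1/HR.RECORDS": {"hr-app": {"put", "get"}},
}
# Data-protection policy per queue (mode names are assumed, not AMBI's).
PROTECTION = {"/QM1/PAYMENTS.IN": "privacy", "/QM1/HR.RECORDS": "integrity"}
AUDIT = []  # XML-like audit records, one per enforcement decision

def audit(action, principal, resource, outcome):
    AUDIT.append(f'<event action="{action}" principal="{principal}" '
                 f'resource="{resource}" outcome="{outcome}"/>')

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF stream cipher: a stdlib-only stand-in
    # for a real cipher (AES) keyed from PKI credentials in a deployment.
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def protect(key, mode, data):
    """Wrap a message as mode || nonce || body || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    if mode == "privacy":
        head = b"P"
        body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    else:  # integrity only: body stays readable but is tamper-evident
        head, body = b"I", data
    tag = hmac.new(key, head + nonce + body, hashlib.sha256).digest()
    return head + nonce + body + tag

def unprotect(key, blob):
    """Verify and unwrap; raises ValueError when the tag does not match."""
    head, nonce, body, tag = blob[:1], blob[1:17], blob[17:-32], blob[-32:]
    expected = hmac.new(key, head + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message integrity check failed")
    if head == b"P":
        return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    return body

class QueueManager:
    """Minimal queue manager; the interceptor logic lives in put() and get()."""
    def __init__(self, name, key):
        self.name, self.key, self.queues = name, key, {}

    def _authorize(self, action, principal, queue):
        resource = f"/{self.name}/{queue}"
        if action not in POLICY.get(resource, {}).get(principal, set()):
            audit(action, principal, resource, "denied")
            raise PermissionError(f"{principal} may not {action} on {resource}")
        return resource

    def put(self, principal, queue, message):
        resource = self._authorize("put", principal, queue)
        protected = protect(self.key, PROTECTION[resource], message)
        self.queues.setdefault(queue, []).append(protected)
        audit("put", principal, resource, "ok")

    def get(self, principal, queue):
        resource = self._authorize("get", principal, queue)
        try:
            message = unprotect(self.key, self.queues[queue].pop(0))
        except ValueError:
            audit("get", principal, resource, "integrity-failure")
            raise
        audit("get", principal, resource, "ok")
        return message

def demo():
    """Run the scenario and return what an observer or test can check."""
    AUDIT.clear()
    qm = QueueManager("QM1", os.urandom(32))
    qm.put("payments-app", "PAYMENTS.IN", b"PAY 100000 to ACCT 42")
    at_rest = qm.queues["PAYMENTS.IN"][0]            # privacy: ciphertext on queue
    delivered = qm.get("ledger-app", "PAYMENTS.IN")
    denied = False
    try:
        qm.put("hr-app", "PAYMENTS.IN", b"rogue")    # hr-app has no put right here
    except PermissionError:
        denied = True
    qm.put("hr-app", "HR.RECORDS", b"salary=90000")  # integrity: readable at rest
    blob = bytearray(qm.queues["HR.RECORDS"][0])
    blob[17:25] = b"salary=1"                        # alter the stored body
    qm.queues["HR.RECORDS"][0] = bytes(blob)
    tampered = False
    try:
        qm.get("hr-app", "HR.RECORDS")
    except ValueError:
        tampered = True
    return {"plaintext_on_queue": b"ACCT 42" in at_rest, "delivered": delivered,
            "denied": denied, "tamper_detected": tampered, "audit": list(AUDIT)}
```

Calling demo() returns plaintext_on_queue False for the privacy-protected queue, the original payment bytes as delivered, denied True for the unauthorized put, tamper_detected True for the altered HR record, and five audit records, the third recording the denial and the fifth the integrity failure. Note that a message failing its integrity check has already been removed from the queue by the get; a production interceptor would need a policy for what happens to such a message (for example, moving it to a quarantine queue) rather than discarding it.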
A security management solution for WMQ must recognize and address an enterprise's messaging security requirements. It should provide a single point of administration for security policy, application-level message integrity and confidentiality, high performance, and scalability. AMBI was developed specifically to address these issues. It is the first enterprise-level security management solution for WebSphere MQ. It provides centralized administration of data protection and queue put and get permission policies. It is a highly scalable application-level security solution that can transparently secure the WebSphere MQ applications you have already deployed without the need to modify them. It also can generate detailed audit records showing that transactions were expressly authorized and properly protected.
IBM Tivoli Access Manager for Business Integration (AMBI) V4.1 is a security management solution for IBM WebSphere MQ (WMQ). It upgrades WMQ's data protection to provide application-level data protection for MQ-based applications. This is critical for customers needing to implement WebSphere MQ to process sensitive data.
AMBI is a member of the Tivoli Access Manager family and builds upon the core Access Manager technology utilized by many IBM products today. Customers utilizing more than one of the Tivoli Access Manager family products can see reduced enterprise security management deployment, maintenance, training, and administration costs. This is due to the ability of these products to share common services like administration tooling, directory services, and a common central security management server.
AMBI is compatible with the other members of the IBM WebSphere MQ family, including WebSphere MQ Integrator and MQSeries Workflow.
AMBI is complementary to the recently announced IBM WebSphere Business Integration for Financial Networks offering. When AMBI is used with this product, customers' financial transactions are secured from the originating application at one institution, through a Value Added Network such as the SWIFT network, to the processing application at another institution. In this example, AMBI provides the security across the WMQ networks of both institutions, IBM WebSphere Business Integration for Financial Networks secures the queues on a WebSphere MQ Integrator server linked to a SWIFT client, and the SWIFT network provides the security between the networks of the two institutions.
Product information is available through Offering Information (OITOOL) at:
and through the Passport Advantage Web site at:
The ReadMe is the only publication that is shipped with this program.
The following publications can be ordered after planned availability.
The Publications Notification System (PNS) is available by order number or product number. Customers currently subscribing to PNS will automatically receive notifications by e-mail. Customers who wish to subscribe can visit the PNS Web site location at:
The IBM Publications Center Portal:
The Publications Center is a worldwide central repository for IBM product publications and marketing material with a catalog of 70,000 items. Extensive search facilities are provided, as well as payment options via credit card. Furthermore, a large number of publications are available online in various file formats, which can currently be downloaded free of charge.
Note that PNS subscribers most often order their publications via the Publications Center.
Title                                                     Order Number
IBM Tivoli(R) Access Manager for Business Integration     SC23-4831-00
  Administrator's Guide
IBM Tivoli Access Manager for Business Integration        GI11-0957-00
  Release Notes
IBM Tivoli Access Manager for Business Integration        GI11-0958-00
  Read Me First
Specified Operating Environment
                                     RAM         DASD
                                     (Minimum)   (Minimum)
AMBI + WebSphere(R) MQ               256 MB      500 MB
AMBI + WebSphere MQ + MQSI           512 MB      1 GB
AMBI + WebSphere MQ + MQ Workflow    512 MB      2.5 GB

                                     RAM         DASD
                                     (Minimum)   (Minimum)
AMBI + WebSphere MQ                  256 MB      500 MB
AMBI + WebSphere MQ + MQSI           512 MB      1 GB
AMBI + WebSphere MQ + MQ Workflow    512 MB      2.5 GB

                                     RAM         DASD
                                     (Minimum)   (Minimum)
AMBI + WebSphere MQ                  256 MB      500 MB
AMBI + WebSphere MQ + MQSI           512 MB      1.5 GB
AMBI + WebSphere MQ + MQ Workflow    512 MB      2.5 GB
IBM Tivoli Access Manager for Business Integration V4.1 is supported on the following platforms:
The following WebSphere MQ applications are supported:
PKI credentials from the following Certificate Authorities are supported:
This program, when downloaded from a Web site, contains the applicable IBM license agreement, and License Information (LI) if appropriate, which will be presented for acceptance at the time of installation of the program. The license and LI will be stored in a directory such as LICENSE.TXT for future reference.
Security, Auditability, and Control
IBM Tivoli Access Manager for Business Integration V4.1 uses the security and auditability features of the operating system software.
The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.
Passport Advantage Customer: Media Pack Entitlement Details
Customers with active maintenance or subscription for the product listed below are entitled to receive the corresponding media pack.
Entitled Maintenance Offerings Description: IBM Tivoli Access Manager for Business Integration V3.8.1 Processor
Media Pack Description                                      Part Number
IBM Tivoli Access Manager for Business Integration V4.1     BJ08EML
Ordering Information for Passport Advantage
The quantity to be specified for the Passport Advantage part numbers in the following table is per processor. To order for Passport Advantage, specify the desired part number and quantity.
Description                                                 Part Number
Processors:
IBM Tivoli Access Manager for Business Integration V4.1     D511TLL
  License and Software Maintenance 1st Anniversary
IBM Tivoli Access Manager for Business Integration V4.1     D511ULL
  License and Software Maintenance 2nd Anniversary
IBM Tivoli Access Manager for Business Integration V4.1     E009CLL
  Software Maintenance Renewal to Anniversary Date
IBM Tivoli Access Manager for Business Integration V4.1     D511VLL
  Software Maintenance after License to Anniversary Date
To order a media pack for Passport Advantage, specify the part number in the desired quantity from the following table:
Description                                                 Part Number
IBM Tivoli Access Manager for Business Integration V4.1     BJ08EML
  Media Pack -- Multilingual
Withdrawal of Passport Advantage Part Numbers
The following Passport Advantage part number will be withdrawn on December 3, 2002:
Description                                                 Part Number
IBM Tivoli Access Manager for Business Integration V3.8.1   BJ04EML
Terms and Conditions
Agreement: For orders under Passport Advantage: IBM International Program License Agreement (IPLA), IBM International Passport Advantage Agreement (PAA), and an IBM International Passport Advantage Agreement Enrollment Form
Program Services and End of Support: Program services for an IBM Tivoli program are one year from the date IBM or your Business Partner makes the program available to you. The program services duration period shall be less than one year for programs acquired after the announcement of a program's end-of-support (EOS) date.
EOS for programs or versions/releases of programs will be announced 12 months before the effective date.
For Passport Advantage and charges, contact your IBM representative or your authorized IBM Business Partner. For additional information about the Passport Advantage offering, visit the following Web site:
Use Priority/Reference Code: YE001
Phone: 800-IBM-CALL
Fax: 800-2IBM-FAX
Internet: firstname.lastname@example.org
Mail: IBM Atlanta Sales Center
      Dept. YE001
      P.O. Box 2690
      Atlanta, GA 30301-2690
You can also contact your local IBM Business Partner or IBM representative. To identify them, call 800-IBM-4YOU.
Note: Shipments will begin after the planned availability date.