IBM United States
Software Announcement 202-253
October 8, 2002

IBM Tivoli Access Manager for Business Integration V4.1 Now Secures WebSphere MQ V5.3

 ENUS202-253.PDF (38KB)

(Corrected on November 27, 2002)

The media pack part number was corrected.

At a Glance

IBM Tivoli Access Manager for Business Integration (AMBI) is an add-on security management solution for customers using IBM WebSphere MQ. It provides application-level data protection of messages so that they are secure even while they are resident on a queue. This contrasts with channel or link-level security solutions that leave messages in clear text while in a queue. Version 4.1 will provide the following new features:

  • Support for WebSphere MQ V5.3
  • PKI credential management (certificate storage in LDAP)
  • Support for IBM 4758 Crypto acceleration card on AIX and Windows
  • Support for IBM 4960 Crypto acceleration card on AIX only
  • New utility for validating system configuration
  • Support for AIX V5.1
  • Management server and administration tool across all three Tivoli Access Manager products

For ordering, contact:

Your IBM representative, an IBM Business Partner, or the Americas Call Centers at 800-IBM-CALL (Reference: YE001).

Overview

Tivoli® Access Manager for Business Integration (formerly Tivoli Policy Director for MQSeries®) is a security management solution for WebSphere® MQ (WMQ) that greatly enhances WMQ's native security environment. It upgrades WMQ's data protection to provide application-level data protection for WMQ-based applications, including those already deployed, without the need to modify or change them. This contrasts with the transport-level data protection now offered in WMQ V5.3 where messages are not secured until they pass through WMQ and down to the TCP/IP stack.

Application-level data security is critical for customers using WMQ to process sensitive data such as high-value financial transactions, HR data, medical records, or any other type of Personally Identifiable Information (PII). Access Manager for Business Integration (AMBI) also allows customers to consolidate the administration of put and get access control permissions on the various servers across their enterprise. Administration of these security policies (data protection and access control) is done remotely, using a Web-based tool, so administrators do not have to visit each physical system. AMBI is also designed to support a customer environment using the extended WMQ family including both WebSphere MQ Integrator® and MQSeries Workflow. Customers do not have to be Tivoli Enterprise™ Framework customers to utilize AMBI.

One of the primary new functions in AMBI V4.1 is support for WMQ V5.3. In addition, there is a set of usability improvements that enhance the management of recipient credentials, allowing them to now be stored in a central LDAP directory.

Key Prerequisites

AMBI V4.1 requires one of the following platforms:

  • Solaris Version 7 or 8
  • IBM AIX® Version 4.3.3 or AIX Version 5.1
  • Windows NT® 4
  • Windows® 2000

Planned Availability Dates

  • November 1, 2002 (for electronic download)
  • November 15, 2002 (media availability)

End of Support

Consistent with the IBM Tivoli end of support policy, IBM Tivoli support for IBM Tivoli AMBI V3.8.1 will be discontinued on November 15, 2003, 12 months after the general availability date of AMBI V4.1.

Description

Large and small businesses rely on IBM WebSphere MQ (WMQ) to process their critical line-of-business transactions involving everything from monetary transfers to HR record processing to inventory management. IBM offers Tivoli Access Manager for Business Integration (AMBI) as an add-on security-management solution for WMQ.

For IBM MQSeries V5.2 and earlier versions and releases, users had to build a set of security channel exits on their own or license them from one of several IBM Business Partners to provide message data protection and/or channel authentication. WMQ V5.3, for the first time, now includes the ability to provide channel-to-channel authentication and data protection by passing messages over an SSL connection when using a TCP/IP transport. This is a great improvement over previous versions and releases where no data-protection services were provided. WMQ V5.3, however, does not provide customers with an application-level data-protection model. This is because its data security is not invoked until messages are taken from a transmit queue and passed to the TCP/IP stack. As a result, sensitive application message data remains in a clear text format while the message is being processed by WMQ. In addition, if a user has configured WMQ to take advantage of its ability to prevent message loss (by using persistent queues), the message is also written out to the server's DASD. For customers using WMQ to process sensitive data like financial transactions, HR records, medical records, or any other type of Personally Identifiable Information (PII), this can create a significant liability and financial risk.

To address this exposure, some users have started to invest in reengineering their applications to secure their message data from within their application. This can be a very expensive process, the costs of which only begin with the application recoding expenses. Another issue in this area is the inability to demonstrate, via an audit record, that the processing of a specific sensitive message actually complied with a stated security policy. This can be critical in demonstrating compliance with legislation like the Health Insurance Portability and Accountability Act (HIPAA).

One more potentially significant issue for users is that they must administer access control locally on every server. Queue creation and deletion are rather static actions, without the need to be performed very often, but put and get permissions on queues generally are updated much more frequently as new applications are rolled out into production. An enterprise-wide view of these security policies, with the ability for authorized administrators to remotely update them, can greatly improve efficiencies.

AMBI is designed to address all these issues. It provides application-level message integrity and confidentiality without requiring users to recode, relink, or modify existing WMQ applications. You do not have to license cryptography routines or worry about real-time key exchange, and can take advantage of message brokers even when utilizing application data protection.

AMBI has two logical components. The first is a security policy enforcement portion (interceptor) that is installed on each server running WMQ. The second is a central set of shared services composed of a security policy manager, a Web-based administration tool, and an LDAP directory. The interceptor's job is to authenticate applications attempting to access WMQ and then to enforce the access control, data protection, and audit security policies that you have set through the central shared services.

The security policy manager holds the master copy of the security policy database. The administration tool is a Web-based application that provides an easy-to-use GUI for setting, viewing, and updating security policies. Protected queues and queue managers are represented in the resource namespace as objects, and may be secured by attaching a policy to them. A companion utility is also provided to automate the population of this resource space with the existing queue manager and queue definitions on each system to be managed. The administration tool also supports the ability to delegate responsibility for just a subset of the defined queue managers or queues to a junior administrator. IT organizations will find this feature useful since it allows them to maintain control over the total enterprise security infrastructure for WMQ but still grant a specific department or line-of-business the ability to manage the subset of resources they use or own. All administration can also be scripted through the command-line interface that is provided.

AMBI includes a licensed copy of the IBM Directory Server for IBM AIX, Sun Solaris, and Microsoft™ Windows 2000 and Windows NT. If you have already deployed the Netscape/iPlanet LDAP Directory, it can be used instead. For a highly available environment it is recommended that the directory be replicated to help ensure that processing is not interrupted.

AMBI is designed to enforce two specific access rights. These are whether an application is authorized to put and/or get messages to a queue. In addition, AMBI supports the following options for data-protection policies:

  • NONE — No data protection.
  • INTEGRITY — Sign message data to allow verification.
  • PRIVACY — Sign and encrypt message data for integrity and confidentiality.

The auditing of access to protected resources is also part of each policy. If auditing is enabled, you are provided XML-like formatted records that document the success or failure of attempts to open and close queues and put and get messages. The specific audit options are:

  • ALL — Records all auditable events.
  • NONE — Auditing function is turned off.
  • PERMIT — Records only successful accesses.
  • DENY — Records only denied requests for access.
  • ADMIN — Records OPEN, CLOSE, PUT, and GET operations on protected WebSphere MQ queues.
  • ERROR — Records any unsuccessful GET operations.

AMBI uses public and private keys to perform its data-protection functions. Key pairs can be associated with specific applications or shared by all applications on a server. AMBI can utilize PKI credentials generated by most popular third-party Certificate Authorities, including VeriSign, Entrust, Baltimore, and Netscape, in addition to the self-signed certificates it can generate itself. A software-based key ring is also provided for secure storage of these credentials on each WMQ server. In previous releases, the certificate of each recipient of an encrypted message had to be stored in the key ring of each sender. In AMBI, the recipient's certificate can be stored in an LDAP directory, reducing the administrative overhead in configuring encryption policy.
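The announcement describes the two data-protection levels and the credential model (a sender signs with its own key pair and encrypts to a recipient certificate looked up in the directory) but does not specify AMBI's algorithms or message format. The following Go program is an added illustration, written for this page and not IBM's or AMBI's code, of what an interceptor that applies INTEGRITY (sign only) and PRIVACY (sign, then encrypt) to a message body does to the bytes that actually sit on the queue. Everything in it is an assumption for the example: Ed25519 for signatures, static-static X25519 with AES-256-GCM for encryption, a SHA-256 key derivation, and the names Party, Creds, Protect and Unprotect. The Creds type stands in for the recipient's certificate fetched from LDAP; the NONE level is a plain pass-through and is left out. The receiving side enforces the level the queue policy demands rather than trusting the level byte on the message, which is the check that makes a stripped or downgraded message fail.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Protection is the queue's data-protection policy (AMBI's INTEGRITY / PRIVACY).
type Protection byte

const Integrity, Privacy Protection = 1, 2

// Party is one WMQ application: a signing key pair and a separate key-agreement pair.
type Party struct {
	Sig ed25519.PrivateKey
	Enc *ecdh.PrivateKey
}

// Creds is the public material a peer fetches from the directory (LDAP in AMBI 4.1); it stands in for a CA-issued certificate.
type Creds struct {
	SigPub ed25519.PublicKey
	EncPub *ecdh.PublicKey
}

func NewParty() (*Party, error) {
	_, s, err1 := ed25519.GenerateKey(rand.Reader)
	e, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	return &Party{Sig: s, Enc: e}, errors.Join(err1, err2)
}

func (p *Party) Creds() Creds { return Creds{p.Sig.Public().(ed25519.PublicKey), p.Enc.PublicKey()} }

// aeadFor derives the pairwise AES-256-GCM key via static-static X25519. The KDF
// is simplified for the example; a product would use HKDF and bind identities in.
func aeadFor(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := mine.ECDH(theirs)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect is the put-side interceptor: it returns the bytes that actually land on
// the queue (and on disk, if the queue is persistent). Wire format: [level] then
// [sig 64][body] for INTEGRITY, or [nonce 12][AES-GCM([sig 64][body])] for PRIVACY.
func Protect(level Protection, sender *Party, to Creds, body []byte) ([]byte, error) {
	signed := append(ed25519.Sign(sender.Sig, body), body...) // sign first ...
	if level == Integrity {
		return append([]byte{byte(Integrity)}, signed...), nil
	}
	gcm, err := aeadFor(sender.Enc, to.EncPub) // ... then encrypt to the recipient
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{byte(Privacy)}, nonce...)
	return gcm.Seal(out, nonce, signed, []byte{byte(Privacy)}), nil // level byte is AAD
}

// Unprotect is the get-side interceptor. It enforces the level the queue policy
// demands rather than trusting the level byte on the message, so a message that
// was stripped to INTEGRITY on a PRIVACY queue is rejected, not silently accepted.
func Unprotect(level Protection, rcpt *Party, from Creds, msg []byte) ([]byte, error) {
	if len(msg) == 0 || Protection(msg[0]) != level {
		return nil, errors.New("protection level does not match queue policy")
	}
	signed := msg[1:]
	if level == Privacy {
		gcm, err := aeadFor(rcpt.Enc, from.EncPub)
		if err != nil {
			return nil, err
		}
		n := gcm.NonceSize()
		if len(signed) < n {
			return nil, errors.New("privacy envelope too short")
		}
		if signed, err = gcm.Open(nil, signed[:n], signed[n:], msg[:1]); err != nil {
			return nil, errors.New("decryption or authentication failed")
		}
	}
	// Verify the sender's signature before the body is released to the application.
	if len(signed) < 64 || !ed25519.Verify(from.SigPub, signed[64:], signed[:64]) {
		return nil, errors.New("signature verification failed")
	}
	return signed[64:], nil
}
```

With PRIVACY the queued bytes contain no recognisable plaintext, which is the property the announcement contrasts with channel-level SSL, where the message is still clear text on the queue and on DASD. With INTEGRITY the body is readable but a single flipped byte, a different signer, or a truncated message is rejected on the get side. Because the recipient's key-agreement public key is all the sender needs, it can come from a central directory rather than from a key ring on every sending server, which is the administrative change described above for V4.1.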

A security management solution for WMQ must recognize and address an enterprise's messaging security requirements. It should provide a single point of administration for security policy, application-level message integrity and confidentiality, high performance, and scalability. AMBI was developed specifically to address these issues. It is the first enterprise-level security management solution for WebSphere MQ. It provides centralized administration of data protection and queue put and get permission policies. It is a highly scalable application-level security solution that can transparently secure the WebSphere MQ applications you have already deployed without the need to modify them. It also can generate detailed audit records showing that transactions were expressly authorized and properly protected.

Product Positioning

IBM Tivoli Access Manager for Business Integration (AMBI) V4.1 is a security management solution for IBM WebSphere MQ (WMQ). It upgrades WMQ's data protection to provide application-level data protection for MQ-based applications. This is critical for customers needing to implement WebSphere MQ to process sensitive data.

AMBI is a member of the Tivoli Access Management family and builds upon the core Access Manager technology utilized by many IBM products today. Customers utilizing more than one of the Tivoli Access Manager family products can see reduced enterprise security management deployment, maintenance, training, and administration costs. This is due to the ability of these products to share common services like administration tooling, directory services, and a common central security management server.

AMBI is compatible with the other members of the IBM WebSphere MQ family, including WebSphere MQ Integrator and MQSeries Workflow.

AMBI is complementary with the recently announced IBM WebSphere Business Integration for Financial Networks offering. When AMBI is used with this product, customers' financial transactions are secured from the originating application at one institution, through a Value Added Network like the SWIFT network, to the processing application at another institution. In this example, AMBI provides the security across the WMQ networks of both institutions. IBM WebSphere Business Integration for Financial Networks secures the queues on a WebSphere MQ Integrator server linked to a SWIFT client, and the SWIFT network provides the security between the networks of both institutions.

Trademarks

 
MQSeries, WebSphere, MQ Integrator, and AIX are registered trademarks of International Business Machines Corporation in the United States or other countries or both.
 
Microsoft is a trademark of Microsoft Corporation.
 
Windows NT and Windows are registered trademarks of Microsoft Corporation.
 
Tivoli Enterprise is a trademark of International Business Machines Corporation or Tivoli Systems Inc. in the United States or other countries or both.
 
Tivoli is a registered trademark of International Business Machines Corporation or Tivoli Systems Inc. in the United States or other countries or both.
 
Other company, product, and service names may be trademarks or service marks of others.

Offering Information

Product information is available through Offering Information (OITOOL) at:

and through the Passport Advantage Web site at:

Publications

The ReadMe is the only publication that is shipped with this program.

The following publications can be ordered after planned availability.

The Publications Notification System (PNS) is available by order number or product number. Customers currently subscribing to PNS will automatically receive notifications by e-mail. Customers who wish to subscribe can visit the PNS Web site location at:

The IBM Publications Center Portal:

The Publications Center is a worldwide central repository for IBM product publications and marketing material with a catalog of 70,000 items. Extensive search facilities are provided, as well as payment options via credit card. Furthermore, a large number of publications are available online in various file formats, which can currently be downloaded free of charge.

Note that PNS subscribers most often order their publications via the Publications Center.

                                                    Order
Title                                               Number
 
IBM Tivoli(R) Access Manager                        SC23-4831-00
 for Business Integration
 Administrator's Guide
 
IBM Tivoli Access Manager for                       GI11-0957-00
 Business Integration Release Notes
 
IBM Tivoli Access Manager for                       GI11-0958-00
 Business Integration Read Me First

Technical Information

Specified Operating Environment

Hardware Requirements

AIX®

Supported Hardware:

  • IBM eServer pSeries™
  • IBM RS/6000® POWERserver®
  • IBM RS/6000 POWERstation
  • IBM Scalable POWERparallel® systems

                                   RAM                 DASD
                                   (Minimum)           (Minimum)
 
AMBI + WebSphere(R) MQ             256 MB              500 MB
AMBI + WebSphere MQ +              512 MB              1 GB
 MQSI
AMBI + WebSphere MQ +              512 MB              2.5 GB
 MQ Workflow

Solaris

Supported Hardware:

  • Sun SPARC desktop or server system
  • Sun UltraSPARC desktop or server system

                                   RAM                 DASD
                                   (Minimum)           (Minimum)
 
AMBI + WebSphere MQ                256 MB              500 MB
AMBI + WebSphere MQ +              512 MB              1 GB
 MQSI
AMBI + WebSphere MQ +              512 MB              2.5 GB
 MQ Workflow

Windows NT®/2000

Supported Hardware:

  • Y2K Compliant Intel® Pentium® II or above, 500+ MHz processor

                                   RAM                 DASD
                                   (Minimum)           (Minimum)
 
AMBI + WebSphere MQ                256 MB              500 MB
AMBI + WebSphere MQ +              512 MB              1.5 GB
 MQSI
AMBI + WebSphere MQ +              512 MB              2.5 GB
 MQ Workflow

Software Requirements

IBM Tivoli Access Manager for Business Integration V4.1 is supported on the following platforms:

  • AIX 4.3.3 and AIX 5.1
  • Solaris 7 and 8
  • Windows NT 4.0 with SP6a or higher
  • Windows® 2000 with SP2

The following WebSphere MQ applications are supported:

  • MQSeries® V5.2: Server only on AIX and Solaris
  • MQSeries V5.2.1: Server only on Windows
  • WebSphere MQ V5.3: Server only on AIX, Solaris, and Windows
  • WebSphere MQ Integrator® (MQSI) V2.02 and V2.1
  • WebSphere MQ Workflow V3.3.2

PKI credentials from the following Certificate Authorities are supported:

  • Tivoli SecureWay® PKI V3.7.1
  • Entrust WebConnector V5.0
  • iPlanet Certificate Management Server V4.2
  • Baltimore UniCERT V3.5
  • VeriSign

Planning Information

Packaging: IBM Tivoli Access Manager for Business Integration V4.1 is distributed with:

  • International Program License Agreement (Z125-3301)
  • License Information (CT0TLML)
  • Read Me First Card
  • 11 CD-ROMs
  • Publications (refer to the Publications section)

This program, when downloaded from a Web site, contains the applicable IBM license agreement, and License Information (LI) if appropriate, which will be presented for acceptance at the time of installation of the program. The license and LI will be stored in a directory such as LICENSE.TXT for future reference.

Security, Auditability, and Control

IBM Tivoli Access Manager for Business Integration V4.1 uses the security and auditability features of the operating system software.

The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.

Ordering Information

Passport Advantage Customer: Media Pack Entitlement Details

Customers with active maintenance or subscription for the product listed below are entitled to receive the corresponding media pack.

Entitled Maintenance Offerings Description: IBM Tivoli Access Manager for Business Integration V3.8.1 Processor

                                                         Part
Media Pack Description                                   Number
 
IBM Tivoli Access Manager for
 Business Integration V4.1                               BJ08EML

New Licensees: Orders for new licenses will be accepted now.

Shipment will begin on the planned availability date.

Ordering Information for Passport Advantage

The quantity to be specified for the Passport Advantage part numbers in the following table is per processor. To order for Passport Advantage, specify the desired part number and quantity.

                                                         Part
Description                                              Number
 
Processors:
 
IBM Tivoli Access Manager for Business                   D511TLL
 Integration V4.1 License and Software
 Maintenance 1st Anniversary
 
IBM Tivoli Access Manager for Business                   D511ULL
 Integration V4.1 License and Software
 Maintenance 2nd Anniversary
 
IBM Tivoli Access Manager for Business                   E009CLL
 Integration V4.1 Software Maintenance
 Renewal to Anniversary Date
 
IBM Tivoli Access Manager for Business                   D511VLL
 Integration V4.1 Software Maintenance
 after License to Anniversary Date

To order a media pack for Passport Advantage, specify the part number in the desired quantity from the following table:

                                                         Part
Description                                              Number
 
IBM Tivoli Access Manager for Business                   BJ08EML
 Integration V4.1 Media Pack -- Multilingual

Withdrawal of Passport Advantage Part Numbers

The following Passport Advantage part number will be withdrawn on December 3, 2002:

                                                         Part
Description                                              Number
 
IBM Tivoli Access Manager for                            BJ04EML
 Business Integration V3.8.1

Terms and Conditions

Agreement: For orders under Passport Advantage: IBM International Program License Agreement (IPLA), IBM International Passport Advantage Agreement (PAA), and an IBM International Passport Advantage Agreement Enrollment Form

Transferable: Yes, except for programs acquired at a discount or allowance

Limited Warranty Applies: Yes

Guarantee: 30-day money-back guarantee

Usage Restriction: Yes. Usage is limited to the quantity of processors and clients (network nodes) licensed.

Volume Offering (IVO): No

Upgrade Protection Applies: Covered as long as Software Maintenance is in effect

Educational Allowance Available: Yes, to qualified education institution customers

Percentage: 15%

Licensed Program Materials Availability

  • Restricted Materials of IBM: None
  • Nonrestricted Source Materials: None
  • Object Code Only (OCO): All

Maintenance Applies

  • Software Maintenance under Passport Advantage: Yes
  • Software Maintenance for IBM Tivoli products: No

Complementary Introductory Support: Not available

Program Services and End of Support: Program services for an IBM Tivoli program are one year from the date IBM or your Business Partner makes the program available to you. The program services duration period shall be less than one year for programs acquired after the announcement of a program's end-of-support (EOS) date.

EOS for programs or versions/releases of programs will be announced 12 months before the effective date.

Software Maintenance for IBM Tivoli Products and Passport Advantage

  • Support Center Applies: Yes. Access is available through the IBM Support Center, 800-237-5511.

  • Support Web Site for Problem Reporting:

  • Availability of Passport Advantage Software Maintenance:
    • Passport Advantage Software Maintenance is provided at no additional charge for each eligible program acquired until the first anniversary date. For an additional fee, a license can be acquired with maintenance to the second anniversary date.
    • Passport Advantage Software Maintenance is provided for renewal for a fee at each anniversary date. Customers who do not renew their Software Maintenance will have to purchase the Maintenance after License option to renew their maintenance agreement when they require a new level of software code or remote technical support.

  • Software Maintenance and Passport Advantage Software Maintenance Available Until: Twelve months after announcement of product discontinuance, which is the end of life (EOL)

  • Software Maintenance and Passport Advantage Software Maintenance Applicable To:
    • The current release
    • The immediate previous release for 12 months after the general availability of the current release

  • APAR Mailing Address:

      IBM
      11400 Burnet Road
      Austin, TX 78758
      Attention: Product Development

IBM Operational Support Services — Support Line: No

Product Web Site: A complete list of products, terminology definitions, and licensing documents are available at the following Web site:

Prices

Passport Advantage

For Passport Advantage and charges, contact your IBM representative or your authorized IBM Business Partner. For additional information about the Passport Advantage offering, visit the following Web site:

Order Now

 Use Priority/Reference Code: YE001
 
 Phone:     800-IBM-CALL
 Fax:       800-2IBM-FAX
 Internet:  ibm_direct@vnet.ibm.com
 Mail:      IBM Atlanta Sales Center
            Dept. YE001
            P.O. Box 2690
            Atlanta, GA  30301-2690

You can also contact your local IBM Business Partner or IBM representative. To identify them, call 800-IBM-4YOU.

Note: Shipments will begin after the planned availability date.

Trademarks

 
The e-business logo, pSeries, eServer, and SP are trademarks of International Business Machines Corporation in the United States or other countries or both.
 
AIX, POWERserver, RS/6000, POWERparallel, WebSphere, MQSeries, MQ Integrator, and SecureWay are registered trademarks of International Business Machines Corporation in the United States or other countries or both.
 
Pentium and Intel are registered trademarks of Intel Corporation.
 
Windows NT and Windows are registered trademarks of Microsoft Corporation.
 
Tivoli is a registered trademark of International Business Machines Corporation or Tivoli Systems Inc. in the United States or other countries or both.
 
Notes is a registered trademark of Lotus Development Corporation and/or IBM Corporation.
 
Other company, product, and service names may be trademarks or service marks of others.