Messaging security and multiple security domains

When you secure a service integration bus, you assign it to a security domain that contains a set of security attributes. There are three types of security domain: global, cell level and custom. The type of security domain you use for a particular bus depends on your security requirements, the bus topology, and the versions of the bus members.

Global domain

This is the default security domain, and contains the administrative security settings.

You must assign the bus to use the global domain if the following conditions apply:
  • The bus contains a WebSphere® Application Server Version 6 bus member, or might contain a Version 6 bus member in the future.
  • The bus is used for administrative purposes, and must share the administrative security settings.
You might also choose to use the global security domain if you have a simple bus topology, and have no need to use multiple security domains.

Cell level domain

Assigning the bus to the cell level domain enables the bus to use multiple security domains.

You might want to assign the bus to use the cell level domain if one of the following scenarios applies:
  • Your company security policy requires that the administrative user repository is separate from the customer user repository. Using the cell level domain enables you to configure multiple sets of security attributes for administrative and user applications within a cell environment.
  • For ease of configuration and maintenance, you want the bus, its user applications, and servers to share a common security configuration that is separate from the administrative security settings.

Custom domain

You must assign the bus to a custom domain if the following scenarios apply:
  • You want to guarantee that the bus and its user application can access the same user realm. In this case, the bus and the user applications use the same custom domain.
  • You want the bus to use a user realm that is dedicated to messaging, and have a separate user repository each for administrative and customer accounts.
  • You want the bus and each of its user applications to be in separate domains. The application users can interact with the users of the bus domain, which acts as a bridge between the application domains. In this case, only the bus requires information about the users in each domain.