ap04090_.htm |
Last updated Friday, 21 July 2017IBM® Integration Bus provides a security manager, which enables you to control access to individual messages in a message flow, using the identity of the message.
You can configure an integration node for processing end-to-end an identity that is carried in a message through a message flow by using a security profile. By creating a security profile, you can configure security for a message flow to control access based on the identity that is associated with the message and provides a security mechanism that is independent of both the transport type and message format.
Only a subset of the connectors available in IBM Integration Bus use security profiles to control and vary the identity that is used when the connector interacts with an external system. For other connectors, a fixed identity can be specified, which is used to authorize access to the external system. For those connectors, the integration node has its own repository of identities, which can be updated with the mqsisetdbparms and mqsireportdbparms command. For more information about which external systems use one of these identities to connect, see Advanced configuration.
If you do not enable message flow security, the default security facilities that are in IBM Integration Bus are based on the security facilities that are provided by the transport mechanism. In this case, the integration node processes all messages that are delivered to it, using the integration node service identity as a proxy identity for all message instances. Any identity that is present in the incoming message is ignored.
You can invoke message flow security by configuring either a security enabled input node or a SecurityPEP node. The SecurityPEP node enables you to invoke the message flow security manager at any point in the message flow between an input node and an output (or request) node.
However, the support for treating security exceptions as normal exceptions is provided by only the MQInput, HTTPInput, SCAInput, and SCAAsyncResponse nodes; it is not available in the SOAPInput node.
If the message flow is a Web Service that is implemented by using the SOAP nodes, the identity can be taken from the WS-Security header tokens that are defined through appropriate Policy sets and bindings.
To improve performance, the authentication, authorization, and mapping information from the configured providers is cached for reuse. You can use the mqsireloadsecurity command to reload the security cache, and you can use the mqsichangeproperties command to set the expiry and sweep intervals for the security cache.
For a SOAPRequest and SOAPAsyncRequest node, an appropriate policy set and bindings can be defined to specify how the token is placed in the WS-Security header (rather than the underlying transport headers). For more information, see Policy sets.
The following topics in this section provide more detailed information about message flow security:
Last updated Friday, 21 July 2017