Security Services

The Message Queue service supports authentication and authorization (access control) for each broker instance, and also supports encryption:

• Authentication ensures that only verified users can establish a connection to the broker.

• Authorization specifies which users or groups have the right to access resources and to perform specific operations.

• Encryption protects messages from being tampered with during delivery over a connection.

Authentication and authorization depend upon a repository that contains information about the users of the messaging system—their names, passwords, and group memberships. In addition, to authorize specific operations for a user or group, the broker must check an access control properties file that specifies which operations a user or group can perform. You are responsible for setting up the information the broker needs to authenticate users and authorize their actions.

Figure 3–3 shows the components needed by the broker to provide authentication and authorization.

Figure 3–3 Security Manager Support

As Figure 3–3 shows, you can store user data in a flat file user repository that is provided with the Message Queue service or you can plug in a pre-existing LDAP repository. You set a broker property to indicate your choice.

• If you choose a flat-file repository, you must use the imqusermgr utility to manage the repository. This option is easy to use and built-in.

• If you want to use an existing LDAP server, you use the tools provided by the LDAP vendor to populate and manage the user repository. You must also set properties in the broker instance configuration file to enable to broker to query the LDAP server for information about users and groups.

  The LDAP option is better if scalability is important or if you need the repository to be shared by different brokers. This might be the case if you are using broker clusters.

Authentication and Authorization

When a client requests a connection, the client must supply a user name and password. The broker compares the specified name and password to those stored in the user repository. On transmitting the password from client to broker, the passwords are encoded using either base 64 encoding or message digest (MD5) hashing. MD5 is used for a flat file repository; base 64 is required for LDAP repositories. If using LDAP you may want to use the secure TLS protocol. You can set broker properties to configure the type of encoding used by each connection service separately or to set the encoding on a broker-wide basis.

When a user attempts to perform an operation, the broker checks the user’s name and group membership (from the user repository) against those specified for access to that operation (in the access control properties file). The access control properties file specifies permissions to users or groups for the following operations:

• Connecting to a broker

• Accessing destinations: creating a consumer, a producer, or a queue browser for any given destination or all destinations

• Auto-creating destinations

You set broker properties to specify the following information:

• Whether access control is enabled

• The name of the access control file

• How passwords should be encoded

• How long the system should wait for a client to respond to an authentication request from the broker

• Information required by secure connections

Encryption

To encrypt messages sent between clients and broker, you need to use a connection service based on the Secure Socket Layer (SSL) standard. SSL provides security at a connection level by establishing an encrypted connection between an SSL-enabled broker and an SSL-enabled client.

You can set broker properties to specify the security properties of the SSL keystore to be used and the name and location of a password file.