Routing protected messages using WebSphere Message Broker
IBM® Advanced Message Security can protect messages in an infrastructure where WebSphere® Message Broker version 8.0.0.1 (or later) is installed. You should understand the nature of both products before applying security in the WebSphere Message Broker environment.
About this task
Scenario 1 - Message Broker cannot see message content
Before you begin
The scenario assumes that a queue manager already exists. Replace QMgrName with the name of that queue manager in the commands that follow.
About this task
In this scenario, alice puts a message onto the queue QIN. Based on the message property routeTo, WebSphere Message Broker routes the message either to bob's queue (QBOB), to cecil's queue (QCECIL), or to the default queue (QDEF). The routing is possible because Advanced Message Security protects only the message payload; the message headers and properties remain unprotected and can be read by WebSphere Message Broker. Advanced Message Security is used only by alice, bob and cecil; it is not necessary to install or configure it for WebSphere Message Broker.

WebSphere Message Broker receives the protected message from an unprotected alias queue (AIN) so that no attempt is made to decrypt it. If the broker opened the protected queue directly, Advanced Message Security would try to decrypt the message on the broker's behalf, fail because the broker is not one of the recipients, and move the message to the dead-letter queue. The broker routes the message, and it arrives on the target queue unchanged: it is still signed by the original author (bob and cecil accept only messages sent by alice) and protected as before (only bob and cecil can read it). WebSphere Message Broker puts the routed message onto an unprotected alias of the target queue; the recipients then get the message from the protected output queue, where Advanced Message Security transparently decrypts it.

The alias queues are a deliberate gap in Advanced Message Security interception, because policies are looked up by the queue name that the application opens. Restrict access to the aliases with normal WebSphere MQ authorization so that only the broker's user can open them: messages obtained through an alias are still encrypted and signed, but anyone who can get from an alias can remove messages, and anyone who can put to one can inject unsigned messages that the recipients' policies then cause to be rejected.
Procedure
Results
When alice puts a message onto the QIN queue, the message is protected. WebSphere Message Broker retrieves it, still in protected form, from the AIN alias queue. The broker decides where to route the message by reading the routeTo property, which, like all message properties, is not encrypted. It then places the message on the appropriate unprotected alias so that the message is not protected a second time. When bob or cecil gets the message from their protected queue, it is decrypted and the digital signature is verified.

Scenario 2 - Message Broker can see message content
About this task
mqsireload execution-group-name
If WebSphere Message Broker is considered an authorized party that is allowed to read or sign the message payload, you must configure Advanced Message Security for the user that starts the WebSphere Message Broker service. Be aware that this is not necessarily the same user that puts or gets the messages, nor the user that creates and deploys the WebSphere Message Broker applications. Advanced Message Security locates its keystore configuration per operating-system user, so the broker service user needs its own keystore and certificate.
Procedure
Results
Messages put onto the queue IN are encrypted so that only WebSphere Message Broker can read them. WebSphere Message Broker accepts only messages signed by alice or bob and rejects any others. The accepted messages are processed, then signed by the broker and encrypted with cecil's and dave's keys before being put onto the output queue OUT. Only cecil and dave can read them, and messages that are not signed by WebSphere Message Broker are rejected.
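The configuration that both scenarios rely on, as an added example that is not from the original page or from IBM: a POSIX shell script that emits the MQSC queue definitions and the setmqspl policy commands for Scenario 1 (protected queues QIN, QBOB, QCECIL and QDEF, each with an unprotected alias for the broker) and Scenario 2 (IN readable only by the broker user, OUT readable only by cecil and dave). The distinguished names, the organisation part of each DN, the broker user's certificate name, the alias names other than AIN, and the SHA256/AES256 algorithm choices are assumptions; QMgrName is the placeholder the page uses. The script applies the definitions only when runmqsc and setmqspl are on the PATH and otherwise prints them for review.

```shell
#!/bin/sh
# Added example: AMS policy and queue definitions for the two scenarios above.
# Not the original page's code. DNs, alias names and algorithms are assumptions.
QMGR="${QMGR:-QMgrName}"   # replace with your queue manager name
ORG="O=example,C=GB"       # assumed organisation part of every DN
ALICE="CN=alice,$ORG"
BOB="CN=bob,$ORG"
CECIL="CN=cecil,$ORG"
DAVE="CN=dave,$ORG"
BROKER="CN=mqbroker,$ORG"  # assumed certificate of the user that starts the broker service

# One protected local queue plus an alias for the broker. AMS looks up policies
# by the name the application opens, so the alias (which has no policy) is
# where the broker gets or puts without AMS trying to decrypt or re-protect.
mqsc_pair() {  # $1 protected queue, $2 alias
  printf 'DEFINE QLOCAL(%s) REPLACE\n' "$1"
  printf 'DEFINE QALIAS(%s) TARGET(%s) REPLACE\n' "$2" "$1"
}

# setmqspl command for queue $1: $2 is a '|'-separated list of authorised
# signer DNs (-a), $3 a '|'-separated list of recipient DNs (-r).
ams_policy() {
  cmd="setmqspl -m $QMGR -p $1 -s SHA256 -e AES256"
  old_ifs=$IFS; IFS='|'
  for dn in $2; do cmd="$cmd -a \"$dn\""; done
  for dn in $3; do cmd="$cmd -r \"$dn\""; done
  IFS=$old_ifs
  printf '%s\n' "$cmd"
}

# Scenario 1: the broker never decrypts. The same policy goes on every
# protected queue because the message is forwarded unchanged: signed by
# alice, encrypted for bob and cecil.
mqsc_scenario1() {
  mqsc_pair QIN AIN; mqsc_pair QBOB ABOB; mqsc_pair QCECIL ACECIL; mqsc_pair QDEF ADEF
}
ams_scenario1() {
  for q in QIN QBOB QCECIL QDEF; do ams_policy "$q" "$ALICE" "$BOB|$CECIL"; done
}

# Scenario 2: the broker is a party. IN is readable only by the broker user and
# accepts only alice and bob as signers; OUT accepts only the broker as signer
# and is readable only by cecil and dave. No aliases are needed.
mqsc_scenario2() {
  printf 'DEFINE QLOCAL(IN) REPLACE\nDEFINE QLOCAL(OUT) REPLACE\n'
}
ams_scenario2() {
  ams_policy IN  "$ALICE|$BOB" "$BROKER"
  ams_policy OUT "$BROKER"     "$CECIL|$DAVE"
}

# Apply to the queue manager when the MQ tools are available, else print.
if command -v runmqsc >/dev/null 2>&1 && command -v setmqspl >/dev/null 2>&1; then
  { mqsc_scenario1; mqsc_scenario2; } | runmqsc "$QMGR"
  { ams_scenario1; ams_scenario2; } | sh
else
  mqsc_scenario1; mqsc_scenario2
  ams_scenario1; ams_scenario2
fi
```

After applying, list the resulting policies with dspmqspl -m QMgrName and confirm that the alias queues have none. Use setmqaut to restrict the alias queues to the broker's user, since they are the only path on which Advanced Message Security does not intercept.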