Implementing IBM

Integration Bus security

© Copyright IBM Corporation 2013

Course materials may not be reproduced in whole or in part without the prior written permission of IBM. 8.0
Unit objectives
After completing this unit, you should be able to:
• Configure integration node administration security to control the
authorities that developers and administrators use to complete their
specific tasks
• Use security profiles to implement message flow security
• Implement security for the IBM Integration web console

© Copyright IBM Corporation 2013

Topics
• Integration node component security
• Integration node administration security
• Message flow security
• IBM Integration web console security

© Copyright IBM Corporation 2013

 Integration node
component security

© Copyright IBM Corporation 2013

Course materials may not be reproduced in whole or in part without the prior written permission of IBM. 8.0
IBM Integration Bus security
• Required to enable IBM Integration Bus to work
Integration
correctly and to protect the information in the node
system
• Based on WebSphere MQ security and user ID in
mqm group Queue
manager
• Disabled by default
• Can be enabled from mqsicreatebroker or
mqsichangebroker command
• Includes users who connect from:
Security
– IBM Integration Explorer
– IBM Integration Toolkit
– IBM Integration web console
– IBM Integration API Exerciser Single place to WebSphere
define security MQ
– IBM Integration API security
– Command interface
© Copyright IBM Corporation 2013
Groups and authorities
• IBM Integration Bus relies on some WebSphere MQ resources
• WebSphere MQ administrator security group mqm
– Created when WebSphere MQ is installed
– Users in this group can control all WebSphere MQ resources
– Service user ID must belong to this group
• Security group mqbrkrs
– Created when IBM Integration Bus is installed
– Service user IDs for all IBM Integration Bus components must belong to this
group

© Copyright IBM Corporation 2013

Integration node security considerations
• Identify user account to use for integration node service ID
– On Linux or UNIX, user ID must be member of mqm and mqbrkrs group
– On Windows, integration node runs under a service user account
• Set security on integration node queues
– Run the mqsicreatebroker command to grant local mqbrkrs group access
to internal SYSTEM.BROKER queues
• Secure integration node registry
– Stored in the Windows registry or the Linux or UNIX file system
– Set operating system security options so that only user IDs that are members of
mqbrkrs can read from or write to iNodeName/CurrentVersion and all
subkeys

© Copyright IBM Corporation 2013

Service user account on Windows
• Local account
– Must be defined in your local domain
– Must be a member of the mqbrkrs group
• Windows domain account
– User ID must be granted the Log on as a service privilege from the Local
Security Policy
– DOMAIN\user is a member of DOMAIN\Domain mqbrkrs group
– DOMAIN\Domain mqbrkrs is a member of WORKSTATION\mqbrkrs group
• Windows built-in LocalSystem account
– Specify LocalSystem for the –i parameter on the mqsicreatebroker or
mqsichangebroker command

© Copyright IBM Corporation 2013

Security exits
• Verify that the other end of a connection is genuine
• Enable a security exit at each end of the connection between the client
session and the integration node:
– Set up a security exit on the channel at the integration node end
– Set up a security exit in the IBM Integration Toolkit or IBM Integration Explorer
• Started every time that a message passes across the connection
• Standard WebSphere MQ security exit (written in Java)

© Copyright IBM Corporation 2013

Creating a security exit
1. Select from the following options:
– In the IBM Integration Toolkit, right-click the Integration Nodes view and click
Connect to Remote Integration Node.
– In the IBM Integration Explorer, right-click the Integration Nodes folder and
click Connect to Remote Integration Node.
2. Enter values for Host, Queue Manager Name, and Port and then
click Next.
3. Enter a valid Java class name for the Security Exit Class name.
4. Set the JAR file location for the Security Exit that is required on this
connection. Click Browse to find the file location.

© Copyright IBM Corporation 2013

 Integration node
administration security

© Copyright IBM Corporation 2013

Course materials may not be reproduced in whole or in part without the prior written permission of IBM. 8.0
Administration security

IBM Integration
Toolkit IBM Integration Third-party
and Commands web console tools
IBM Integration
Explorer

IBM Integration API

Authorization
queues
Administration
and security

Integration
node Integration node
queue manager

© Copyright IBM Corporation 2013

Integration node component authorizations
• Control the actions that users can request against an integration node
and its resources
• Three levels of authorization for administrative actions:
– Inquire (Read)
– Put (Write)
– Set (Run)
• On two object types:
– Integration node
– Integration server
• Integration node authority does not imply integration server authority

© Copyright IBM Corporation 2013

Actions subject to authority checking
• Users of the IBM Integration Explorer and Integration Toolkit without
“read”, “write”, and “run” authority for the integration node or integration
servers are restricted from accessing those resources
• Java program that uses the IBM Integration API to manage the
integration node
• All the following commands:
mqsichangeresourcestats
mqsireportresourcestats
mqsicreateexecutiongroup
mqsideleteexecutiongroup
mqsideploy
mqsilist
mqsimode
mqsireloadsecurity
mqsistartmsgflow
mqsistopmsgflow

© Copyright IBM Corporation 2013

Activating integration node administration authority
1. Stop the integration node
Example: mqsistop IB9NODE

2. Run the mqsichangebroker command with -s active option

Example: mqsichangebroker IB9NODE -s active

3. Start the integration node

Example: mqsistart IB9NODE

© Copyright IBM Corporation 2013

Authorization queues
Integration node Show system
queue manager queues
and queues

Authorization
queues

• One local queue for integration node authorization

• One alias queue for each integration server, for integration server authorization

© Copyright IBM Corporation 2013

Authorization queue management
• When integration node is created:
– Authorization queues are created
– Default permissions of inquire, put, and set authority are assigned to the
integration node
– Inquire, put, and get authority is granted to the integration server and its
properties for the mqbrkrs group
• When an integration node is deleted:
– All authorization queues are saved
– An optional flag (-s) also deletes security queues
Example: mqsideletebroker IB9NODE -s
• When deleting an integration server, integration node attempts to
delete the associated authorization queue

© Copyright IBM Corporation 2013

Authorization process
• Integration node checks authorization queues for each administration
action
– Integration node does not put or get messages from the authorization queues
– Integration node requires WebSphere MQ altuser authority to check permissions
• Use WebSphere MQ Explorer and commands to manage permissions
– Permissions can be changed without an integration node restart
• User ID that is a member of the mqm group has authority to all
WebSphere MQ objects
• On Windows, a user ID that is a member of the Administrators
security group automatically has authority to all WebSphere MQ
objects

© Copyright IBM Corporation 2013

Required authority for connecting to the integration node
• All applications are written to the IBM Integration API
• Users of the IBM Integration Explorer and the Integration Toolkit
require permissions that are based on their expected actions

WebSphere MQ
Object Name permissions
Queue manager Queue manager that is associated with • Connect
the integration node • Inquire
Queue SYSTEM.BROKER.DEPLOY.QUEUE • Put
Queue SYSTEM.BROKER.DEPLOY.REPLY • Get
• Put
Queue SYSTEM.BROKER.AUTH • Inquire

© Copyright IBM Corporation 2013

Authorization queue limitations
• Due to the size limitation of a WebSphere MQ queue name, it might be
necessary to truncate the integration server name
• If two integration servers have similar names and share a truncated
name, then they share integration node authorization queue
• WebSphere MQ queue names have a more restrictive set of characters
than an integration server name
– Any characters that are not allowed are replaced with an underscore ( _ )
• Authorization queue names must exactly match case of the integration
server name

© Copyright IBM Corporation 2013

Setting WebSphere MQ permissions for Integration Bus
IBM Integration Bus WebSphere MQ
Permission Permission

Inquire/Read +inq

Put/Write +put

Set/Run +set

• Set the corresponding WebSphere MQ permission on an integration node

authorization queue to grant a user the IBM Integration Bus permission
Examples:
– Setting put on SYSTEM.BROKER.AUTH for group admin
grants write authority for all users in group admin to the integration node
– Setting inq on SYSTEM.BROKER.AUTH.default for group dev
grants read authority for all users in group dev for the integration server that is
named ‘default’
– Setting set on SYSTEM.BROKER.AUTH.iserver1 for group dev
grants run authority for all users in group dev for the integration server that is
named ‘iserver1’
© Copyright IBM Corporation 2013
Tasks and authorizations
Task Authorization Queue
Set integration node properties Inquire and Put SYSTEM.BROKER.AUTH
View integration node properties Inquire SYSTEM.BROKER.AUTH
Create, delete, or rename integration Inquire and Put SYSTEM.BROKER.AUTH
servers

List integration servers Inquire SYSTEM.BROKER.AUTH

Start or stop integration servers Inquire SYSTEM.BROKER.AUTH
Set SYSTEM.BROKER.AUTH or
SYSTEM.BROKER.AUTH.IS

Set integration server properties, Inquire SYSTEM.BROKER.AUTH

deploy, or delete a resource from an
integration server Put SYSTEM.BROKER.AUTH.IS

Start or stop message flows Inquire SYSTEM.BROKER.AUTH

Set SYSTEM.BROKER.AUTH.IS
List message flows and other Inquire SYSTEM.BROKER.AUTH
deployed objects
Inquire SYSTEM.BROKER.AUTH.IS
© Copyright IBM Corporation 2013
Creating authorization permissions (1 of 2)

1
In IBM Integration Explorer, right-click
an authorization queue and click
Object Authorities > Manage
Authority Records

2
Select a queue under
Specific Profiles and
then click New to create a
new profile
© Copyright IBM Corporation 2013
Creating authorization permissions (2 of 2)

3
Enter the group or user name
(based on Entity type)

4
Set permissions

5
Click OK
© Copyright IBM Corporation 2013
Granting and revoking authority from a command
• setmqaut command grants and revokes authorities cumulatively
• Command is cumulative
– Set authorities explicitly on each setmqaut command to avoid retaining
unwanted pre-existing authorities
– Granting and revoking is achieved by specifying -all to remove all authorities,
followed by the required authorities
• Use the dspmqaut command to check that object authorities are set
correctly

© Copyright IBM Corporation 2013

setmqaut examples
• Grant run authority and retain any pre-existing authorities:
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1
+set

• Grant run authority only and do not retain pre-existing authorities:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1
-all +set

• Grant write authority only for all integration servers:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.** -g group3
-all +put

• Revoke run and write authority for a specific integration server that is
called “default”:
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default
-g group5 -set -put

© Copyright IBM Corporation 2013

Deactivating integration node administration authority
1. Stop the integration node.
Example: mqsistop IB9NODE

2. Run the mqsichangebroker command with -s inactive option.

Example: mqsichangebroker IB9NODE -s inactive

3. Restart the integration node.

Example: mqsistart IB9NODE

© Copyright IBM Corporation 2013

 Message flow security

© Copyright IBM Corporation 2013

Course materials may not be reproduced in whole or in part without the prior written permission of IBM. 8.0
Message flow security
• End-to-end processing of a message through a message flow is
secured based on identity credentials that are carried in that message
instance
– Controlled by Runtime Security Manager by using security profiles that the IBM
Integration Bus administrator configures
– Requires external security provider such as LDAP or Tivoli Federated Identity
Manager
• Authorization verifies that an identity token has permission to access a
message flow
• Authentication establishes the identity of a user or system and verifies
that the identity is valid
• Identity mapping maps an identity in one realm to another identity in a
different realm
• Identity and security token propagation enables the identity and
security tokens (associated with each message) to propagate
throughout a message flow, and to target applications through output or
request nodes
© Copyright IBM Corporation 2013
Security profiles
• Define the security operations to be completed in a message flow at
SecurityPEP nodes and security-enabled input and output nodes
• Configured by the integration node administrator in the BAR File editor
before deploying a message flow
• Accessed by the security manager at run time
• Identify the external security provider
– IBM Tivoli Federated Identity Manager V6.1
– WS-Trust v1.3 compliant security token servers (including Tivoli Federated
Identity Manager V6.2)
– Lightweight Directory Access Protocol (LDAP)
• Can be created in IBM Integration Explorer or by using the
mqsicreateconfigurableservice command

© Copyright IBM Corporation 2013

Security profile property

• Set to No Security to explicitly turn off security for

the node
• Leave blank if the node inherits the Security profile
property that is set at the message flow level
• Set to the name of a specific security profile
• If the named security profile does not exist in the run
time, the message flow fails to deploy

© Copyright IBM Corporation 2013

 Creating a security profile
In IBM Integration Explorer:
1. Right-click the integration node and click Properties.
2. Select the Security and Policy option, and click Security Profiles.
3. Click Add to create a profile and add it to the list.
4. Configure the security profile.
5. Click Finish.

In a command
1. Open the IBM Integration Console.
2. Enter the mqsicreateconfigurableservice command.
Example:
mqsicreateconfigurableservice IB9NODE -c SecurityProfiles -o LDAP -n
authentication,authenticationConfig,authorization,authorizationConfig,
propagation –v
"LDAP,\"ldap://ldap.acme.com:389/ou=sales,o=acme.com\",LDAP,
\"ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,o=acme.com\",TRUE"

© Copyright IBM Corporation 2013

Security profile configuration example

© Copyright IBM Corporation 2013

Identity and security token propagation
• Enables identity and security tokens to be propagated throughout a
message flow, and on to target applications through output or request
nodes
– Input node extracts security tokens if it is configured with a security profile at
deployment time
– Output node propagates an identity if it is configured with a security profile that
enables propagation at deployment time
• Output nodes that support identity propagation:
– CICSRequest
– HTTPRequest
– IMSRequest
– MQOutput
– SAPRequest
– SCAAsyncRequest
– SCARequest
– SOAPAsyncRequest
– SOAPRequest

© Copyright IBM Corporation 2013

Configuring for identity propagation
1. In the IBM Integration Explorer, right-click the BAR file, and then click
Open with > Bar Editor.
2. On the Manage tab, select the flow or node on which to set the
security profile.
3. In the Properties view Security profile field, enter the name of the
security profile.
4. Save the BAR file.

© Copyright IBM Corporation 2013

Secure sockets layer (SSL)
• Protocol to allow transmission of secure data over an unsecured
network
• Combines these techniques:
– Symmetric and secret key encryption
– Asymmetric and public key encryption
– Digital signature
– Digital certificates
• Protection
– Client/server
– Queue manager and queue manager channels
• To combat security problems
– Eavesdropping: Encryption techniques
– Tampering: Digital signature
– Impersonation: Digital certificates

© Copyright IBM Corporation 2013

Implementing SSL authentication in IBM Integration Bus
• Set up a public key infrastructure (PKI):
1. Create a keystore file or a truststore
2. Create a self-signed certificate for test use
3. Import a certificate for production use
4. View details of a certificate
5. Extract a certificate
6. Add a signer certificate to the truststore
7. List all certificates in a keystore
8. *Configure PKI at integration node level
9. *Configure PKI at integration server level
• *Configure the nodes to use SSL

*These steps are specific to IBM Integration Bus

© Copyright IBM Corporation 2013
Configuring PKI at the integration node level (1 of 2)
• Define the integration node registry properties that identify the location,
name, and password of the keystore and truststore files.

1. Start the integration node.

2. Show the current settings of the integration node registry properties:
mqsireportproperties iNodeName -o BrokerRegistry –r
3. Set the keystore property:
mqsichangeproperties iNodeName -o BrokerRegistry
-n brokerKeystoreFile
-v C:\IIB\MQSI\9.0.0.0\MyBrokerKeystore.jks
4. Set the truststore property:
mqsichangeproperties iNodeName -o BrokerRegistry
-n brokerTruststoreFile
-v C:\IIB\MQSI\9.0.0.0\MyBrokerTruststore.jks
5. Stop the integration node.
© Copyright IBM Corporation 2013
Configuring PKI at the integration node level (2 of 2)
6. Set the password for the keystore:
mqsisetdbparms iNodeName -n brokerKeystore::password
-u ignore -p keystorePass
7. Set the password for the truststore:
mqsisetdbparms iNodeName -n brokerTruststore::password
-u ignore -p truststorePass
8. Start the integration node.
9. Show and verify the integration node registry properties:
mqsireportproperties iNodeName -o BrokerRegistry –r

© Copyright IBM Corporation 2013

Configuring PKI at the integration server level (1 of 2)
Define the ComIbmJVMManager properties for the required integration server to
identify the location, name, and password of the keystore and truststore files.
1. Start the integration node.
2. Show the current settings of the ComIbmJVMManager properties.
mqsireportproperties iNodeName -e iServerName
-o ComIbmJVMManager -r
3. Set the keystore property.
mqsichangeproperties iNodeName -e iServerName
-o ComIbmJVMManager -n keystoreFile
-v C:\IIB\MQSI\9.0.0.0\MyNodeServer_name Keystore.jks
4. Set the keystore password key property.
mqsichangeproperties iNodeName -e iServerName
-o ComIbmJVMManager -n keystorePass
-v iServerName_Keystore::password
5. Set the truststore property.
mqsichangeproperties iNodeName -e iServerName
-o ComIbmJVMManager -n truststoreFile
-v C:\IIB\MQSI\9.0.0.0\MyNodeServer_name Truststore.jks

© Copyright IBM Corporation 2013

Configuring PKI at the integration server level (2 of 2)
6. Set the truststore password key property:
mqsichangeproperties iNodeName -e iServerName
-o ComIbmJVMManager -n truststorePass
-v iServerTruststore::password
7. Stop the integration node.
8. Set the password for the keystore.
mqsisetdbparms iNodeName -n iServerName_Keystore::password
-u ignore -p keystore_pass
9. Set the password for the truststore.
mqsisetdbparms iNodeName –n iServerName_Truststore::password
-u ignore -p truststore_pass
10. Start the integration node.
11. Show and verify the ComIbmJVMManager properties.
mqsireportproperties iNodeName -e iServerName
-o ComIbmJVMManager -r

© Copyright IBM Corporation 2013

Configuring SSL and JMS nodes
1. In the JMS node properties:
– Select JMS provider name
– Configure Location JNDI bindings with the URL that points to the JNDI
bindings
– Configure the Connection factory name to specify a pre-configured
connection factory that is enabled for SSL connectivity
2. Make the client JAR files available to the integration node

© Copyright IBM Corporation 2013

 IBM Integration web
console security

© Copyright IBM Corporation 2013

Course materials may not be reproduced in whole or in part without the prior written permission of IBM. 8.0
Controlling access to IBM Integration web console
• Permissions are checked to determine a web user's authorization to
perform tasks in the web console
• Access is controlled by associating users with roles
• Use the mqsiwebuseradmin command to:
– Create a web user
– Set or change a web user's password
– Remove a web user
– Assign a web user to a role

© Copyright IBM Corporation 2013

Role-based security
• A role is a system user account that has a set of security permissions
that are assigned to it
• Each web user account is associated with a particular role
• Grant the same authorizations to multiple users by assigning them to
the same role, but each user can be assigned to only one role

© Copyright IBM Corporation 2013

Granting access based on roles
1. Create a system user account on the operating system for each role.
2. Grant permissions on the authorization queues for the system user
accounts for each role.
3. Enable integration node administration security by setting the -s
parameter to active.
4. Use the mqsiwebuseradmin command to create the web user
accounts.

© Copyright IBM Corporation 2013

Administer web user accounts command
mqsiwebuseradmin brokerSpec -l [-u useracct -a password]

mqsiwebuseradmin brokerSpec -c | -m | -d
-u useracct [-a password] [-r role] [-w timeoutSecs]
[-v traceFileName]

• List (-l) the web users that are defined within the integration node, and
the roles with which they are associated
• Create (-c) a web user account where the user account parameter
(-u) is the account name
– If role (-r) is not specified, a default role is created with the same name as the
web user account.
• Modify (-m) a web user account
• Delete (-d) a web user

© Copyright IBM Corporation 2013

Unit summary
Having completed this unit, you should be able to:
• Configure integration node administration security to control the
authorities that developers and administrators use to complete their
specific tasks
• Use security profiles to implement message flow security
• Implement security for the IBM Integration web console

© Copyright IBM Corporation 2013

Checkpoint questions
1. True or false: Authorization permissions on the
SYSTEM.BROKER.AUTH queue must be configured before a user
can develop message flows.

2. Select the option that correctly defines the relationship between

WebSphere MQ permissions and integration node authorization.
a. Inquire = Read, Set = Write, Put = Run
b. Inquire = Run, Set = Write, Get = Read
c. Inquire = Read, Set = Run, Put = Write

© Copyright IBM Corporation 2013

Checkpoint answers
1. False. Developers do not need authorization to create message
flows. If integration node administration is activated, developers
require extra authorization to deploy and test message flows if they
do not belong to a group that has the required permissions.

2. c

© Copyright IBM Corporation 2013

 Exercise 4

Administering IBM Integration Bus

security

© Copyright IBM Corporation 2013

Course materials may not be reproduced in whole or in part without the prior written permission of IBM. 8.0
Exercise objectives
After completing this exercise, you should be able to:
• Activate administration authority
• Assign security permissions for integration nodes, integration servers,
and message flows with IBM Integration Explorer and IBM Integration
Bus commands
• Use the IBM Integration API Exerciser to test the secured environment

© Copyright IBM Corporation 2013