Am writing this blog to provide an overview of working of Integration Node’s Administrative Security in v9 & v10. This blog does not cover detailed steps for implementing administrative security for integration node.
Integration Node’s Administrative Security in IIB v9
As MQ was a required component of IIB run-time in IIB v9, most of the security was implemented using MQ, as I have tried to illustrate in the below figure
To enable / disable administrative security for Integration Node in IIB v9, the command to be used is
mqsichangebroker <Integration Node> -s active / inactive
Integration Node’s Administrative Security in IIB v10
IBM Integration Bus v10, introduced flexibility in security by providing option for using either File or MQ to implement Integration Node security. Also accordingly it has introduced new commands mqsichangeauthmode / mqsireportauthmode & mqsichangefileauth / mqsireportfileauth for the file-based authorization.
Administrative Security using MQ-Based Authorization
Have tried to illustrate both MQ-based and File-based authorization in IIB v10. The below figure illustrates for MQ-based authorization, if Integration Node is associated with a queue manager
To enable MQ-based administrative security for the Integration Node in IIB v10, the command to be used is
mqsichangeauthmode <Integration Node> -s active -m mq
For MQ-based authorization, access level is controlled using the Authorization queues – 1 for Integration Node (SYSTEM.BROKER.AUTH) & 1 for each Integration Server (SYSTEM.BROKER.AUTH.<IntegrationServer Access granted / revoked for system level users / groups using the mq command setmqaut command
Administrative Security using File-Based Authorization
The below figure illustrates file-based authorization in IIB v10, that can be used irrespective of whether Integration Node is associated to a queue manager or not.
To enable File-based administrative security for the Integration Node in IIB v10, the command to be used is
mqsichangeauthmode <Integration Node> -s active -m file
For file based security, access level is maintained using the file Permissions, located in the path
<MQSI_WORKPATH>/registry/<IntNode>/CurrentVersion/Security/node/<IntNode>/
Below image provides the snapshot of the Permissions file to indicate how file based authorization is maintained by Integration Node
Access is granted / revoked for system level users, who are specified as Roles, using the command mqsichangefileauth
mqsichangefileauth <IntegrationNode> -r <role> -p <permissions>
Kindly refer to the article in IBM developerworks for more information on file-based authorization
No comments:
Post a Comment