Integration Node Administration Security – V9 vs V10

I am writing this blog to provide an overview of how the Integration Node's administrative security works in v9 and v10. This blog does not cover detailed steps for implementing administrative security for an integration node.

Integration Node’s Administrative Security in IIB v9

As MQ was a required component of the IIB run-time in IIB v9, most of the security was implemented using MQ, as I have tried to illustrate in the figure below.

IIB9_MQSecurity

To enable / disable administrative security for Integration Node in IIB v9, the command to be used is

mqsichangebroker <Integration Node> -s active / inactive

Integration Node’s Administrative Security in IIB v10

IBM Integration Bus v10 introduced flexibility in security by providing the option of using either File or MQ to implement Integration Node security. Accordingly, it also introduced the new commands mqsichangeauthmode / mqsireportauthmode & mqsichangefileauth / mqsireportfileauth for the file-based authorization.

Administrative Security using MQ-Based Authorization

I have tried to illustrate both MQ-based and File-based authorization in IIB v10. The figure below illustrates MQ-based authorization, which applies if the Integration Node is associated with a queue manager.

IIB10_MQSecurity

To enable MQ-based administrative security for the Integration Node in IIB v10, the command to be used is

mqsichangeauthmode <Integration Node> -s active -m mq

For MQ-based authorization, the access level is controlled using the authorization queues: one for the Integration Node (SYSTEM.BROKER.AUTH) and one for each Integration Server (SYSTEM.BROKER.AUTH.<IntegrationServer>). Access is granted / revoked for system-level users / groups using the MQ command setmqaut.
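The following is an added example, not from the original post or from IBM: a small shell function that prints the setmqaut command for the node-level or per-server authorization queue. The read/write/execute to +inq/+put/+set mapping is taken from IBM's product documentation rather than from this page, and the function name, queue manager, principal and server names are constructed for illustration.

```shell
#!/bin/sh
# Added example: prints (does not run) the setmqaut command for an IIB
# authorization queue. Function name and sample names are illustrative.
# Usage: iib_setmqaut QMGR user|group NAME PERMS [INTEGRATION_SERVER]
#   PERMS holds the letters to grant (r, w, x); the others are revoked.
iib_setmqaut() {
    qmgr=$1 kind=$2 name=$3 perms=$4 server=${5:-}
    if [ -z "$qmgr" ] || [ -z "$name" ]; then
        echo "queue manager and principal name are required" >&2; return 2
    fi
    case $kind in
        user)  who="-p $name" ;;
        group) who="-g $name" ;;
        *) echo "kind must be user or group" >&2; return 2 ;;
    esac
    case $perms in
        *[!rwx]*) echo "PERMS may contain only r, w, x" >&2; return 2 ;;
    esac
    # Node-level queue, or the per-server queue when a server is named.
    queue=SYSTEM.BROKER.AUTH
    if [ -n "$server" ]; then
        # MQ object names allow only these characters.
        case $server in
            *[!A-Za-z0-9._%/]*) echo "invalid server name" >&2; return 2 ;;
        esac
        queue="$queue.$server"
    fi
    # MQ object names are limited to 48 characters.
    if [ "${#queue}" -gt 48 ]; then
        echo "queue name exceeds 48 characters" >&2; return 2
    fi
    # Assumed mapping (IBM docs): read=inq, write=put, execute=set.
    auths=
    for pair in r:inq w:put x:set; do
        letter=${pair%%:*}
        auth=${pair##*:}
        case $perms in
            *"$letter"*) auths="$auths +$auth" ;;
            *)           auths="$auths -$auth" ;;
        esac
    done
    echo "setmqaut -m $qmgr -n $queue -t queue $who$auths"
}

# Constructed sample names: IB10QM, iibadmins, deployer, default.
iib_setmqaut IB10QM group iibadmins rwx
iib_setmqaut IB10QM user deployer rx default
```

The function only prints the command, so the output can be reviewed before an MQ administrator runs it.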

Administrative Security using File-Based Authorization

The figure below illustrates file-based authorization in IIB v10, which can be used irrespective of whether the Integration Node is associated with a queue manager or not.

IIB10_FileSecurity

To enable File-based administrative security for the Integration Node in IIB v10, the command to be used is

mqsichangeauthmode <Integration Node> -s active -m file

For file-based security, the access level is maintained using the file Permissions, located in the path

<MQSI_WORKPATH>/registry/<IntNode>/CurrentVersion/Security/node/<IntNode>/

The image below provides a snapshot of the Permissions file to indicate how file-based authorization is maintained by the Integration Node.

permission

Access is granted / revoked for system-level users, who are specified as Roles, using the command mqsichangefileauth

mqsichangefileauth <IntegrationNode> -r <role> -p <permissions>

Kindly refer to the article in IBM developerWorks for more information on file-based authorization

http://www.ibm.com/developerworks/websphere/library/techarticles/1603_gedupuri-trs/1603_gedupuri.html

For any corrections / suggestions / query please do drop a note to reachnebula@learnibmesb.com (or) reachnebula@gmail.com


One thought on “Integration Node Administration Security – V9 vs V10”

  1. Annette says:

    Great! Now I finally understand that the web user accounts can be used when accessing an integration node from the IIB Toolkit. And the Toolkit user does not need to be in mqbrkrs group.
