Implementing Security in WMB
PEPERO (Disciple; Joined: 30 May 2011; Posts: 177)
Posted: Wed Sep 24, 2014 1:34 am; Post subject: Implementing Security in WMB

Hi all;
I strongly believe that most of the security requirements have been designed and implemented in the WMB (including mechanisms for security identities, authorization, confidentiality and so on).
I want to consume the power of our WMB server for the message brokering only, since I've found the server is CPU bound.
Hence we are going to use a proxy to handle the security considerations accessing WMB's web services. Suppose this architecture is designed for a high volume rated transactions environment.
Now I want to know whether there is any recommendation from IBM on this issue. Are there any related documents to help us decide what is the best practice to resolve the question of using or avoiding the WMB's internal security policies under these circumstances?
Also, what is your recommendation?
Last edited by PEPERO on Wed Sep 24, 2014 11:02 pm; edited 1 time in total
mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Wed Sep 24, 2014 5:12 am

Among other things, Broker's WS-Security support has only a subset of the larger features.
So, using a proxy that supports the full implementation of the spec gives you a wider range of clients you can accept.
Since you want to limit the use of the machine's CPU, this means you will have to put the proxy on a separate machine.
Since the proxy is on a separate machine, you will need to evaluate the security risk of the extra network hop to determine if you need to use SSL or not. You may want to use SSL simply to avoid making it possible for other internal applications to bypass the proxy. You could also avoid that with very tight network access rules.
Setting up a proxy is very easy. You have three main choices: Use a J2EE server and the Proxy servlet; use an Apache server and mod-proxy and export the config of a broker; or use a WAS IBM HTTP Server and export the plugin.conf from a broker.
Which one you want to use depends on your internal requirements. You would then configure the relevant container to handle the WS-Security stuff.
PEPERO (Disciple; Joined: 30 May 2011; Posts: 177)
Posted: Wed Sep 24, 2014 7:39 am

Thanks for your notes.
I prefer using IBM WAS using a proxy servlet. Is there a reliable fully implemented (firewall layers) proxy servlet currently available to be prepared from a third party or should it be developed? I don't want to reinvent the wheel.
Previously I tried the IBM HTTPPROXYSERVLET servlet published with IBM WMB for HTTP traffic handling issue. But it was used for load balancing only. Is there any other version of this servlet available to be used for security requirements?
mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Wed Sep 24, 2014 8:12 am

PEPERO wrote:
Thanks for your notes.
I prefer using IBM WAS using a proxy servlet. Is there a reliable fully implemented (firewall layers) proxy servlet currently available to be prepared from a third party or should it be developed? I don't want to reinvent the wheel.
Previously I tried the IBM HTTPPROXYSERVLET servlet published with IBM WMB for HTTP traffic handling issue. But it was used for load balancing only. Is there any other version of this servlet available to be used for security requirements?

The IBM HTTP Proxy Servlet is the one I meant, and is the only one available and the only one that should be used.
The proxy servlet exposes URLs in WAS that will get forwarded to Broker.
You just then need to enable WAS to add security to the URLs exposed by the proxy servlet or the servlet itself, using the normal methods that WAS uses.
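
Added example, not part of the thread and not IBM's shipped descriptor: one standard Java EE way to secure the URLs a proxy servlet exposes is a declarative security constraint in the web application's `web.xml`. The URL pattern `/broker/*`, the role `BrokerClient` and the realm name `BrokerProxy` are assumptions; the servlet declaration and mapping are left as the product provides them.

```xml
<!-- Fragment for WEB-INF/web.xml of the WAR that hosts the proxy servlet.
     Assumed values: URL pattern /broker/*, role BrokerClient, realm BrokerProxy.
     The <servlet> and <servlet-mapping> elements are not shown. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Broker web services via proxy</web-resource-name>
    <!-- Must cover every URL the proxy servlet forwards to the broker -->
    <url-pattern>/broker/*</url-pattern>
    <!-- No <http-method> elements: the constraint applies to all methods,
         so no method is left unprotected by omission -->
  </web-resource-collection>

  <!-- Only authenticated callers holding this role reach the servlet -->
  <auth-constraint>
    <role-name>BrokerClient</role-name>
  </auth-constraint>

  <!-- Require TLS from client to WAS; plain HTTP requests are
       redirected to the secure port or rejected -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- BASIC is acceptable only because CONFIDENTIAL forces TLS;
     CLIENT-CERT is the alternative for mutual TLS -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>BrokerProxy</realm-name>
</login-config>

<security-role>
  <role-name>BrokerClient</role-name>
</security-role>
```

The constraint takes effect only when application security is enabled in WAS and the role is mapped to users or groups at deployment. It protects the client-to-WAS side only; the hop from WAS to the broker still needs the SSL or network-access decision raised earlier in the thread.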
PEPERO (Disciple; Joined: 30 May 2011; Posts: 177)
Posted: Wed Sep 24, 2014 8:26 am

Good. I get it. Thanks so much for your accompany.