Tivoli Access Manager for Business Integration allows you to consolidate the administration of access control policy across multiple servers. Administration is performed via a Web-based, central administration tool that replaces the need to have an administrator set these access control rules locally at each server's console. This administration tool also supports multiple levels of delegation allowing resource owners to maintain and manage control of their own resources.
Application-level data protection differs from link-level or channel-level protection in that the integrity and confidentiality of messages can be demonstrated not just while messages are in transit from system to system, but also while they are under the control of WebSphere MQ itself (i.e., resident in a queue). This is critical for customers using WebSphere MQ to process personally identifiable information or other sensitive data, such as high-value financial transactions.
Customers can deploy a single security management solution for WebSphere MQ to protect the messaging associated with their core line-of-business applications as messages traverse both mainframe and distributed servers.
Tivoli Access Manager for Business Integration allows you to remotely manage which applications can put messages to, and get messages from, specific queues or queue managers. When an application calls the WebSphere MQ interface to put a message on a queue, Tivoli Access Manager for Business Integration intercepts and analyzes the call to verify that the sending application is authorized to access the requested queue. If the call is authorized, it determines, based on a policy you define, whether the message data should be digitally signed, signed and encrypted, or passed on unchanged before the message is placed on the requested queue. Administration of these security policies is done remotely, using a Web-based tool that replaces the need for administrators to visit each physical system. In addition to the authorization services that Tivoli Access Manager for Business Integration provides for WebSphere MQ, it also provides an authorization plug-in for the IBM WebSphere Business Integration brokers. This allows customers to consolidate the administration of security policies covering access control of both queues and queue managers, along with publish/subscribe topics, into a single Web-based administration tool.
Tivoli Access Manager for Business Integration uses public key-based credentials for application authorization. The application's private key is used to digitally sign message data, and the matching public key certificate lets the receiving side verify that the message has not been tampered with while being processed by WebSphere MQ (both while in a queue and while in transmission to a destination server). Tivoli Access Manager for Business Integration supports public key credentials issued by popular certificate authorities including VeriSign, Entrust, Baltimore and Netscape. Credentials generated by other certificate authorities that follow the X.509 version 3 standard may also be compatible.
By signing and encrypting your sensitive messages before they even reach WebSphere MQ for processing, Tivoli Access Manager for Business Integration lets you detect whether the integrity of these messages has been compromised, and keeps their contents confidential, while they are under the control of WebSphere MQ. You can choose the encryption algorithm and key length (RC2 128, DES 64, Triple DES 128, Advanced Encryption Standard (AES) 128, or AES 256) that best meets your security needs. Note that DES (56 bits of effective key strength) and RC2 are legacy algorithms that are no longer considered adequate for protecting sensitive data; AES should be chosen for new deployments.
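The following is an added example, not code from the product or from IBM: a standard-library-only Python simulation of the put/get interception, the per-queue policy lookup (sign, sign and encrypt, or pass through unchanged) and the verification on get that the preceding paragraphs describe, including the case where a message is altered while it sits in the queue. Queue names, application identities, the ACL, the key material and the envelope format are all assumptions made for the example. HMAC-SHA256 under a per-application secret stands in for the product's X.509 private-key signatures, and a SHA-256-derived keystream stands in for AES or Triple DES, so that the example runs offline; neither is the product's actual mechanism.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed policy data for the example (not a real deployment): which application
# identities may put/get on each queue, and the protection each queue requires.
ACL = {
    "PAYMENTS.IN": {"put": {"app-billing"}, "get": {"app-ledger"}},
    "AUDIT.IN": {"put": {"app-billing", "app-ledger"}, "get": {"app-siem"}},
    "SCRATCH": {"put": {"app-billing"}, "get": {"app-billing"}},
}
PROTECTION = {"PAYMENTS.IN": "sign_encrypt", "AUDIT.IN": "sign"}  # unlisted queues: "none"

# Assumed stand-ins for the product's X.509 key material: HMAC-SHA256 under a per-app
# secret replaces an RSA signature, and a SHA-256-derived keystream replaces AES, so the
# example needs only the standard library. Neither is the product's actual algorithm.
SIGNING_KEYS = {"app-billing": b"k-billing", "app-ledger": b"k-ledger"}
QUEUE_KEYS = {"PAYMENTS.IN": b"k-payments-confidentiality"}

class AccessDenied(Exception):
    pass

class IntegrityError(Exception):
    pass

def _keystream_xor(key, nonce, data):
    """Counter-mode XOR with a hash-derived keystream (stand-in for AES-CTR)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def _authorize(app, queue, op):
    if app not in ACL.get(queue, {}).get(op, set()):
        raise AccessDenied(f"{app} may not {op} on {queue}")

def _mac(signer, queue, mode, nonce, body):
    # The tag binds the body to signer, destination queue and protection mode, so a
    # message signed for one queue cannot be replayed into another.
    header = f"{signer}|{queue}|{mode}|".encode() + nonce
    return hmac.new(SIGNING_KEYS[signer], header + body, hashlib.sha256).digest()

def protect_put(app, queue, payload):
    """Interceptor on the put call: authorize, then wrap the payload per queue policy."""
    _authorize(app, queue, "put")
    mode = PROTECTION.get(queue, "none")
    if mode == "none":
        return payload  # passed on unchanged
    nonce = os.urandom(12)
    body = _keystream_xor(QUEUE_KEYS[queue], nonce, payload) if mode == "sign_encrypt" else payload
    envelope = {
        "signer": app,
        "nonce": base64.b64encode(nonce).decode(),
        "body": base64.b64encode(body).decode(),
        "sig": base64.b64encode(_mac(app, queue, mode, nonce, body)).decode(),
    }
    return json.dumps(envelope).encode()  # this is what actually sits in the queue

def unprotect_get(app, queue, stored):
    """Interceptor on the get call: authorize, verify, decrypt; raise on any tampering."""
    _authorize(app, queue, "get")
    mode = PROTECTION.get(queue, "none")
    if mode == "none":
        return stored
    try:
        env = json.loads(stored)
        signer, nonce = env["signer"], base64.b64decode(env["nonce"])
        body, sig = base64.b64decode(env["body"]), base64.b64decode(env["sig"])
    except (ValueError, KeyError, TypeError) as exc:
        raise IntegrityError("message on a protected queue is not a valid envelope") from exc
    # A valid signature is not enough: the signer must itself hold put rights on this queue.
    if signer not in SIGNING_KEYS or signer not in ACL[queue]["put"]:
        raise IntegrityError(f"signer {signer!r} is unknown or lacks put rights on {queue}")
    if not hmac.compare_digest(sig, _mac(signer, queue, mode, nonce, body)):
        raise IntegrityError("signature does not verify: message altered in transit or at rest")
    return _keystream_xor(QUEUE_KEYS[queue], nonce, body) if mode == "sign_encrypt" else body

def get_outcome(app, queue, stored):
    """Classify a get for reporting: 'delivered', 'access-denied' or 'integrity-failure'."""
    try:
        unprotect_get(app, queue, stored)
        return "delivered"
    except AccessDenied:
        return "access-denied"
    except IntegrityError:
        return "integrity-failure"

def flip_byte_in_body(stored):
    """Simulate an attacker altering the message while it sits in the queue."""
    env = json.loads(stored)
    body = bytearray(base64.b64decode(env["body"]))
    body[0] ^= 0x01
    env["body"] = base64.b64encode(bytes(body)).decode()
    return json.dumps(env).encode()
```

To exercise it, call `protect_put("app-billing", "PAYMENTS.IN", b"PAY 1000 EUR to ACC-42")` and hand the result to `unprotect_get("app-ledger", "PAYMENTS.IN", ...)`; the plaintext is not visible in what is queued, a single flipped byte in the queued envelope is reported as an integrity failure, an envelope signed for AUDIT.IN is rejected if it turns up on PAYMENTS.IN, and an unprotected message found on a protected queue is rejected rather than delivered. The design point worth noting is that the verifier recomputes the tag from the policy it trusts (target queue and required mode), never from fields the envelope claims about itself.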
Tivoli Access Manager for Business Integration supports applications written to the WebSphere MQ native programming API and the Java Message Service (JMS) API (bindings mode on distributed servers and 100% Java mode on distributed clients). It supports systems running IBM WebSphere MQ queue manager services as well as systems running the IBM WebSphere MQ client on a variety of platforms. On mainframe servers, Tivoli Access Manager for Business Integration is designed to support IBM Customer Information Control System (CICS®), IBM Information Management System (IMS™) and batch applications that use either the WebSphere MQ native API or the JMS API.
Tivoli Access Manager for Business Integration relies on a common set of shared services, including a central security policy manager, a central credential directory and the Web Portal Manager. Once these services have been installed by any Tivoli product that uses them, they do not need to be installed again, reducing costly maintenance and re-implementation.