Securing IBM Integration Bus on z/OS without changing the integration node configuration

This article shows you how to configure AT-TLS for IBM Integration Bus message flows on z/OS, including the policy agent and TCP/IP stack configuration on z/OS. Simple HTTP-based message flows let you quickly test the setup from a distributed system such as a Windows server.

IBM® Integration Bus (formerly known as IBM WebSphere® Message Broker) is an enterprise service bus (ESB) providing connectivity and universal data transformation for SOA and non-SOA environments. While ESBs and messaging are critical to many businesses, the convenience and speed are accompanied by security threats, including content that can seriously compromise the organization. You can enhance the security of an IBM Integration Bus environment with SSL authentication by using Java™ keystores and truststores in JKS format and configuring Integration Bus to specify the paths and passwords of the keystore and truststore. However, it can be challenging to manage the keys using the Java keytool command on IBM z/OS®, and z/OS system programmers usually prefer to maintain keys in IBM Resource Access Control Facility (RACF).

An alternative way to manage keys for SSL connections on z/OS is to implement Application Transparent Transport Layer Security (AT-TLS), which is part of z/OS Communications Server. AT-TLS provides SSL services on behalf of applications running on z/OS (including IBM Integration Bus on z/OS) and has many advantages over the conventional methods just mentioned. AT-TLS is policy-based and uses RACF-managed digital certificates and keyrings. Middleware systems programmers do not have to set any SSL-related configuration for IBM Integration Bus running on z/OS. The use of SSL by partner applications transacting with IBM Integration Bus on z/OS is transparent to them.
