This invention relates generally to message queuing systems, and more particularly to access control of a message queue in a message queuing system.
A message queuing system implements asynchronous communications which enable an application in a distributed processing network to send messages to, and receive messages from, other applications. A message may contain data in any format that is understood by both the sending and receiving applications. When the receiving application receives a request message, it processes the request according to the content of the message and, if required, sends a response message back to the original sending application. The sending and receiving applications may be on the same machine or on separate machines connected by a network. While messages are in transit between the sending and receiving applications, the message queuing system keeps the messages in holding areas called message queues. The message queues protect messages from being lost in transit and provide a place for an application to look for messages sent to it when it is ready.
In the context of distributed processing, asynchronous communications provide significant advantages over synchronous communications. Communications are synchronous when the sender of a request must wait for a response from the receiver of the request before it can proceed to perform other tasks. If the receiving application is slow or for any reason cannot promptly process the request, a significant amount of time of the sending application will be wasted in waiting. Moreover, with synchronous communications, the sending application must wait for the receiving application to return a response before it can make a request to another application.
In contrast, with asynchronous communications in the form of exchanging messages, an application can send multiple request messages to different receiving applications at one time and can turn immediately to other tasks without having to wait for any of the receiving applications to respond to the request messages. The messages can be sent regardless of whether the receiving applications are running or reachable over the network. The message queuing system is relied upon to ensure that the messages are properly delivered. The asynchronous message delivery also makes it easy to journal the communications and allows a receiving application to prioritize the processing of the messages.
The asynchronous message delivery, however, makes it more difficult to implement message security. It is important for a message queue. (MQ) server to selectively allow or deny permission to users or groups of users to send messages to a given message queue. A conventional way to implement access control for a data file is to use a security descriptor which contains a discretionary access control list indicating which users or groups are given or denied access to the file. When a user attempts to access the file, the credentials of the user are checked against the security descriptor to determine whether the access request should be allowed or denied.
This conventional scheme, however, is not directly applicable in a message queuing system where the communications are asynchronous. A user can run an application that sends a message to a destination queue and then log off before the message reaches the receiving MQ server which maintains the destination queue. In fact, the user can log off even before the message leaves the sending computer. If the message arrives at the receiving server after the user has logged off, the user credentials are no longer available for the receiving server to verify the identity of the user who sent the message.
It has been proposed to implement access control based on a unique security identification (SID) assigned to each user. When a message is sent, the user""s SID is added to the message. Upon receiving the message, the receiving server uses the SID as an unambiguous identification of the user who sent the message. The server checks the security descriptor associated with the destination queue to determine whether the user or any of the groups of which the user is a member is permitted to place messages in the queue. The problem with this scheme is that the SID received with the message is not by itself a reliable indication of the true identity of the person who sent the message. This is because a SID has to be known to the public to serve the function of identifying a user. In other words, it is not a secret. Thus, a hacker may hack the sending computer to insert someone else""s SID into a message. The SID associated with a message may also be tampered with when the message traverses the network to the receiver.
In accordance with the present invention, there is provided a method and system for controlling access to a message queue in a message queuing system with asynchronous message delivery. The access control utilizes a user certificate to authenticate a message sent by the user and uses a database of the message queuing system as a trusted entity in the authentication process. When the user runs an application which sends a message to a target queue, a digital signature for the message is generated with a private key associated with a selected certificate of the user. The message is sent with the digital signature and the certificate. When the receiving MQ server receives the message packet, it verifies the digital signature of the message. If the signature is verified, the receiving MQ server queries the database of the message queuing system to obtain the security identification (SID) that is associated with the certificate and therefore identifies the user who sent the message. The MQ server then checks a security descriptor of the target queue to decide whether the message with the SID should be placed in the target queue.
It is a feature of the invention that the certificate used in the message queue access control may be an internal certificate generated by the message queuing system. The use of an internal certificate avoids the need for the user to obtain an external certificate from a certification authority. Alternatively, the user can select to use an external certificate which provides compatibility with other certificate-based authentication operations.
The advantages of the invention will become apparent with reference to the following detailed description when taken in conjunction with the drawings in which: