Non-repudiation
In addition to specifying a quality of protection, the protected object policy for a queue specifies the audit level for the queue. The audit level can be one of the following:
- all: Access Manager for Business Integration generates an audit record for each MQOPEN, MQGET, MQPUT, MQPUT1, and MQCLOSE call on a protected queue.
- none: Access Manager for Business Integration generates no audit records for MQI calls.
Although these audit levels are available on all platforms, additional ones are available for use with Access Manager for Business Integration on AIX, Solaris, HP/UX, Linux Intel and Windows 2000/2003/XP:
- permit: Records only successful access to Tivoli Access Manager for Business Integration–protected resources
- deny: Records only denied requests for access to Tivoli Access Manager for Business Integration–protected resources
- admin: Records OPEN, CLOSE, PUT, and GET operations on protected IBM WebSphere MQ queues
- error: Records any unsuccessful GET operations which result in messages being sent to the error handling queue.
When an application gets a message from a queue, the audit record for the MQGET call includes the following information:
- The date and time of the MQGET call
- The name of the queue from which the message was retrieved
- The name of the queue manager that owns the queue
- Whether the MQGET call completed successfully
- The message digest algorithm that was used to create the digital signature, if the message was signed
- The Distinguished Name of the sender of the message
- The contents of the MsgId field in the message descriptor of the message
- The contents of the Format field in the message descriptor of the message
Although the audit record contains some information about the message, who sent it, and where and when it was received, other evidence that might be used to provide a non-repudiation service with proof of origin is not recorded. In particular, the audit record does not contain:
- The digital certificate of the sender
- The digital signature of the sender
- The original message