Method and system for access control of a message queue
First Claim
1. A method of controlling access to a message queue of a receiver in a message queuing system with asynchronous message delivery, comprising the steps of:
- registering with a trusted server of the message queuing system a public key of a user of the message queuing system associated with a security identification (SID) of the user for identifying the user, the trusted server being a separate entity from the receiver;
forming a digital signature for a message generated by an application run by the user using a private key associated with the public key of the user;
transmitting to the receiver a message packet including the message, the public key of the user, and the digital signature;
verifying, by the receiver, the signature transmitted with the message using the received public key;
querying, by the receiver, the trusted server to obtain the SID associated with the public key transmitted with the message; and
determining whether to allow the message to be placed in a message queue of the receiver based on the obtained SID.
2 Assignments
0 Petitions
Accused Products
Abstract
A method and system for controlling access to a message queue in a message queuing system utilizes a certificate of a user who sends a message to authenticate the message and uses a directory service of the message queuing system as a trusted entity in the authentication process. The certificate used for message authentication may be an internal certificate issued by the message queuing system or an external certificate issued by a certification authority. The certificate is registered with the directory service of the message queuing system and stored with a security identification (SID) of the user. When the user runs an application which sends a message to a target queue, the sending computer signs the message with a private key associated with the certificate and sends the message with the digital signature and the certificate to the receiving computer. When the receiving message queue (MQ) server receives the message packet, it verifies the digital signature of the message. If the signature is verified, the receiving MQ server queries the message queuing system to obtain the SID associated with the certificate. The MQ server then decides whether the message with the SID should be placed in the target queue by checking a security descriptor of the target queue.
203 Citations
24 Claims
-
1. A method of controlling access to a message queue of a receiver in a message queuing system with asynchronous message delivery, comprising the steps of:
-
registering with a trusted server of the message queuing system a public key of a user of the message queuing system associated with a security identification (SID) of the user for identifying the user, the trusted server being a separate entity from the receiver;
forming a digital signature for a message generated by an application run by the user using a private key associated with the public key of the user;
transmitting to the receiver a message packet including the message, the public key of the user, and the digital signature;
verifying, by the receiver, the signature transmitted with the message using the received public key;
querying, by the receiver, the trusted server to obtain the SID associated with the public key transmitted with the message; and
determining whether to allow the message to be placed in a message queue of the receiver based on the obtained SID. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A message queuing system for asynchronous delivery of a message from a sender to an access-controlled message queue of a receiver, comprising:
-
a trusted server for registering a public key of a user and storing a corresponding security identification (SID) of the user for identifying the user, the trusted server being a separate entity from the receiver;
a routine for generating a digital signature for a message sent by an application run by the user using a private key associated with the public key;
a message queue server of the sender for transmitting the message with the public key and the digital signature to the receiver; and
a message queue server of the receiver for verifying the digital signature using the received public key, querying the trusted server to obtain the SID corresponding to the public key, and determining whether to allow the message to be placed in a message queue of the receiver based on the obtained SID. - View Dependent Claims (13, 14, 15, 16, 17, 18)
-
-
19. A computer-readable medium having computer-executable components comprising:
-
a trusted server component for registering a public key of a user and storing a corresponding security identification (SID) of the user for identifying the user;
a signing component for generating a digital signature for a message sent by an application run by the user using a private key associated with the public key;
a sending message queue server component for transmitting the message with the public key and the digital signature to the receiver; and
a receiving message queue server component for verifying the digital signature using the received public key, querying the trusted server to obtain the SID corresponding to the public key, and determining whether to allow the message to be placed in a message queue of the receiver based on the obtained SID, the trusted server being a separate entity from the receiving message queue server.
-
-
20. A method of controlling access to a message queue of a receiver in a message queuing system with asynchronous message delivery, comprising the steps of:
-
receiving a message from a sender of the message queuing system to a destination message queue, the message sent with a public key of a user sending the message and a digital signature of the message formed with a private key associated with the public key;
verifying, by the receiver, the signature transmitted with the message using the received public key;
querying, by the receiver, a trusted server of the message queuing system to obtain a security identification (SID) corresponding to the public key received by the receiver and identifying a user sending the message, the trusted server being a separate entity from the receiver; and
checking a security descriptor for the destination queue to determine whether the message is allowed to be placed in the destination message queue based on the obtained SID. - View Dependent Claims (21, 22, 23, 24)
-
Specification