ActiveMQ MPX Security

The ActiveMQ MPX security features include:

  • Data encryption.
  • User authentication and access rights.

Data Encryption

A client receives data from an MPX-enabled server configuration over one of two paths:

  • Directly from the server
  • Indirectly from transmitters and MPX Cache Agents through a MPX Message Broker

The encryption level for data sent directly from the server is specified on the Server Properties dialog box for each individual server configuration. This setting can be left at no encryption, in which case data on the direct path travels in the clear, so check it for every MPX-enabled server configuration rather than assuming a default. See the StarTeam Cross-Platform Client online help for more information on setting encryption levels for a server configuration.

All data sent by the transmitters or MPX Cache Agents is encrypted. Each MPX Event Transmitter has its own encryption key. When the server configuration starts an MPX Event Transmitter, it creates a unique encryption key for that instance of the MPX Event Transmitter. When a client opens a project, the server configuration sends the client the MPX Event Transmitter encryption key directly over the server connection (that is, protected only by whatever encryption level is set for the direct path). The client holds one encryption key for each MPX-enabled server configuration it is accessing.

All files and objects sent by the MPX File Transmitter are encrypted. The content is stored in encrypted format by MPX Cache Agents and decrypted only “at the last moment” within the client process.


User Authentication and Access Rights

As users log on to a server configuration, they are identified individually by their user names and as members of the groups to which they belong. This information is stored as an access token for each user. Based on a user’s access rights, the server configuration determines which objects a user can see and which operations that user can perform on those objects.

The caching module in the client enforces the same set of user access rights. When a client receives a message from a Message Broker, it verifies whether the user is authorized to view the data in the message. If the user has the necessary access rights, the message is stored in the client cache; otherwise, that object is not cached.

In a StarTeam client, you can control detailed access rights for a file: the ability to see the file, see history, check-out, check-in, and so on. For example, you can give someone the "see item and its properties" right but deny the "check-out" right.

However, with the MPX Cache Agent, granting someone the "see item and its properties" right effectively grants them an "MPX Cache Agent check-out" right as well. The MD5 of a file is one of its properties, and the MD5 is all that is needed to request a file's content from an MPX Cache Agent; since every client that opens a project already receives the transmitter encryption key, nothing else stands between a user who can see the item and its content. The server's "check-out" right is enforced only on the direct path. For environments in which this difference in security "interpretation" matters, either do not deploy the MPX Cache Agent, or deny the "see item and its properties" right to users who should not be able to check out the corresponding files.
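The two paragraphs above (the client-side cache filtering and the "see item implies cache-agent check-out" gap) are modelled in the following added example. It is not StarTeam or MPX code: the class names, the request flow, the toy stream cipher and the sample file are assumptions made for the illustration, and only the right names are taken from the text. It generalizes the page's point to any content-addressed cache that serves objects by hash without re-checking the requester's rights.

```python
"""Hypothetical model of the MPX Cache Agent authorization gap.

Added example, not StarTeam/MPX code. The rights names follow the text; the
protocol, cipher, class names and sample content are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Rights named in the text (a StarTeam client controls many more).
SEE_ITEM = "see item and its properties"
CHECK_OUT = "check-out"


@dataclass
class FileItem:
    name: str
    content: bytes

    @property
    def md5(self) -> str:
        return hashlib.md5(self.content).hexdigest()


def toy_xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (keystream = HMAC-SHA256 over a block counter).
    Symmetric, so the same call encrypts and decrypts. Demo only: the
    product's real algorithm is not documented on this page."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


class Server:
    """Enforces per-file rights and hands the transmitter key to any
    authenticated client, as the text says happens when a project opens."""

    def __init__(self, files, acl):
        self.files = {f.name: f for f in files}
        self.acl = acl                          # {user: {file name: {rights}}}
        self.transmitter_key = os.urandom(32)   # one key per transmitter instance

    def rights(self, user, name):
        return self.acl.get(user, {}).get(name, set())

    def visible_properties(self, user):
        """Properties (including the MD5) of every file the user may see."""
        return {n: f.md5 for n, f in self.files.items()
                if SEE_ITEM in self.rights(user, n)}

    def check_out(self, user, name):
        """Direct path: the server itself checks the check-out right."""
        if CHECK_OUT not in self.rights(user, name):
            raise PermissionError(f"{user}: no check-out right on {name}")
        return self.files[name].content


class CacheAgent:
    """Content-addressed store of encrypted content keyed by MD5.
    It holds no user identity and performs no authorization at all."""

    def __init__(self, key):
        self.key = key
        self.store = {}

    def publish(self, item):                    # fed by the File Transmitter
        self.store[item.md5] = toy_xor_stream(self.key, item.content)

    def fetch(self, md5):
        return self.store[md5]


def client_cache_filter(server, user, broker_messages):
    """Client caching module: keep a broker message only if the user may
    see the object it describes (the client-side mirror of the ACL)."""
    visible = server.visible_properties(user)
    return [m for m in broker_messages if m["name"] in visible]


def cache_agent_check_out(server, agent, user, name):
    """Indirect path: the only gate is knowing the MD5, which SEE_ITEM reveals."""
    md5 = server.visible_properties(user).get(name)
    if md5 is None:
        raise PermissionError(f"{user}: cannot see {name}")
    return toy_xor_stream(server.transmitter_key, agent.fetch(md5))


def run_scenario(rights_for_alice):
    """Whether alice can read secret.txt via each path under the given rights."""
    secret = FileItem("secret.txt", b"constructed sample content")  # constructed
    server = Server([secret], {"alice": {"secret.txt": set(rights_for_alice)}})
    agent = CacheAgent(server.transmitter_key)
    agent.publish(secret)
    paths = {
        "direct": lambda: server.check_out("alice", "secret.txt"),
        "cache_agent": lambda: cache_agent_check_out(server, agent, "alice", "secret.txt"),
    }
    result = {}
    for path, attempt in paths.items():
        try:
            result[path] = attempt() == secret.content
        except PermissionError:
            result[path] = False
    return result


if __name__ == "__main__":
    print("see item only:      ", run_scenario({SEE_ITEM}))
    print("see item denied:    ", run_scenario(set()))
```

With only the "see item and its properties" right, the direct check-out is refused but the cache-agent path returns the plaintext, because the agent answers any request that carries a known MD5 and the client already holds the transmitter key. Removing the "see item" right closes the indirect path too, which is the mitigation the text recommends when the Cache Agent is deployed.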
