Security Concepts
This topic gives you a brief overview on how TIBCO BusinessConnect Container Edition secures and protects your data.
Secure Communication Channel
TIBCO BusinessConnect Container Edition achieves secure communication by using HTTPS over SSL/TLS, FTPS over SSL/TLS, or SSHFTP over SSH, where the whole communication pipe is encrypted.
Authentication
Authentication is used to assure the identity of the partner with whom you are communicating. In a communication system, authentication is performed as a part of the handshake process to verify that the messages originate from their stated source. TIBCO BusinessConnect Container Edition authentication is based on X.509 SSL/TLS or SSH certificates.
Authorization
Authorization is the next step in achieving secure communication. It is used to check the configuration database and verify that the sender is authorized to perform the operations and receive certain responses.This is done through trading partner management, where permissions are set through binding the operations. After the sender of a message has been authenticated, TIBCO BusinessConnect Container Edition determines which operations the sender is currently allowed to perform by checking trading partner information in the repository. TIBCO BusinessConnect Container Edition uses repository information to determine how it responds to a message from the partner. In some cases, the partner may not be authorized to perform certain interactions. In order to conceal the information from unauthorized parties and to assure privacy of business data, TIBCO BusinessConnect Container Edition uses data encryption.
Message Encryption
To ensure only the intended recipient reads the data, the message is encrypted by converting plain text into cipher text.
Encryption also achieves privacy or concealing of information from unauthorized parties by using private and public keys combined with the secret key algorithms.
For example, the sender sends a message encrypted using Public Key provided by the recipient and the recipient decrypts the message using its own Private Key.
TIBCO BusinessConnect Container Edition uses either PKI (Public Key Infrastructure) or OpenPGP for public and private keys.
In Public Key encryption, anyone can encrypt a message intended for a recipient, while only the intended recipient is permitted to decrypt such a message. The one who creates the ciphertext message cannot decrypt their own message since they do not have the private key. Only the owner of the matching private key can decrypt the message encrypted with a specific public key.
Digital Signatures
Confidentiality of the business data is protected using encryption whereas digest algorithms protect the data integrity. These algorithms are utilized by digital signature algorithms to provide authentication services.
Authentication using digital signatures is done using S/MIME authentication. It involves adding a digital signature to the outgoing message. Digital signatures bind information to the identity of its originator. They are used to provide data origin authentication and data integrity.
For example, a sender can use their Private Key to add a Digital Signature to a piece of data in order to assure the recipient that the piece of data is originating from the sender, and the partners who have the corresponding Public key can decode this signature.
The process of adding digital signature is contrary to the encryption process used in message and transport encryption.
For detailed information on the various security methods implemented in BusinessConnect Container Edition, see TIBCO BusinessConnect Container Edition Security Guidelines, Security .