More and more users are exploring ways to use messaging technologies and applications to exchange business transaction information in enterprisewide and intrabusiness settings. Insurance companies want better means to interact with agents and brokers, carmakers pursue improved application-level ties to their dealerships, TV broadcast networks seek tighter business links with their affiliates and so on. On a private network, such applications need at least a modicum of security. On a public network such as the Internet, or a semipublic network such as Tymnet or IVANS, the need for security is infinitely greater.

To view the Report card.When message-oriented middleware (MOM) carries sensitive information across a semipublic or public network, protecting that information requires thoughtful design, carefully crafted procedures and end-to-end (application-level, machine-level and message- packet-level) security.

To learn which MOM product offers users the highest level of protection, we decided to put two contenders--Candle Corp.'s MQSecure version 100 and Microsoft Corp.'s Message Queue Server (MSMQ) version 1.0--through their paces. As part of our evaluation, we tested them for ease of use, unobtrusive integration into applications via a simple API, and both protocol and platform neutrality.

But, above all, we explored the two products' ability to provide end-to-end security. Our tests probed how well the products assure the sender's authenticity, protect message content from damage or alteration, and shield the content of messages from prying eyes (see "MOM's Security Methods" on page 105).

MQSecure beefs up security within IBM MQSeries environments; MSMQ is a MOM product with a degree of security included in its messaging functions. If your network uses IBM Corp.'s MQSeries along with DCE (Distributed Computing Environment) products, be aware that you can invoke DCE security functions from within an MQSeries-based application, perhaps making MQSecure unnecessary. But, the impenetrability of Kerberos notwithstanding, embracing DCE for its security features alone isn't worthwhile.

We also tested a third MOM product, Ambrosia Event Management System version 2.1, which has since been withdrawn from the market; its vendor, Open Horizon, closed down its business operations shortly after we completed our evaluations of its offering.

Other MOM products, such as Digital Equipment Corp.'s DECMessage (recently acquired by BEA Systems for inclusion in its Tuxedo TP monitor), are intended for private network use and contain virtually no security features. However, BEA states that it plans to add security to its newly acquired MOM component. A Swedish software company, Verimation, lets applications embed authorization text strings in messages sent via its VCOM messaging product. And NCR says its Top End offers messaging security; the company did not respond to our request to evaluate the product for testing.

How We Tested To examine security in a message-oriented middleware environment, we simulated a TCP/IP-based public network link between two companies. Using this Web-based connection, our test application exchanged data over the Internet.