Controlling Client Access to WebSphere MQ
ValerieLampkin 27000182R2 Comments (2) Visits (20697)
Security is a hot topic these days and I'd like to explain the basic use of the mcauser attribute for controlling client access for WebSphere MQ.
An inbound channel with a blank MCAUSER value will permit whatever is connecting to administer the local queue manager. To prevent this, some best practices include setting MCAUSER to the ID of the person using the respective channels, and give them the required access. The MCAUSER attribute of the SYSTEM.DEF.SVRCONN should be set to something that has no authorities on the server.
Access control in WebSphere MQ is based upon user IDs. In the case of MQ Clients, the server-connection message channel agent makes MQI calls on behalf of MQ Clients. You can select an alternative user ID for the server-connection MCA to use for making MQI calls. The alternative user ID can be associated either with the client workstation, or with anything you choose to organize and control the access of clients. The user ID needs to have the necessary authorities allocated to it on the server to issue MQI calls.
The preferred approach is to define client identification tokens at the server, and so limit the capabilities of client connected applications. This is typically done by setting the server-connection channel property MCAUSER to a special user ID value to be used by clients, and defining a small number of IDs for use by clients with different level of authorization on the server.
If you do not specify a value for the MCAUSER attribute of the channel, and do not use a security exit, it is possible for a malicious application to connect via a server connection channel and gain access to the queue manager objects with unlimited authority. A good practice would be to have your default channels configured with MCAUSER('nobody').
If you specify a user name as the MCAUSER attribute of the server connection channel, all programs connecting to the queue manager using this channel run with the identity of the named user and have the same level of authority. It is NOT recommended to use 'mqm' as MCAUSER as that would allow anyone connecting with that channel to have full rights to administer the QMGR objects.
On WebSphere MQ for Windows, the user identifier may be domain-qualified by using the format, user@domain, where the domain must be either the Windows systems domain of the local system or a trusted domain.
If this attribute is blank, the MCA uses its default user identifier. This attribute is valid for channel types of: Receiver, Requester, Server connection, Cluster receiver
Refer to the WebSphere MQ information center for more information about client security access control.
By default, the WebSphere MQ client code will pass the logged-in user ID that calls it. However, the programming interface allows for the ID presented in a client connection request to be set from within the application. The UserID can be set by the environment or Javatm/JMS classes. This overrides the ID obtained from the system. Additional authentication may be necessary to authenticate the ID set from client.
To further tighten security and ensure the ID is trustworthy, you may wish to pursue implementing SSL authentication and/or security exits. Make sure you are using SSL or a security exit if the SVRCONN channel has a blank MCAUSER or an ID that has admin access.