Bitesize Blogging: MQ V8 Connection Authentication on z/OS
Morag Hughson
Another in the series of bite size blog posts about features in MQ V8. Check out the whole series here.
One of the main security highlights of MQ V8 is a feature called Connection Authentication which allows applications to provide a user ID and password and have the queue manager validate it is correct before allowing the application to successfully connect. You can read more about this feature in a number of resources:-
This post is going to look at using Connection Authentication on the z/OS platform. On z/OS we can have our password validated by the External Security Manager (ESM) in use on the system. In my examples this is RACF, so my example error messages will be RACF error messages. Similar messages will be seen with other ESMs.
We'll start with the default object, SYST
ALTER QMGR CONN
As a result of issuing the REFRESH command, you will see these messages on the MSTR job log indicating the values that the queue manager is now operating with. You can ask to see this anytime by issuing the DISPLAY SECURITY command.
CSQH040I !CSQ1 Connection authentication ...
CSQH041I !CSQ1 Client checks: OPTIONAL
CSQH042I !CSQ1 Local bindings checks: OPTIONAL
CSQ9022I !CSQ1 CSQHSREF ' REFRESH SECURITY' NORMAL COMPLETION
If we now connect an application with an incorrect password, the following message is written by RACF into the MSTR job log.
ICH408I USER(HUGHSON ) GROUP(TSOUSER ) NAME(HUGHSON, M A (MORAG))
  LOGON/JOB INITIATION - INVALID PASSWORD
IRR013I VERIFICATION FAILED. INVALID PASSWORD GIVEN.
If we connect an application with an unknown user ID, the following message is written by RACF into the MSTR job log.
ICH408I USER(RUBBISH ) GROUP( ) NAME(??? )
  LOGON/JOB INITIATION - USER AT TERMINAL NOT RACF-DEFINED
IRR012I VERIFICATION FAILED. USER PROFILE NOT FOUND.
If we connect an application with a user ID and password that is correct, but has expired, we'll see the following MQ message written in the MSTR job log (see later for an explanation of the inserts - they are the same as the next message we describe).
CSQH046E !CSQ1 CSQHNSIG SYST
Now we're going to change our settings to mandate passwords to be sent for our local applications:-
If we now connect a locally bound application without a password, we will see the following message written to the MSTR job log. This message shows the user ID that ran the application, in this case HUGHSON, and the name of the job, in this case it is my batch job PUTMSG.
CSQH045E !CSQ1 CSQHNSIG HUGHSON/PUTMSG did not provide a password
Now we're going to switch our settings to mandate passwords to be sent for our client applications:-
If we now connect a client application without a password, we will see the same message written to the MSTR job log, but with different inserts. This version of the message shows the channel name and the IP address it came from.
CSQH045E !CSQ1 CSQHNSIG SYST
So, remember to check the MSTR job log when you start making use of Connection Authentication on z/OS, as it should provide you with all the information you need to work out why the application was given a 2035
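Triage logic for the MSTR job log messages described above, as an added example that is not part of the original post: the sample lines are constructed from the messages quoted here (the CSQH046E inserts and the client-side CSQH045E inserts are not reproduced, so those are classified by message id only), and triage_mstr_log is a hypothetical helper name.

```python
import re

# Constructed sample of MSTR job log lines, modelled on the messages quoted in
# the post; the RACF GROUP/NAME inserts and the job name are placeholders.
SAMPLE_LOG = """\
CSQH040I !CSQ1 Connection authentication ...
ICH408I USER(HUGHSON ) GROUP(TSOUSER ) NAME(HUGHSON, M A (MORAG))
  LOGON/JOB INITIATION - INVALID PASSWORD
IRR013I VERIFICATION FAILED. INVALID PASSWORD GIVEN.
ICH408I USER(RUBBISH ) GROUP( ) NAME(??? )
  LOGON/JOB INITIATION - USER AT TERMINAL NOT RACF-DEFINED
IRR012I VERIFICATION FAILED. USER PROFILE NOT FOUND.
CSQH045E !CSQ1 CSQHNSIG HUGHSON/PUTMSG did not provide a password
"""

# Reason text on the ICH408I continuation line, and the MQ message ids the
# post describes, each mapped to a cause a reader of the job log would want.
RACF_CAUSES = {"INVALID PASSWORD": "invalid password",
               "NOT RACF-DEFINED": "user ID not defined to RACF"}
MQ_CAUSES = {"CSQH045E": "no password supplied", "CSQH046E": "password expired"}
_ICH408I = re.compile(r"^ICH408I\s+USER\(([^)]*)\)")
# Local-bindings inserts are user ID/job name; the client variant (channel name
# and IP address) is not reproduced in the post, so it is reported without inserts.
_CSQH_USER_JOB = re.compile(r"^CSQH04[56]E\s+\S+\s+CSQHNSIG\s+(\S+?)/(\S+)")


def triage_mstr_log(text):
    """Return one record per connection-authentication failure found in text."""
    findings = []
    pending = None  # latest ICH408I record, still collecting its continuation lines
    for line in text.splitlines():
        m = _ICH408I.match(line)
        if m:
            pending = {"msgid": "ICH408I", "cause": "other RACF failure",
                       "user": m.group(1).strip(), "job": None}
            findings.append(pending)
        elif line.startswith(("IRR01", "CSQ")):
            pending = None  # the companion IRRnnnI line or an MQ message ends the block
        if pending is not None:
            for reason, cause in RACF_CAUSES.items():
                if reason in line:
                    pending["cause"] = cause
            continue
        if line.startswith(("CSQH045E", "CSQH046E")):
            m = _CSQH_USER_JOB.match(line)
            user, job = m.groups() if m else (None, None)
            findings.append({"msgid": line[:8], "cause": MQ_CAUSES[line[:8]],
                             "user": user, "job": job})
    return findings
```

Running triage_mstr_log(SAMPLE_LOG) yields three records: an invalid password for HUGHSON, an undefined user ID RUBBISH, and job PUTMSG under HUGHSON that sent no password.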