Bitesize Blogging: MQ V8 - mqccred exit
Graham_Richards 270004KNPE Visits (1968)
Another in the series of bitesize blog posts about features in MQ V8. Check out the whole series here.
If you want to make use of the new User ID and Password Authentication feature in MQ V8 and not all of your client applications send a user ID or password there is a new security exit shipped with MQ V8 called mqccred that you can use. mqccred provides a user ID and password to a client application that is then sent to MQ and, if configured, authenticated.
Everything you need can be found in <<installation dire
Setting up the user IDs and passwords
The mqccred.ini file contains your user ID and password information. By default it is expected that this file is located in $HOM
You can provide a user ID and password for all queue managers or for each individual queue manger. This is an example of an mqccred.ini file:
AllQueueManagers: User=user1 Password=passw0rd QueueManager: Name=QMA User=user2 Password=passw0rd2
The individual queue manager definitions take precedence over the global setting. For a queue manager you can also override a user ID and password that is explicitly supplied by an application by using the Force=TRUE attribute. The default for all queue managers is FALSE.
QueueManager: Name=QMB User=user3 Password=passw0rd3 Force=TRUE
Protecting the mqccred.ini file
Since this file contains password information it should be protected. First you should restrict user access by removing all unnecessary permissions. Next, you can use the runmqccred program to obfuscate the passwords. This will remove the plaintext password attributes and replace them with the OPW attribute.
QueueManager: Name=QMA User=user2 OPW=
If the file permissions are not secure enough runmqccred will produce this message:
Configuration file 'C:\
You can bypass this issue with the -p flag but the exit will fail to run when put into production if you have not resolved this issue. When runmqccred runs successfully it will inform you how many passwords have been obfuscated.
If you add new passwords or update old ones the tool will only process any plain text passwords leaving your obfuscated ones untouched.
Putting it into practice
Once you have this file all set up you can invoke the channel exit by updating your CLNTCONN channel definition to have the SCYE
This can also be used on all client applications from before MQ V8.