Another in the series of bite size blog posts about features in MQ V8. Check out the whole series here.
MQ V8 includes new functionality that lets users authenticate with queue managers using OS or LDAP credentials. Calls to the OAM are inherently secure, because MQ runs on the same OS it is authenticating against, but calls to the configured LDAP server may not be. If a customer wants to ensure that all traffic to and from the LDAP server is protected by encryption, they can use the SECCOMM field on the IDPWLDAP AUTHINFO object. This bite size blog looks at how to use the SECCOMM field and how to set up a queue manager to use it correctly.
Note: In this blog we assume that you understand how to set up a queue manager to use LDAP authentication; if you do not, read this Bite Size blog on how to set up a queue manager for LDAP authentication.
The SECCOMM field has the following values:
- NO - You do not want to use secure communications with the LDAP server.
- ANON - MQ connects to the LDAP server over a secured connection but anonymously, i.e. without presenting its own certificate.
- YES - MQ connects to the LDAP server over a secured connection using mutual authentication.
To adjust the SECCOMM value, use the following command:
> ALTER AUTHINFO(<AUTHINFO name>) AUTHTYPE(IDPWLDAP) SECCOMM(YES)
In order to use SECCOMM you must supply your queue manager with certain SSL/TLS certificates; which certificates you need depends on what SECCOMM is set to. For the default "NO" you do not need to supply your queue manager with any SSL/TLS certificates.
For SECCOMM(ANON) you need to supply your queue manager with the public SSL/TLS certificate that the LDAP server is using, or the CA certificate that signed it. In addition, if the port the LDAP server uses for secure connections is different from the default, you need to supply it in the AUTHINFO CONNAME field.
For SECCOMM(YES) you need to supply your queue manager with the same as for SECCOMM(ANON), but in addition you must also set up SSL/TLS on your queue manager and give the queue manager's public SSL/TLS certificate, or the CA certificate that signed it, to the LDAP server.
For more information on LDAP Authentication and SECCOMM see here. Content starts on slide 53.
Example of how to set up a Queue Manager to use SECCOMM
In this example we will look at how to set up a queue manager to use SECCOMM with LDAP authentication. We assume that MQ has been successfully installed on the machine and that the LDAP server has been configured to accept secure connections on the default port. Finally, we assume that all commands are run as a user who is an administrator and a member of the mqm group.
1) Before we start setting up the AUTHINFO we first need to get the SSL/TLS certificates ready. I create an SSL/TLS key ring and a certificate that my queue manager can use. I add this certificate, together with the public key of the LDAP server or the CA certificate that signed it, to the key ring I created, and I add the public key of the certificate I created, or the CA certificate that signed it, to the LDAP key ring.
2) With the key ring and LDAP set up with the necessary certificates, I now tell my queue manager to use the key ring by executing the following MQSC command:
> ALTER QMGR SSLKEYR('C:\path\to\keyring\key')
3) I now refresh the SSL security by executing the following MQSC command:
> REFRESH SECURITY TYPE(SSL)
4) Now I need to define my AUTHINFO object, which includes the SECCOMM definition. To do this I execute the following MQSC command:
> DEFINE AUTHINFO('USE.SECURE.LDAP') AUTHTYPE(IDPWLDAP) CONNAME('ldapserver.co.uk') CHCKCLNT(OPTIONAL) CHCKLOCL(OPTIONAL) CLASSUSR('account') BASEDNU('ou=MQ,o=IBM,co=UK') SHORTUSR('uid') USRFIELD('uid') SECCOMM(YES)
5) Next I tell MQ to use my newly created AUTHINFO object by executing the following MQSC command:
> ALTER QMGR CONNAUTH('USE.SECURE.LDAP')
6) Next I refresh my Queue Manager security in order to bring the new AUTHINFO object into effect.
> REFRESH SECURITY TYPE(CONNAUTH)
7) Now I check that my queue manager has been able to connect to the LDAP server by executing the following in MQSC and verifying the output:
> DIS QMSTATUS ALL
QMNAME(EXAMPLE) STATUS(RUNNING) CONNS(23) CMDSERV(RUNNING) CHINIT(RUNNING)
INSTNAME(Installation1) INSTPATH(C:\MQ) INSTDESC( ) LDAPCONN(CONNECTED)
STANDBY(NOPERMIT) STARTDA(2014-06-16) STARTTI(09.22.12)
8) I then test that I can connect to the queue manager using a sample program when I provide valid credentials, and that I am blocked when I provide invalid credentials:
> amqscnxc -u Robert QMGR
Password: *******
Connection established to queue manager QMGR
> amqscnxc -u Robert QMGR
Password: *
MQCONNX failed with reason code 2035
As the sample program completed successfully with valid credentials and was rejected with invalid ones, I can verify that my queue manager has been set up to use LDAP authentication with secure communications between MQ and my LDAP server.
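As an added example (not code from the original post or from IBM MQ), here is a Python script that parses the NAME(value) tokens runmqsc prints and checks the SECCOMM prerequisites listed earlier against DIS AUTHINFO, DIS QMGR and DIS QMSTATUS output, including the LDAPCONN(CONNECTED) check from step 7. The DIS QMSTATUS text is the one shown in step 7; the DIS AUTHINFO and DIS QMGR renderings, the parse_mqsc_attrs/check_seccomm/audit function names, and the quoted 'host(port)' CONNAME form the parser allows for are assumptions.

```python
"""Audit an MQ V8 queue manager's SECCOMM set-up from runmqsc DISPLAY output.

Added example, not IBM MQ code. It parses the NAME(value) tokens that
runmqsc prints, applies the prerequisites the post lists for each SECCOMM
value, and confirms LDAPCONN(CONNECTED) in the DIS QMSTATUS output.
"""
import re

# One MQSC attribute token, NAME(value). The value is either single-quoted
# (a quote inside is doubled, and the value may itself contain parentheses,
# e.g. a CONNAME written as 'host(port)' - assumed form) or unquoted with
# no parentheses. INSTDESC( ) therefore parses as an empty value.
_ATTR_RE = re.compile(r"\b([A-Z][A-Z0-9]*)\((?:'((?:[^']|'')*)'|([^()]*))\)")

VALID_SECCOMM = ("NO", "ANON", "YES")


def parse_mqsc_attrs(text):
    """Return {NAME: value} for every NAME(value) token in runmqsc output."""
    attrs = {}
    for m in _ATTR_RE.finditer(text):
        name, quoted, plain = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            attrs[name] = quoted.replace("''", "'")
        else:
            attrs[name] = plain.strip()
    return attrs


def check_seccomm(authinfo, qmgr, qmstatus):
    """Return a list of findings; empty means the set-up matches the post's
    prerequisites. The arguments are parse_mqsc_attrs() dicts built from
    DIS AUTHINFO, DIS QMGR and DIS QMSTATUS output respectively."""
    findings = []
    if authinfo.get("AUTHTYPE") != "IDPWLDAP":
        return ["SECCOMM only applies to AUTHTYPE(IDPWLDAP) objects"]
    seccomm = authinfo.get("SECCOMM", "NO")
    if seccomm not in VALID_SECCOMM:
        return ["unknown SECCOMM value %r" % seccomm]
    if seccomm == "NO":
        findings.append("SECCOMM(NO): LDAP binds, and so user passwords, "
                        "travel to the LDAP server in the clear")
    # YES means mutual authentication, so the queue manager needs its own
    # certificate in a key repository (step 2 of the post sets SSLKEYR).
    if seccomm == "YES" and not qmgr.get("SSLKEYR"):
        findings.append("SECCOMM(YES) requires mutual authentication, but the "
                        "queue manager has no SSLKEYR key repository")
    # Step 5: the queue manager must actually point at this AUTHINFO object.
    if qmgr.get("CONNAUTH") != authinfo.get("AUTHINFO"):
        findings.append("queue manager CONNAUTH(%s) does not name this AUTHINFO"
                        % qmgr.get("CONNAUTH", ""))
    # Step 7: DIS QMSTATUS must report a live connection to the LDAP server.
    if qmstatus.get("LDAPCONN") != "CONNECTED":
        findings.append("LDAPCONN(%s): queue manager has not connected to the "
                        "LDAP server" % qmstatus.get("LDAPCONN", ""))
    return findings


# Constructed sample output. DIS_QMSTATUS is the output shown in the post;
# DIS_AUTHINFO and DIS_QMGR are assumed renderings of the objects the post
# defines (real runmqsc output also carries an AMQnnnnI message line).
DIS_QMSTATUS = "\n".join((
    r"QMNAME(EXAMPLE) STATUS(RUNNING) CONNS(23) CMDSERV(RUNNING) CHINIT(RUNNING)",
    r"INSTNAME(Installation1) INSTPATH(C:\MQ) INSTDESC( ) LDAPCONN(CONNECTED)",
    r"STANDBY(NOPERMIT) STARTDA(2014-06-16) STARTTI(09.22.12)",
))
DIS_AUTHINFO = "\n".join((
    r"AUTHINFO(USE.SECURE.LDAP) AUTHTYPE(IDPWLDAP) CONNAME(ldapserver.co.uk)",
    r"CHCKCLNT(OPTIONAL) CHCKLOCL(OPTIONAL) CLASSUSR(account)",
    r"BASEDNU(ou=MQ,o=IBM,co=UK) SHORTUSR(uid) USRFIELD(uid) SECCOMM(YES)",
))
DIS_QMGR = r"QMNAME(EXAMPLE) CONNAUTH(USE.SECURE.LDAP) SSLKEYR(C:\path\to\keyring\key)"


def audit(authinfo_text, qmgr_text, qmstatus_text):
    """Parse the three DISPLAY outputs and return the findings."""
    return check_seccomm(parse_mqsc_attrs(authinfo_text),
                         parse_mqsc_attrs(qmgr_text),
                         parse_mqsc_attrs(qmstatus_text))


if __name__ == "__main__":
    weakened = DIS_AUTHINFO.replace("SECCOMM(YES)", "SECCOMM(NO)")
    for label, text in (("as configured in the post", DIS_AUTHINFO),
                        ("with SECCOMM(NO)", weakened)):
        print(label, "->", audit(text, DIS_QMGR, DIS_QMSTATUS) or ["no findings"])
```

Run it after step 8 with the real output of DIS AUTHINFO(USE.SECURE.LDAP), DIS QMGR and DIS QMSTATUS ALL pasted into the three strings; an empty findings list means the set-up matches the prerequisites above. The reason code 2035 seen in step 8 is MQRC_NOT_AUTHORIZED, the expected rejection of bad credentials.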