One of the main security highlights of MQ V8 is a feature called Connection Authentication which allows applications to provide a user ID and password and have the queue manager validate it is correct before allowing the application to successfully connect. You can read more about this feature in a number of resources:-
This post is going to look at using Connection Authentication on the z/OS platform. On z/OS we can have our password validated by the External Security Manager (ESM) in use on the system. In my examples this is RACF, and so my example error messages will be RACF error messages. Similar messages will be seen with other ESMs.
We'll start with the default object, SYSTEM.DEFAULT.AUTHINFO.IDPWOS, and ensure the queue manager is referring to it. This object comes with both CHCKCLNT and CHCKLOCL set to OPTIONAL. This means if we provide a password, it must be the correct one, but we're not mandated to do so.
ALTER QMGR CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
REFRESH SECURITY TYPE(CONNAUTH)
As a result of issuing the REFRESH command, you will see these messages on the MSTR job log indicating the values that the queue manager is now operating with. You can ask to see this anytime by issuing the DISPLAY SECURITY command.
CSQH040I !CSQ1 Connection authentication ...
CSQH041I !CSQ1 Client checks: OPTIONAL
CSQH042I !CSQ1 Local bindings checks: OPTIONAL
CSQ9022I !CSQ1 CSQHSREF ' REFRESH SECURITY' NORMAL COMPLETION
If we now connect an application with an incorrect password, the following message is written by RACF into the MSTR job log.
ICH408I USER(HUGHSON ) GROUP(TSOUSER ) NAME(HUGHSON, M A (MORAG))
  LOGON/JOB INITIATION - INVALID PASSWORD
IRR013I VERIFICATION FAILED. INVALID PASSWORD GIVEN.
If we connect an application with an unknown user ID, the following message is written by RACF into the MSTR job log.
ICH408I USER(RUBBISH ) GROUP( ) NAME(??? )
  LOGON/JOB INITIATION - USER AT TERMINAL NOT RACF-DEFINED
IRR012I VERIFICATION FAILED. USER PROFILE NOT FOUND.
If we connect an application with a user ID and password that is correct, but has expired, we'll see the following MQ message written in the MSTR job log (see later for an explanation of the inserts - they are the same as the next message we describe).
CSQH046E !CSQ1 CSQHNSIG SYSTEM.DEF.SVRCONN/22.214.171.124 supplied a password for userid HUGHSON that has expired
Now we're going to change our settings to mandate passwords to be sent for our local applications:-
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) +
      CHCKLOCL(REQUIRED) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)
If we now connect a locally bound application without a password, we will see the following message written to the MSTR job log. This message shows the user ID that ran the application, in this case HUGHSON, and the name of the job, in this case my batch job PUTMSG.
CSQH045E !CSQ1 CSQHNSIG HUGHSON/PUTMSG did not provide a password
Now we're going to switch our settings to mandate passwords to be sent for our client applications:-
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) +
      CHCKLOCL(OPTIONAL) CHCKCLNT(REQUIRED)
REFRESH SECURITY TYPE(CONNAUTH)
If we now connect a client application without a password, we will see the same message written to the MSTR job log, but with different inserts. This version of the message shows the channel name and the IP address the connection came from.
CSQH045E !CSQ1 CSQHNSIG SYSTEM.DEF.SVRCONN/126.96.36.199 did not provide a password
So, remember to check the MSTR job log when you start making use of Connection Authentication on z/OS, as it should provide you with all the information you need to work out why the application was given a 2035 (MQRC_NOT_AUTHORIZED) return code.
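As an added example (not code from the original post), the following Python parser pulls the CONNAUTH failure messages described above out of an MSTR job log extract and tells apart the two forms of the CSQH045E/CSQH046E insert: CHANNEL/IPADDR for client connections and USERID/JOBNAME for locally bound applications. The sample log lines, the IP address 192.0.2.10 and the job name are constructed for the example; the RACF ICH408I handling assumes the two-line layout shown above.

```python
import re
from dataclasses import dataclass

# Constructed sample MSTR job log lines modelled on the message formats shown
# above (the IP address and job name are made-up values, not from the post).
SAMPLE_LOG = """\
CSQH045E !CSQ1 CSQHNSIG HUGHSON/PUTMSG did not provide a password
CSQH045E !CSQ1 CSQHNSIG SYSTEM.DEF.SVRCONN/192.0.2.10 did not provide a password
CSQH046E !CSQ1 CSQHNSIG SYSTEM.DEF.SVRCONN/192.0.2.10 supplied a password for userid HUGHSON that has expired
ICH408I USER(HUGHSON ) GROUP(TSOUSER ) NAME(HUGHSON, M A (MORAG))
  LOGON/JOB INITIATION - INVALID PASSWORD
ICH408I USER(RUBBISH ) GROUP( ) NAME(??? )
  LOGON/JOB INITIATION - USER AT TERMINAL NOT RACF-DEFINED
CSQH041I !CSQ1 Client checks: OPTIONAL
"""

@dataclass
class ConnAuthEvent:
    msg_id: str    # CSQH045E, CSQH046E or ICH408I
    binding: str   # "client" (channel/IP insert), "local" (userid/job insert), "unknown" for RACF lines
    origin: str    # channel name (client) or job name (local)
    peer: str      # IP address for clients, user ID for local bindings and RACF messages
    reason: str    # remainder of the message text

# CSQH045E/CSQH046E carry one A/B insert; channel names may themselves contain
# '/', so the split is taken at the last slash (IP addresses and job names never contain one).
CSQH_RE = re.compile(r"^(CSQH04[56]E) \S+ CSQHNSIG (\S+)/([^\s/]+) (.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")   # assumption: IPv4 peers, as in the post
ICH_RE = re.compile(r"^ICH408I USER\((\S*)\s*\) GROUP\((\S*)\s*\)")

def parse_connauth_log(text: str) -> list[ConnAuthEvent]:
    """Return one event per CONNAUTH-related failure found in an MSTR job log extract."""
    events: list[ConnAuthEvent] = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = CSQH_RE.match(line)
        if m:
            msg_id, left, right, rest = m.groups()
            if IPV4_RE.match(right) or ":" in right:   # channel/IP -> client connection
                events.append(ConnAuthEvent(msg_id, "client", left, right, rest))
            else:                                      # userid/jobname -> local binding
                events.append(ConnAuthEvent(msg_id, "local", right, left, rest))
            continue
        m = ICH_RE.match(line)
        if m:
            # RACF puts the failure reason on the continuation line after ICH408I
            reason = lines[i + 1].strip() if i + 1 < len(lines) else ""
            events.append(ConnAuthEvent("ICH408I", "unknown", "", m.group(1), reason))
    return events
```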