Setting up IBM MQ MQI client security
You must consider IBM® MQ MQI client security, so that the client applications do not have unrestricted access to resources on the server.
When running a client application, do not run the application using a user ID that has more access rights than necessary; for example, a user in the mqm group or even the mqm user itself. By running an application as a user with too many access rights, you run the risk of the application accessing and changing parts of the queue manager, either by accident or maliciously.
- Authentication can be used to ensure that the client application, running as a specific user, is who it says it is. By using authentication you can prevent an attacker from gaining access to your queue manager by impersonating one of your applications. From IBM MQ 8.0, authentication is provided by one of two options:
  - The connection authentication feature. For more information on connection authentication, see Connection authentication.
  - Mutual authentication within SSL or TLS. For more information on SSL or TLS, see Working with SSL or TLS.
- Access control can be used to give or remove access rights for a specific user or group of users. By running a client application with a specifically created user (or a user in a specific group) you can then use access controls to ensure the application cannot access parts of your queue manager that it is not supposed to.
  When setting up access control you must consider channel authentication rules and the MCAUSER field on a channel. Both of these features can change which user ID is used when access control rights are verified.
  For more information on access control, see Authorizing access to objects.
If you have set up a client application to connect to a specific channel with a restricted ID, but the channel has an administrator ID set in its MCAUSER field then, provided the client application connects successfully, the administrator ID is used for access control checks. Therefore, the client application will have full access rights to your queue manager.
For more information on the MCAUSER attribute, see Mapping a client asserted user ID to an MCAUSER user ID.
Channel authentication rules can also be used as a method for controlling access to a queue manager, by setting up specific rules and criteria for a connection to be accepted.
For more information on channel authentication rules, see Channel authentication records.
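To show how MCAUSER, channel authentication rules and connection authentication fit together, here is an added MQSC example (written for this page, not taken from the IBM documentation): a server-connection channel whose MCAUSER hands every client administrator rights, followed by a hardened definition of the same channel. The queue manager QM1, channel APP1.SVRCONN, OS user app1user, group app1grp, queue APP1.REQUEST and the client subnet are assumed names and values.

```mqsc
* Weak definition: MCAUSER('mqm') means every client that connects on this
* channel is authorized as the mqm administrator, whatever ID it asserted.
DEFINE CHANNEL('APP1.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('mqm')

* Hardened definition (assumed names: QM1, APP1.SVRCONN, app1user, app1grp).
* 1. Always run access-control checks as a restricted user.
ALTER CHANNEL('APP1.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('app1user')

* 2. Channel authentication rules. CHLAUTH must be enabled on the queue
*    manager for any of the SET CHLAUTH rules to take effect.
ALTER QMGR CHLAUTH(ENABLED)
* Safety net: refuse the connection if the final user ID (after MCAUSER and
* any mapping) is a member of the MQ administrators group, so a later change
* of MCAUSER back to mqm cannot silently grant full access.
SET CHLAUTH('APP1.SVRCONN') TYPE(BLOCKUSER) USERLIST('*MQADMIN') +
    DESCR('No administrator IDs on the application channel') ACTION(ADD)
* Accept only the assumed application subnet, using the channel MCAUSER ...
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.20.30.*') +
    USERSRC(CHANNEL) DESCR('Application hosts') ACTION(ADD)
* ... and deny every other address (more specific address rules win).
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Deny all other hosts') ACTION(ADD)

* 3. Connection authentication: clients must supply a user ID and password
*    that the queue manager validates against the operating system.
DEFINE AUTHINFO('APP.CONNAUTH') AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) +
    DESCR('Mandatory client password check')
ALTER QMGR CONNAUTH('APP.CONNAUTH')
REFRESH SECURITY TYPE(CONNAUTH)

* 4. Grant app1user only what the application needs. These are OS commands,
*    run from the shell rather than inside runmqsc; on UNIX authorizations are
*    held per group, so grant to the dedicated group app1grp with -g:
*      setmqaut -m QM1 -t qmgr -g app1grp +connect +inq
*      setmqaut -m QM1 -n APP1.REQUEST -t queue -g app1grp +put +get +inq

* 5. Verify the result: MCAUSER, the rules, and the queue manager settings.
DISPLAY CHANNEL('APP1.SVRCONN') MCAUSER
DISPLAY CHLAUTH('APP1.SVRCONN') ALL
DISPLAY QMGR CHLAUTH CONNAUTH
```

A client that connects from outside the listed subnet, presents no password, or ends up mapped to an administrator ID is rejected before any access-control check runs; one that passes all three is authorized as app1user only.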