Identifying and authenticating users using the MQCSP structure
You can specify the MQCSP connection security parameters structure on an MQCONNX call.
The MQCSP connection security parameters structure contains a user ID and password, which the authorization service can use to identify and authenticate the user.
You can alter the MQCSP in a security exit.
Relationship between MQCSP and AdoptCTX settings
IBM MQ always authenticates credentials passed through the MQCSP structure if the connection authentication feature is enabled. Once the credentials have been authenticated successfully, IBM MQ attempts to adopt the user ID for subsequent authorization checks if ADOPTCTX is enabled.
- When using LDAP connection authentication, IBM MQ retrieves the value of the attribute named in SHORTUSR from that user's LDAP record, and adopts that value as the user ID. For example, if SHORTUSR is set to 'CN' and an LDAP record lists a user as 'CN=Test,SN=MQ,O=IBM,C=UK', the user ID Test is used.
- When using OS connection authentication or PAM authentication, if ADOPTCTX is YES, the user ID passed through the MQCSP structure is truncated to meet the 12 character user ID limit of IBM MQ when it is adopted as the connection context.
If ChlAuthEarlyAdopt is enabled, the truncation happens after the user credentials have been authenticated. If ChlAuthEarlyAdopt is not enabled, the truncation happens before adoption. On Windows, if the user is supplied in the format user@domain, the truncation can therefore produce a domain specification that is not valid when the user name part is shorter than 12 characters, because the cut then falls inside the domain name. For example, if the user `ibmmq@windowsdomain` is provided through the MQCSP, it is truncated to `ibmmq@window` in this scenario. This results in the following error:

AMQ8074W: Authorization failed as the SID 'SID' does not match the entity 'ibmmq@window'

On this basis, if you pass a user ID longer than 12 characters, such as a Windows domain user ID in the form user@domain, through the MQCSP, you should configure ChlAuthEarlyAdopt=Y in the qm.ini file to avoid this error. Alternatively, use ADOPTCTX(NO) on the CONNAUTH AUTHINFO configuration, and use an alternative approach such as a CHLAUTH USERMAP rule, a security exit, or the channel object MCAUSER setting to set the user ID for the channel.
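The following MQSC commands are an added example (not from the IBM MQ documentation) of the ADOPTCTX(NO) plus CHLAUTH USERMAP alternative described above, run through runmqsc against the queue manager. The channel name APP.SVRCONN, the mapped MCAUSER mqapp, and the use of the default AUTHINFO object SYSTEM.DEFAULT.AUTHINFO.IDPWOS as the CONNAUTH object are assumptions; check DISPLAY QMGR CONNAUTH for the object actually in use.

```mqsc
* Confirm which AUTHINFO object CONNAUTH points at and its current settings.
DISPLAY QMGR CONNAUTH
DISPLAY AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE ADOPTCTX CHCKCLNT
* Keep authenticating the MQCSP password, but stop adopting the (truncatable)
* MQCSP user ID as the connection context.
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) ADOPTCTX(NO)
* Map the long Windows domain user asserted by the client to a short,
* 12-character-safe MQ user ID that authorization records are defined for.
* 'ibmmq@windowsdomain' is the page's example user; 'mqapp' is assumed.
SET CHLAUTH('APP.SVRCONN') TYPE(USERMAP) CLNTUSER('ibmmq@windowsdomain') +
    USERSRC(MAP) MCAUSER('mqapp') ACTION(ADD)
* Activate the changed CONNAUTH configuration and verify the mapping rule.
REFRESH SECURITY TYPE(CONNAUTH)
DISPLAY CHLAUTH('APP.SVRCONN') TYPE(USERMAP) ALL
```

Because the MQCSP password is still checked (CHCKCLNT is unchanged), the client must still present valid credentials; only the identity used for authorization changes, and a failed or missing USERMAP match leaves the channel's own MCAUSER in effect.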