Connection authentication with the Java client
Connection authentication is a feature in IBM® MQ that allows the queue manager to be configured to authenticate applications, using a provided user ID and password. When the application is a Java application that is using client bindings, connection authentication can be run in compatibility mode or MQCSP authentication mode.
Before IBM MQ 8.0, the Java client could send a user ID and password across the client-connection channel to the server-connection channel, and have them provided to a security exit in the RemoteUserIdentifier and RemotePassword fields of the MQCD structure. In compatibility mode, this behavior is retained.
You might use this mode in combination with connection authentication, and migrate away from any security exits that were previously used to do the same job.
You must use ADOPTCTX(YES) or have another method, for example a CHLAUTH rule based on a TLS certificate, to set the running MCAUSER when you are using compatibility mode, as in this mode, the client-side user ID is not sent to the queue manager.
- In IBM MQ classes for Java, set the property MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY to false in the properties hashtable that is passed to the com.ibm.mq.MQQueueManager constructor.
- In IBM MQ classes for JMS, set the property JmsConstants.USER_AUTHENTICATION_MQCSP to false, on the appropriate connection factory before creating the connection.
- Globally, specify the Java system property
-Dcom.ibm.mq.cfg.jmqi.useMQCSPauthentication=false on the command line when
starting your application, as shown in the following example:
java -Dcom.ibm.mq.cfg.jmqi.useMQCSPauthentication=false application_name
MQCSP authentication mode
In this mode, the client-side user ID is sent as well as the user ID and password to be authenticated, so you are able to use ADOPTCTX(NO). The user ID and password are available to a server-connection security exit in the MQCSP structure that is provided in the MQCXP structure.
- In IBM MQ classes for Java, set the property MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY to true in the properties hashtable that is passed to the com.ibm.mq.MQQueueManager constructor.
- In IBM MQ classes for JMS, set the property JmsConstants.USER_AUTHENTICATION_MQCSP to true, on the appropriate connection factory before creating the connection.
- Globally, set the system property com.ibm.mq.cfg.jmqi.useMQCSPauthentication
to a value indicating true, for example, by adding
-Dcom.ibm.mq.cfg.jmqi.useMQCSPauthentication=Yto the command line.
Choosing authentication mode in IBM MQ Explorer
The IBM MQ Explorer is a Java application, so these two modes, compatibility mode and MQCSP authentication mode, are applicable to it as well.
From IBM MQ 9.0.4, MQCSP authentication mode is the default. Before IBM MQ 9.0.4, compatibility mode is the default.
- From IBM MQ 9.0.4, by default, this check box is not selected. To use compatibility mode, select this check box.
- Before IBM MQ 9.0.4, by default, this check box is enabled. To use MQCSP authentication, clear the check box.