Connection authentication: Application changes

An application can provide a user ID and password within the connection security parameters (MQCSP) structure when MQCONNX is called. The user ID and password are passed for checking to the object authority manager (OAM) supplied with the queue manager, or the authorization service component supplied with the queue manager on z/OS® systems. You do not have to write your own custom interface.

If the application is running as a client, the user ID and password are also passed to the client-side and server-side security exits for processing. They can also be used for setting the message channel agent user identifier (MCAUSER) attribute of a channel instance. The security exit is called with exit reason MQXR_SEC_PARMS for this processing. Client-side security exits and the pre-connect exit, can make changes to MQCONN before it is sent to the queue manager.

Warning: In some cases, the password in an MQCSP structure for a client application will be sent across a network in plain text. To ensure that client application passwords are protected appropriately, see MQCSP password protection.

By using the XAOPEN string to provide a user ID and password, you can avoid having to make changes to the application code.


From IBM WebSphere® MQ 6.0, the security exit has allowed the MQCSP to be set. Therefore, clients at this level or later do not have to be upgraded.

However, in versions of IBM MQ prior to IBM MQ 8.0, MQCSP placed no restrictions on the user ID and password that were provided by the application. When using these values with features provided by IBM MQ there are limits which apply to the use of these features, but if you are only passing them to your own exits, those limits do not apply.