Connection authentication: Application changes

An application that uses the message queue interface (MQI) can provide a user ID and password in the connection security parameters (MQCSP) structure when MQCONNX is called. In other application programming interfaces, the MQCSP structure is typically constructed on behalf of the application by the IBM® MQ libraries.

[MQ 9.3.4 Oct 2023] From IBM MQ 9.3.4, client applications that connect to a queue manager that runs on AIX® or Linux® systems can also send an authentication token in the MQCSP structure as an alternative means of identification.

The user ID and password, or authentication token, are passed for checking to the object authority manager (OAM) supplied with the queue manager, or the authorization service component supplied with the queue manager on z/OS® systems. You do not have to write your own custom interface.

If the application is running as a client, the user ID and password, or authentication token, are also passed to the client-side and server-side security exits for processing. They can also be used to set the message channel agent user identifier (MCAUSER) attribute of a channel instance.

Warning: The credentials in an MQCSP structure for a client application are sometimes sent across the network in plain text. To ensure that client application credentials are protected, see MQCSP password protection.
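For an API where the IBM MQ libraries construct the MQCSP on the application's behalf, the following added example (not code from this page or from IBM) shows a Java client using IBM MQ classes for JMS that sends a user ID and password in MQCSP mode over a TLS-protected channel. The host, port, channel, queue manager name, environment variable names and cipher suite value are assumptions, as is the use of the `javax.jms` flavour of the client.

```java
import com.ibm.msg.client.jms.JmsConnectionFactory;
import com.ibm.msg.client.jms.JmsFactoryFactory;
import com.ibm.msg.client.wmq.WMQConstants;
import javax.jms.JMSContext;
import javax.jms.JMSException;
import javax.jms.JMSSecurityRuntimeException;

public class MqcspConnect {

    // Builds a client-mode connection factory. All endpoint values are
    // hypothetical placeholders for this example.
    static JmsConnectionFactory factory(String user, String password) throws JMSException {
        JmsFactoryFactory ff = JmsFactoryFactory.getInstance(WMQConstants.WMQ_PROVIDER);
        JmsConnectionFactory cf = ff.createConnectionFactory();
        cf.setStringProperty(WMQConstants.WMQ_HOST_NAME, "mq.example.internal");
        cf.setIntProperty(WMQConstants.WMQ_PORT, 1414);
        cf.setStringProperty(WMQConstants.WMQ_CHANNEL, "APP.SVRCONN");
        cf.setStringProperty(WMQConstants.WMQ_QUEUE_MANAGER, "QM1");
        cf.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT);

        // Have the client library place the credentials in an MQCSP structure
        // rather than relying on the library's compatibility behaviour.
        cf.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true);
        cf.setStringProperty(WMQConstants.USERID, user);
        cf.setStringProperty(WMQConstants.PASSWORD, password);

        // Assumption: the SVRCONN channel is configured for TLS, so the MQCSP
        // contents are encrypted in transit along with the rest of the flow.
        cf.setStringProperty(WMQConstants.WMQ_SSL_CIPHER_SUITE, "*TLS12ORHIGHER");
        return cf;
    }

    public static void main(String[] args) throws JMSException {
        // Credentials come from the environment, not from source code.
        String user = System.getenv("MQ_APP_USER");
        String password = System.getenv("MQ_APP_PASSWORD");
        if (user == null || password == null) {
            System.err.println("MQ_APP_USER and MQ_APP_PASSWORD must be set");
            System.exit(2);
        }
        try (JMSContext ctx = factory(user, password).createContext()) {
            System.out.println("Connection accepted for " + user);
        } catch (JMSSecurityRuntimeException e) {
            // The queue manager rejected the credentials or the authority check.
            System.err.println("Connection refused: " + e.getMessage());
            System.exit(1);
        }
    }
}
```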

By using the XAOPEN string to provide a user ID and password, you can avoid having to change the application code.

Note:

From IBM WebSphere® MQ 6.0, the security exit allows the MQCSP to be set. Therefore, clients at this level or later do not have to be upgraded.

However, in versions of IBM MQ before IBM MQ 8.0, MQCSP placed no restrictions on the user ID and password that were provided by the application. When these values are used with features provided by IBM MQ, limits apply to the use of those features. If you pass the values only to your own exits, those limits do not apply.