Identifying and authenticating users

You can identify and authenticate users by using X.509 certificates, the MQCSP structure, or several types of user exit program.

Using X.509 certificates

You can identify and authenticate users by using X.509 certificates with the SET CHLAUTH command and SSLPEER parameter. The SSLPEER parameter specifies a filter that is compared with the Subject Distinguished Name of the certificate from the peer queue manager or client at the other end of the channel.

For more information about using the SET CHLAUTH command and SSLPEER parameter, see SET CHLAUTH.
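An SSLPEER rule as described above, shown as an added MQSC example that is not part of the original page. The channel name, Distinguished Name, address, and user IDs are assumed placeholders, and the channel is assumed to already have a CipherSpec configured.

```mqsc
* Added example: APP.SVRCONN, the DN, and the user IDs are placeholders.
* Channel authentication records must be enabled on the queue manager.
ALTER QMGR CHLAUTH(ENABLED)

* Require the client to present a certificate on this channel.
ALTER CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) SSLCAUTH(REQUIRED)

* Backstop: block any connection that no more specific rule matches.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Default deny') ACTION(REPLACE)

* Map the one expected certificate subject to a fixed MCAUSER.
* The SSLPEER filter is compared with the Subject DN of the
* certificate presented by the client.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=orders-app,OU=Payments,O=Example Corp') +
    USERSRC(MAP) MCAUSER('ordersvc') +
    DESCR('orders-app client certificate') ACTION(REPLACE)

* Check which rule a given inbound connection would match.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') CLNTUSER('anyuser') +
    SSLPEER('CN=orders-app,OU=Payments,O=Example Corp')
```

Repeating the RUNCHECK with a different SSLPEER value should return the ADDRESSMAP rule with USERSRC(NOACCESS), which confirms that unmapped certificates are blocked.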

Digital certificates can be revoked by Certificate Authorities. You can check the revocation status of certificates by using OCSP, or CRLs on LDAP servers, depending on the platform. For more information, see Working with revoked certificates.

Using the MQCSP structure

The MQCSP connection security parameters structure is specified on an MQCONNX call. This structure can contain credentials that are supplied by the application. The application can supply a user ID and password in the MQCSP structure. From IBM® MQ 9.3.4, applications can also supply an authentication token. If necessary, the MQCSP can be altered in a security exit.

Warning: The credentials in an MQCSP structure are sometimes sent across the network in plain text. To ensure that client application credentials are protected, see MQCSP password protection.

For more information, see Identifying and authenticating users using the MQCSP structure and Working with authentication tokens.

On AIX and Linux, the user ID and password that are specified in the MQCSP structure can be authenticated by using either the operating system or Pluggable Authentication Method (PAM). PAM provides a general mechanism for user authentication that hides the details from services. For more information, see Using the Pluggable Authentication Method (PAM).

Implementing identification and authentication in exits

You can identify and authenticate users by using several types of user exit program. For more information, see Implementing identification and authentication in security exits, Identity mapping in message exits, and Identity mapping in the API exit and API-crossing exit.