Identification and authentication

Identification is the ability to identify uniquely a user of a system or an application that is running in the system. Authentication is the ability to prove that a user or application is genuinely who that person or what that application claims to be.

For example, consider a user who logs on to a system by entering a user ID and password. The system uses the user ID to identify the user. The system authenticates the user at the time of logon by checking that the supplied password is correct.

Identification and authentication in IBM MQ

When an application connects to IBM® MQ, a user identity is always associated with the connection. The user identity is initially the Operating System user ID that is associated with the application process. This identity is often sufficient for locally bound applications that are hosted on the same system as the queue manager. However, the queue manager can also authenticate and modify the identity that is associated with the connection in several ways. Authenticating the identity that is associated with a connection is important when client applications that cannot necessarily be trusted connect to a queue manager over a network.

The identity that is associated with an application connection to an IBM MQ queue manager can be established by using any of the following mechanisms:
  • When an application connects to a queue manager, it can provide a user ID and password. The queue manager validates the credentials based on its configuration. For example, the user ID and password can be passed to the queue manager's Operating System, or to an LDAP server, to be authenticated.
  • [MQ 9.3.4 Oct 2023] From IBM MQ 9.3.4, an application can also supply an authentication token that it obtains from an external authentication server. For more information about authentication tokens, see Working with authentication tokens.
  • A client channel can be configured to use TLS mutual authentication, if it is configured with a valid digital certificate. TLS authentication can be combined with a channel authentication (CHLAUTH) rule to associate an appropriate user ID with the connection. For more information, see How TLS provides identification, authentication, confidentiality, and integrity.
  • Channel authentication (CHLAUTH) rules can override the identity based on information about the connection. For example, a channel authentication rule can set the user ID associated with a connection based on the IP address of the client.
  • Custom exit code can set an identity based on any criteria that you choose.

Identity and authentication are also applicable to channels between two queue managers. These channels are known as message channels. When a message channel starts, the message channel agent (MCA) at each end of the channel can authenticate its partner. This technique is known as mutual authentication. For the sending MCA, it provides assurance that the partner it is about to send messages to is genuine. Similarly, the receiving MCA is assured that it is about to receive messages from a genuine partner.

When an identity has been established, and authenticated if required, it is used by IBM MQ in several ways:

  • Importantly, by default, any subsequent authorization checks are made using this identity. For example, if an application attempts to put a message on a queue, the queue manager confirms that the identity that is associated with the application has 'put' authorization on the queue object.
  • In addition, every message can contain message context information. This information is held in the message descriptor (MQMD). The queue manager can automatically generate the message context when an application puts the message to a queue. Alternatively, the application can supply the message context if the user ID associated with the application is authorized to do so. This context information in a message gives the application that receives the message information about the originator of the message. It contains, for example, the name of the application that put the message and the user ID associated with the application.
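
As an added example (not taken from the IBM MQ documentation) that ties together the mechanisms listed above and the authorization checks that then use the established identity, the following MQSC commands validate supplied credentials against the Operating System, require TLS mutual authentication on a client channel, map one certificate subject to a low-privilege user ID with a CHLAUTH rule, deny everything else on that channel, and grant that user ID only the authorities it needs. The channel name, user names, queue name, certificate distinguished names and IP address are constructed placeholders.

```mqsc
* Connection authentication: check user ID + password against the local OS.
* CHCKCLNT(REQDADM): privileged users must supply a password, others may;
* any password that is supplied is always validated. ADOPTCTX(YES) makes the
* authenticated user ID the identity used for later authorization checks.
DEFINE AUTHINFO('USE.OS') AUTHTYPE(IDPWOS) CHCKCLNT(REQDADM) ADOPTCTX(YES) REPLACE
ALTER QMGR CONNAUTH('USE.OS') CHLAUTH(ENABLED)
REFRESH SECURITY TYPE(CONNAUTH)

* Client channel that requires TLS mutual authentication. MCAUSER('nobody')
* is only a fallback; the CHLAUTH rules below decide the real identity.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH('ANY_TLS12_OR_HIGHER') SSLCAUTH(REQUIRED) MCAUSER('nobody') REPLACE

* Map one specific certificate subject (issued by our internal CA) to the
* low-privilege user 'appuser'. SSLPEERMAP rules take precedence over
* ADDRESSMAP rules, so this match wins over the deny rule that follows.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=app1,OU=Payments,O=Example Corp') +
    SSLCERTI('CN=Example Internal CA,O=Example Corp') +
    USERSRC(MAP) MCAUSER('appuser') ACTION(ADD)

* Deny by default: any other connection on this channel gets no access.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) ACTION(ADD)

* Authorization records for the mapped identity: connect to the queue
* manager, then put/get on a single application queue and nothing else.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('appuser') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('APP.IN') OBJTYPE(QUEUE) PRINCIPAL('appuser') AUTHADD(PUT,GET,INQ)

* Verify which rule would apply to a given connection before exposing it.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('10.0.0.25') +
        CLNTUSER('app1') SSLPEER('CN=app1,OU=Payments,O=Example Corp') +
        SSLCERTI('CN=Example Internal CA,O=Example Corp')
```

Run the commands with `runmqsc` against the target queue manager; the final DISPLAY should report the SSLPEERMAP rule with MCAUSER('appuser'), and a connection presenting any other certificate should be rejected by the ADDRESSMAP rule.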