Interaction of CHLAUTH and CONNAUTH
How channel authentication records (CHLAUTH) and connection authentication (CONNAUTH) interact in IBM® MQ, in the case of a single conversation on a channel.
Different types of bindings
IBM MQ supports two methods for an application to connect:
- Local bindings
- Applies when the application and queue manager are on the same operating image. CHLAUTH is not relevant to this type of application connection.
- Client bindings
- Applies when the application and queue manager use the network to communicate. The application and queue manager can be running on the same machine, or they can be on different machines. In IBM MQ, a client connection is handled in the form of a server-connection (SVRCONN) channel and, in this situation, both CONNAUTH and CHLAUTH are applicable.
Binding steps of the receiving end of a channel
When an application connects to a queue manager, a substantial amount of checking is performed to ensure that both ends of the channel understand what is supported by the other end. The receiving end of the channel does some extra checking, involving CHLAUTH and CONNAUTH, to ensure that the client is allowed to connect, and this process might also include a security exit as this can affect the result. This channel connecting phase is also referred to as the binding phase.
The following diagram lists the steps that a SVRCONN channel goes through when the server end (at
the queue manager) starts:
- Step 1: Receive a connection request
- The channel initiator or listener receives a connection request from somewhere on the network.
- Step 2: Is the address allowed to connect?
- Before any data is read, IBM MQ checks the IP address of the partner against the CHLAUTH rules, to see if the address is in the BLOCKADDR rule. If the address is not found, and so not blocked, the flow proceeds to the next step.
- Step 3: Read data from the channel
- IBM MQ now reads the data into a buffer, and starts to process the sent information.
- Step 4: Look up the channel definition
- In the first data flow, IBM MQ sends, among other things, the name of the channel that the sending end is trying to start. The receiving queue manager can then look up the channel definition, which has all the settings that are specified for the channel.
- Step 5: Call security exit (if defined)
- If the channel has a security exit (SCYEXIT) defined, this is called with the exit reason (MQCXP.ExitReason) set to MQXR_INIT_SEC.
- Step 6: Receive MQCSP
- If necessary, construct one if the client supplied authentication credentials.
- Step 7: Adopt MQCSP user (if ChlauthEarlyAdopt is Y and ADOPTCTX=YES)
- The credentials that are supplied by the client are authenticated.
- Step 8: CHLAUTH mapping
- The CHLAUTH cache is inspected again to look for the mapping rules SSLPEERMAP, USERMAP, QMGRMAP, and ADDRESSMAP.
- Step 9: Call security exit (if defined)
- If the channel has a security exit (SCYEXIT) defined, this is called with the exit reason (MQCXP.ExitReason) set to MQXR_SEC_PARMS.
- Step 10: Authenticate the user
- The authentication phase happens if CONNAUTH is enabled on the queue manager.
- Step 11: Adopt the context of the MQCSP user (If ChlauthEarlyAdopt=N and ADOPTCTX=YES)
- You can set the ADOPTCTX attribute, which controls whether the channel runs under MCAUSER, or the user ID the application has supplied.
- Step 12: Check the user is not blocked (BLOCKUSER)
- If the CONNAUTH checking is successful, the CHLAUTH cache is then inspected again to check if the active MCAUSER is blocked by a BLOCKUSER rule. If the user is blocked, the channel ends.
- Step 13: Validate CHLAUTH CHCKCLNT requirements
- If the CHLAUTH rule that was selected in step 8 additionally
specifies a CHCKCLNT value of REQUIRED or REQDADM then validation is done to ensure that a valid
CONNAUTH userid was provided to meet the requirement.
- If CHCKCLNT(REQUIRED) is set a user must have been authenticated in step 7 or 10. Otherwise the connection is rejected.
- If CHCKCLNT(REQDADM) is set a user must have been authenticated in step 7 or 10 if this connection is determined to be privileged. Otherwise the connection is rejected.
- If CHCKCLNT(ASQMGR) is set then this step is skipped.
Notes:- If CHCKCLNT(REQUIRED) or CHCKCLNT(REQDADM) is set, but CONNAUTH is not enabled on the queue manager, the connection fails with a MQRC_SECURITY_ERROR (2063) return code due to the conflict in configuration.
- The user is not re-authenticated in this step.
- Step 14: Validate CONNAUTH CHCKCLNT requirements.
- The authentication phase happens if CONNAUTH is enabled on the queue manager.
- Step 15: Check object authorization
- A check is made to ensure that the active MCAUSER has the appropriate authority to connect to the queue manager.
- Step 16: The connection completes
- If the preceding steps complete successfully, the connection completes.