Using authentication tokens in an application
Write your application to supply an authentication token when it connects to an IBM® MQ queue manager.
Before you begin
From IBM MQ 9.3.4, applications can supply an authentication token when they connect to a queue manager. To do so, the application must meet the following requirements:
- It must be written in C or Java (using the IBM MQ classes for JMS/Jakarta Messaging).
- It must connect to the queue manager as an IBM MQ client. That is, the application must connect to the queue manager over a network, instead of using local bindings.
- It must connect to a queue manager that runs on AIX® or Linux®.
The application that supplies the authentication token can run on any platform that supports IBM MQ MQI clients.
Clients that use automatic client reconnection cannot supply an authentication token when they connect. If an application supplies an authentication token, and specifies the MQCNO_RECONNECT or MQCNO_RECONNECT_Q_MGR option in the MQCNO structure, the connection fails and reason code MQRC_RECONNECT_INCOMPATIBLE (2547) is returned to the application. For more information about automatic client reconnection, see Automatic client reconnection.
If you cannot write the application to supply an authentication token due to these requirements, you can alternatively migrate your application to use authentication tokens by using a client security exit. The client security exit can be written to set the authentication token in the MQCSP structure. For more information about security exits, see Security exits on a client connection.
From IBM MQ 9.3.5, JMS client applications can directly provide a token when connecting (see Obtaining an authentication token from your chosen token issuer). In IBM MQ 9.3.4, Java applications can indirectly provide a token by way of an exit program. For more information, see Java class MQCSP.
About this task
This task assumes that:
- The queue manager has been configured to accept authentication tokens by following the steps in Configuring a queue manager to accept authentication tokens.
- Your application can obtain a valid token as required from your authentication server. See Obtaining an authentication token from your chosen token issuer.
To supply an authentication token when the application connects to an IBM MQ queue manager, include the following process in the application.