Connection authentication: Configuration
A queue manager can be configured to authenticate credentials that are supplied by an application when it connects.
Turning on connection authentication on a queue manager
- IDPWOS
- The queue manager uses the local operating system to authenticate the user ID and password that is supplied by a connecting application.
- IDPWLDAP
- The queue manager uses an LDAP server to authenticate the user ID and password that is supplied by a connecting application.
AUTHINFO objects of type IDPWOS and IDPWLDAP are similar in several of their attributes. The attributes described here are common to both types of objects.
- Define an AUTHINFO object named
USE.PW
. - Alter the queue manager CONNAUTH attribute to refer to this AUTHINFO object.
- Issue the REFRESH SECURITY command to refresh the queue manager's connection authentication configuration. The REFRESH SECURITY command must be issued before the queue manager recognizes any changes to the connection authentication configuration.
DEFINE AUTHINFO(USE.PW) +
AUTHTYPE(IDPWOS) +
FAILDLAY(10) +
CHCKLOCL(OPTIONAL) +
CHCKCLNT(REQUIRED)
ALTER QMGR CONNAUTH(USE.PW)
REFRESH SECURITY TYPE(CONNAUTH)
To control whether credentials are checked for connections that are made by locally bound applications, use the AUTHINFO attribute CHCKLOCL (check local connections). To control whether credentials are checked for connections that are made by client applications, use the AUTHINFO attribute CHCKCLNT (check client connections).
- NONE
- Authentication credentials that are supplied by applications are not checked.
- OPTIONAL
- Ensures that any credentials that are provided by an application are valid. However, it is not mandatory for applications to provide authentication credentials. This option might be useful during migration, for example.
- REQUIRED
- Requires that all applications provide valid credentials. See also the following note.
- REQDADM
- Privileged users must supply valid credentials, but non-privileged users are treated as with the OPTIONAL setting. See also the following note. (This setting is not allowed on z/OS systems.)
Setting CHCKLOCL to REQUIRED or REQDADM means that you cannot locally administer the queue manager by using runmqsc (error AMQ8135: Not authorized) unless the user specifies the -u parameter to specify the user ID in the runmqsc command. With that parameter set, runmqsc prompts for the user's password at the console.
Similarly, a user that runs IBM MQ Explorer on the local system will see error AMQ4036 when attempting to connect to the queue manager. To specify a user ID and password, right-click the local queue manager object and select from the menu. In the Userid section, enter the user ID and password to be used, then click OK.
Similar considerations apply to remote connections with CHCKCLNT.
The queue manager CONNAUTH attribute is blank for queue managers that are migrated from versions earlier than IBM MQ 8.0, but is set to SYSTEM.DEFAULT.AUTHINFO.IDPWOS for newly created queue managers. This default AUTHINFO definition has CHCKCLNT set to REQDADM by default.
Therefore, any existing clients that use a privileged user ID to connect must provide valid credentials.
Configuration granularity
The AUTHINFO object's CHCKLOCL and CHCKCLNT attributes set authentication requirements for all connections to the queue manager. In addition to these attributes, the CHCKCLNT attribute on channel authentication (CHLAUTH) rules allow more stringent authentication requirements to be set for specific client connections that match the CHLAUTH rule.
DEFINE AUTHINFO(USE.PW) AUTHTYPE(xxxxxx) +
CHCKCLNT(OPTIONAL)
SET CHLAUTH('*') TYPE(ADDRESSMAP) +
ADDRESS('*') USERSRC(CHANNEL) +
CHCKCLNT(REQUIRED)
SET CHLAUTH('*') TYPE(SSLPEERMAP) +
SSLPEER('CN=*') USERSRC(CHANNEL)
For more information about CHLAUTH rules, see Channel authentication records.Error notification
- An application does not supply authentication credentials when they are required.
- An application supplies invalid authentication credentials. This situation is treated as an error even if the configuration states that it is optional for applications to supply credentials.
Failed authentications are held for the number of seconds specified by the FAILDLAY attribute before the error is returned to the application. This delay provides some protection from an application repeatedly trying to connect.
- Application
- An MQRC_NOT_AUTHORIZED (2035) reason code is returned to the application.
- Administrator
- An IBM MQ administrator sees the event reported in the error log. The error message shows that the connection is rejected because the credentials are invalid, rather than because, for example, the user does not have connection authority.
- Monitoring tool
- A monitoring tool can also be notified of the failure, if you turn on authority events, by an
event message on the
SYSTEM.ADMIN.QMGR.EVENT
queue. To turn on authority events, issue the following MQSC command:
This "Not Authorized" event is a Type 1 connect event, and provides the same fields as other Type 1 events, with an extra field, the MQCSP user ID that was provided. If the application supplied a password, it is not included in the event message. This means that there are two user IDs in the event message:ALTER QMGR AUTHOREV(ENABLED)
- The user ID that the application is running under.
- The user ID in the credentials that the application presented.
Adopting users for authorization
USE.PWD
that is
used for connection authentication, and set the ADOPTCTX attribute to
YES: DEFINE AUTHINFO(USE.PWD) +
AUTHTYPE(xxxxxx) +
CHCKLOCL(OPTIONAL) +
CHCKCLNT(REQUIRED) +
ADOPTCTX(YES)
ALTER QMGR CONNAUTH(USE.PWD)
- ADOPTCTX(YES)
- The credentials that are supplied by the application are adopted as the application context for
the duration of the connection. All authorization checks for an application are made with the user
ID in the credentials that were authenticated.Attention: When using ADOPTCTX(YES) and local operating system user IDs, you must ensure that the user ID being adopted meets the requirements for user IDs in IBM MQ. For more information, see User IDs.
- ADOPTCTX(NO)
- Credentials that are supplied by an application are used only for authentication at connection time. The user ID that the application is running under continues to be used for future authorization checks. You might find this option useful when migrating, or if you plan to use other mechanisms, such as channel authentication records, to assign the message channel agent user identifier (MCAUSER).
Interaction with Channel Authentication
Channel authentication rules can be used to change the user ID that is used as the context for an application connection, based on the user ID received from the client. For an example of using a channel authentication rule to change the user ID associated with a connection, see Mapping a client user ID to an MCAUSER user ID.
The order in which connection authentication and channel authentication rules are processed is a significant factor in determining the security context for IBM MQ client application connections. The ChlauthEarlyAdopt parameter in the channels stanza of the qm.ini file controls the order in which the queue manager adopts the context from credentials that are supplied by the application, and applies channel authentication rules. For more information about ChlauthEarlyAdopt, see Attributes of the channels stanza.
For more information about the interaction of connection authentication and channel authentication, and the order in which checks take place when a client application connects to a queue manager, see Interaction of CHLAUTH and CONNAUTH.