Security requirements for the IBM MQ service provider

Security for the IBM® MQ service provider is in two parts.

  • A user must be authorized to submit RESTful requests to IBM MQ service provider services that are exposed by IBM z/OS® Connect. Authorization is controlled by server.xml configuration file of IBM z/OS Connect. For more information, see How to configure the authorization levels.
  • An IBM MQ service provider service must be authorized to access the queue manager and its resources.

The IBM MQ service provider is fundamentally a JMS (Java Message Service) application, based on the IBM MQ messaging provider that is supplied with IBM z/OS Connect. The IBM MQ service provider connects to one or more queue managers by using bindings or client mode connections.

As a result, the IBM MQ service provider can be secured in the same way as applications that share these traits.

The IBM MQ service provider connects to a queue manager and presents a user ID and optional password. These credentials are optionally validated by using connection authentication. For more information, see Connection authentication in the IBM MQ documentation.

Depending on the security configuration of the queue manager, and the validity of the user ID and password, the authenticated user can access the MQ queues or topics. For more information, see Setting up security on z/OS in the IBM MQ documentation.

Configuration attributes that are specified on the service, and on the properties.wmqJms subelement of the jmsConnectionFactory element in server.xml, affect which user ID, and optional password, are presented to the queue manager. For more information, see IBM MQ override properties.

Attention: There is a precedence order for the security configuration properties. The userName and password attributes override properties.wmqJms attributes, and the useCallerPrincipal attribute overrides all other attributes.

The possible combinations of attribute values and the resulting behavior are shown in Table 1.

Table 1. Security configuration attributes

Each row lists the service properties (useCallerPrincipal; userName and password), the properties.wmqJms attributes (userName; userPassword), and the resulting behavior.

  • useCallerPrincipal: not set or false. Service userName and password: not set or blank. properties.wmqJms userName: not set or blank. properties.wmqJms userPassword: not set or blank.
    Resulting behavior: The user name that is associated with the IBM z/OS Connect address space is presented to the queue manager for authorization and authentication purposes. No password is presented.
  • useCallerPrincipal: not set or false. Service userName and password: not set or blank. properties.wmqJms userName: set. properties.wmqJms userPassword: not set or blank.
    Resulting behavior: The user name in the properties.wmqJms element is presented to the queue manager for authorization and authentication purposes. No password is presented.
  • useCallerPrincipal: not set or false. Service userName and password: not set or blank. properties.wmqJms userName: set. properties.wmqJms userPassword: set.
    Resulting behavior: The user name and password in the properties.wmqJms element are presented to the queue manager for authorization and authentication purposes.
  • useCallerPrincipal: not set or false. Service userName and password: both values set. properties.wmqJms userName: ignored if set. properties.wmqJms userPassword: ignored if set.
    Resulting behavior: The user name and password in the service property subelement or zosconnect_mqService element are presented to the queue manager for authorization and authentication purposes.
  • useCallerPrincipal: true. Service userName and password: ignored if set. properties.wmqJms userName: ignored if set. properties.wmqJms userPassword: ignored if set.
    Resulting behavior: The user principal that is authenticated to IBM z/OS Connect is taken, and its user name is presented to the queue manager for authorization and authentication purposes. No password is presented.

Both password attributes can be provided in plain text or encoded format. Use the encoded format because anyone with access to the server.xml can view the password in plain text. IBM z/OS Connect includes a tool called securityUtility, which can be used to encode passwords. For more information, see securityUtility command in the WebSphere® Application Server for z/OS Liberty documentation.
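The following server.xml fragment is an added illustration of the precedence rules and the password-encoding advice above; it is not taken from the IBM documentation. The attribute names queueManager, transportType, id, jndiName, connectionFactory and destination, the queue and service names, and the {xor} value are assumptions or placeholders; only userName, password and useCallerPrincipal are taken from this page.

```xml
<!-- Added illustration, not from the IBM documentation. Names other than
     userName, password and useCallerPrincipal are assumed or placeholders. -->
<server>
  <!-- One connection factory per queue manager. Credentials set on
       properties.wmqJms are overridden by userName/password on the service,
       so they are deliberately left off here. -->
  <jmsConnectionFactory id="cfQM01" jndiName="jms/cfQM01">
    <properties.wmqJms queueManager="QM01" transportType="BINDINGS"/>
  </jmsConnectionFactory>

  <!-- WEAK: plain-text password, readable by anyone who can open server.xml. -->
  <zosconnect_mqService id="orderServiceWeak"
                        connectionFactory="cfQM01"
                        destination="jms/ORDER.QUEUE"
                        userName="MQAPPID"
                        password="s3cret-in-clear"/>

  <!-- BETTER: the same credentials, password encoded with securityUtility
       (encode subcommand, xor encoding). The value is a placeholder. -->
  <zosconnect_mqService id="orderService"
                        connectionFactory="cfQM01"
                        destination="jms/ORDER.QUEUE"
                        userName="MQAPPID"
                        password="{xor}ENCODED-PASSWORD-PLACEHOLDER"/>

  <!-- ALTERNATIVE: useCallerPrincipal="true" takes precedence over every other
       credential attribute. The user authenticated to z/OS Connect is presented
       to the queue manager with no password, so the queue manager's own
       authority checks apply to each caller rather than to one shared ID. -->
  <zosconnect_mqService id="orderServiceCaller"
                        connectionFactory="cfQM01"
                        destination="jms/ORDER.QUEUE"
                        useCallerPrincipal="true"/>
</server>
```

Encoding only obscures the value in the file; it is reversible, so file-system access to server.xml should still be restricted.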

For more information about how to configure security for IBM z/OS Connect, see Securing IBM z/OS Connect resources.