Field details for MQCSP

The IBM® MQ connection security parameter structure is used by applications to flow authentication information on an MQCONNX call to the queue manager. You can also use it to provide the initial key that is used with the IBM MQ password protection system that encrypts sensitive data.

StrucId (MQCHAR4)

This is the structure identifier of the security parameters structure. It is always an input field. Its value is MQCSP_STRUC_ID.

The value must be:
MQCSP_STRUC_ID
Identifier for the security parameters structure.

For the C programming language, the constant MQCSP_STRUC_ID_ARRAY is also defined. This has the same value as MQCSP_STRUC_ID, but is an array of characters instead of a string.

Version (MQLONG)

MQCSP structure version number.

The value must be:
MQCSP_VERSION_1
Version-1 security parameters structure. At version 1 you can include a user ID and password in the MQCSP structure to authenticate with the queue manager.
MQCSP_VERSION_2
Version-2 security parameters structure. At version 2 you can include a user ID and password to authenticate with the queue manager and specify the initial key that is used to protect passwords.
[MQ 9.4.0 Jun 2024]MQCSP_VERSION_3
Version-3 security parameters structure. At version 3 you can include either a user ID and password or an authentication token in the MQCSP structure to authenticate with the queue manager. You can also specify the initial key that is used to protect passwords.
The following constant specifies the version number of the current version:
MQCSP_CURRENT_VERSION
Current version of security parameters structure.

This is always an input field. The initial value of this field is MQCSP_VERSION_3.

AuthenticationType (MQLONG)

AuthenticationType is an input field. Its initial value is MQCSP_AUTH_NONE.

This is the type of authentication to perform. Valid values are:
MQCSP_AUTH_NONE
Do not use the user ID and password or authentication token fields.
MQCSP_AUTH_USER_ID_AND_PWD
Authenticate using the user ID and password in the MQCSP structure.
[MQ 9.4.0 Jun 2024]MQCSP_AUTH_ID_TOKEN
Authenticate using the authentication token in the MQCSP structure.

The default value is MQCSP_AUTH_NONE. With the default setting, no password protection is done.

If you require authentication, you have to set MQCSP.AuthenticationType to MQCSP_AUTH_USER_ID_AND_PWD or MQCSP_AUTH_ID_TOKEN.

For more information, see
[IBM i]

Reserved1 (MQBYTE4)

A reserved field, required for pointer alignment on IBM i.

The initial value of this field is all null.

CSPUserIdPtr (MQPTR)

The address for the user ID to be used in authentication.

This is an input field. The initial value of this field is the null pointer in those programming languages that support pointers, and an all-null byte string otherwise. This field is ignored if Version is less than MQCNO_VERSION_5.

This field can contain an operating system user ID when an AUTHTYPE of IDPWOS is named in the CONNAUTH field of the queue manager.

On Windows this can be a fully qualified domain user ID.

This field can contain an LDAP User ID when an AUTHTYPE of IDPWLDAP is named in the CONNAUTH field of the queue manager.

CSPUserIdOffset (MQLONG)

The offset in bytes for the user ID to be used in authentication. The offset can be positive or negative.

This is an input field. The initial value of this field is 0.

CSPUserIdLength (MQLONG)

The length for the user ID to be used in authentication.

The maximum length of the user ID is dependent on the platform, see User IDs. If the length of the user ID is greater than the maximum length permitted, the authentication request fails with MQRC_CSP_ERROR. In earlier versions of IBM MQ, the error returned is MQRC_NOT_AUTHORIZED.

This field is an input field. The initial value of this field is 0.

[IBM i]

Reserved2 (MQBYTE8)

A reserved field, required for pointer alignment on IBM i.

The initial value of this field is all null.

CSPPasswordPtr (MQPTR)

The address for the password to be used in authentication.

This is an input field. The initial value of this field is the null pointer in those programming languages that support pointers, and an all-null byte string otherwise. This field is ignored if Version is less than MQCNO_VERSION_5.

This field can contain an empty password which is rejected by the operating system or LDAP password checking, depending on setup, but is not rejected by IBM MQ before it is passed to the authentication method.

CSPPasswordOffset (MQLONG)

This is the offset in bytes for the password to be used in authentication. The offset can be positive or negative.

This is an input field. The initial value of this field is 0.

CSPPasswordLength (MQLONG)

The length of the password to be used in authentication.

The maximum length of the password is MQ_CSP_PASSWORD_LENGTH, which is 256 characters. If the length of the password is greater than the maximum length permitted, the authentication request fails with MQRC_CSP_ERROR. In earlier versions of IBM MQ, the error returned is MQRC_NOT_AUTHORIZED.

This field is an input field. The initial value of this field is 0.

[IBM i]

Reserved3 (MQBYTE8)

A reserved field, required for pointer alignment on IBM i.

The initial value of this field is all null.

[UNIX, Linux, Windows, IBM i]

InitialKeyPtr (MQPTR)

The address for the initial key for the password protection system.

This is an input field. The initial value of this field is the null pointer in those programming languages that support pointers, and an all-null byte string otherwise. This field is ignored if Version is less than MQCSP_VERSION_2.

This field is relevant only for IBM MQ MQI clients that are running on Multiplatforms.

IBM MQMQI clients can supply encrypted values for some fields, using the IBM MQ password protection system. If you used an initial key to encrypt the password for the key repository specified in the MQSCO structure, ensure you include initial key fields in the MQCSP structure for the same client application.

An initial key is used by the encryption algorithm to encrypt and decrypt these values. If an initial key is supplied when the values of these fields are encrypted using the runmqicred utility, then the same initial key must be specified by the client when it connects to the queue manager.

The initial key specified using this field overrides any initial key that is specified using the MQS_MQI_KEYFILE environment variable, or the MQIInitialKeyFile property in the Security stanza of the client configuration file.

You can use either InitialKeyOffset or InitialKeyPtr to specify the initial key, but not both.

See also
[UNIX, Linux, Windows, IBM i]

InitialKeyOffset (MQLONG)

The offset in bytes for the initial key for the password protection system from the start of the MQCSP structure. The offset can be positive or negative.

You can use either InitialKeyOffset or InitialKeyPtr to specify the initial key, but not both. For more information, see the description of the InitialKeyPtr field.

This is an input field. The initial value of this field is 0. This field is ignored if Version is less than MQCSP_VERSION_2.

See also
[UNIX, Linux, Windows, IBM i]

InitialKeyLength (MQLONG)

The length of the initial key for the password protection system.

This is an input field. The initial value of this field is 0. This field is ignored if Version is less than MQCSP_VERSION_2.

[IBM i]

Reserved4 (MQBYTE8)

A reserved field, required for pointer alignment on IBM i.

The initial value of this field is all null.

[AIX][Linux]

TokenPtr (MQPTR)

The address of the authentication token that is used for authentication with the queue manager.

This is an input field. The initial value of this field is the null pointer in those programming languages that support pointers, and an all-null byte string otherwise. This field is ignored if Version is less than MQCSP_VERSION_3.

This field is relevant for IBM MQ MQI clients connecting to IBM MQ queue managers that run on AIX or Linux systems.

You can use either TokenOffset or TokenPtr to specify the authentication token, but not both.

See also
[AIX][Linux]

TokenOffset (MQLONG)

This is the offset in bytes for the authentication token from the start of the MQCSP structure. The offset can be positive or negative.

This is an input field. The initial value of this field is 0. This field is ignored if Version is less than MQCSP_VERSION_3.

You can use either TokenOffset or TokenPtr to specify the token, but not both. For more information, see the description of the TokenPtr field.

See also
[AIX][Linux]

TokenLength (MQLONG)

This is the length of the authentication token used for authentication with the queue manager.

The maximum length of the authentication token is MQ_CSP_TOKEN_LENGTH, which is 8192 bytes. If the TokenLength is greater than the maximum length permitted, the authentication request fails with MQRC_CSP_ERROR.

This is an input field. The initial value of this field is 0. This field is ignored if Version is less than MQCSP_VERSION_3.

See also