MQCSP password protection

From IBM® MQ 8.0, you can send passwords that are included in the MQCSP structure either protected, by using IBM MQ functionality, or encrypted, by using TLS encryption.

Important: MQCSP password protection is useful for test and development purposes because it is simpler to set up than TLS encryption, but it is not as secure. For production purposes, use TLS encryption in preference to IBM MQ password protection, especially when the network between the client and the queue manager is untrusted.

If you need to know precisely which encryption algorithm is being used, and how much protection it offers, you must use full TLS encryption. With TLS, the algorithms are publicly known, and you can select the appropriate one for your enterprise by using the SSLCIPH channel attribute.

For more information about the MQCSP structure, see MQCSP structure.

Password protection is used when all of the following conditions are met:
  • Both ends of the connection are using IBM MQ 8.0, or later.
  • The channel is not using TLS encryption. A channel is not using TLS encryption if the channel has a blank SSLCIPH attribute, or the SSLCIPH attribute is set to a CipherSpec that does not provide encryption. Null ciphers, for example, NULL_SHA, do not provide encryption.
  • You set MQCSP.AuthenticationType to MQCSP_AUTH_USER_ID_AND_PWD. Setting this value enables more checks to be evaluated to decide whether password protection is done. The default value of MQCSP.AuthenticationType is MQCSP_AUTH_NONE. With the default setting, no password protection is done. For more information, see AuthenticationType.
  • If the client is IBM MQ Explorer, user identification compatibility mode is not enabled, which is not the default. This condition applies only to IBM MQ Explorer.

If these conditions are not met, the password is sent in plain text unless prohibited by the PasswordProtection configuration setting.

The PasswordProtection configuration setting

The PasswordProtection attribute in the Channels stanza of the client and queue manager .ini configuration files can prevent passwords from being sent in plain text. The attribute can take one of three values. The default value is compatible:
compatible
The password can be sent in plain text if either the queue manager or client is running a version earlier than IBM MQ 8.0. That is, plain text passwords are allowed for compatibility.
Therefore:
  • The password is sent encrypted by the TLS CipherSpec if TLS encryption is used and the CipherSpec is not null.
  • The password is sent in plain text if either the queue manager or the client is running a version earlier than IBM MQ 8.0, and TLS encryption is not used. The password is sent in plain text as versions earlier than IBM MQ 8.0 can send passwords only in plain text.
  • The password is sent protected if both the queue manager and the client are running at IBM MQ 8.0 or later, and either a null CipherSpec is used, or TLS encryption is not used. MQCSP.AuthenticationType must be set to MQCSP_AUTH_USER_ID_AND_PWD.
  • The connection fails before the password is sent if both the queue manager and the client are running at IBM MQ 8.0 or later, and MQCSP.AuthenticationType is not set to MQCSP_AUTH_USER_ID_AND_PWD.
always
The password must be either encrypted with a CipherSpec that is not a null CipherSpec, or MQCSP.AuthenticationType must be set to MQCSP_AUTH_USER_ID_AND_PWD. Otherwise, the connection fails. That is, plain text passwords are not allowed.
Therefore:
  • The password is sent encrypted by the TLS CipherSpec if TLS encryption is used and the CipherSpec is not null.
  • The password is sent protected if both the queue manager and the client are running IBM MQ 8.0 or later, and either TLS encryption is not used, or a null CipherSpec is used. MQCSP.AuthenticationType must be set to MQCSP_AUTH_USER_ID_AND_PWD.
  • The connection fails before the password is sent if either the queue manager or the client is running a version earlier than IBM MQ 8.0, and TLS encryption is not used. Because versions earlier than IBM MQ 8.0 can send passwords only in plain text, and the always setting requires the password to be either encrypted or protected, the connection fails.
optional
The password can optionally be sent protected, but is sent in plain text if MQCSP.AuthenticationType is not set to MQCSP_AUTH_USER_ID_AND_PWD. That is, plain text passwords are allowed to be sent by any client.
Therefore:
  • The password is sent encrypted by the TLS CipherSpec if TLS encryption is used and the CipherSpec is not null.
  • The password is sent in plain text if a null CipherSpec is used and MQCSP.AuthenticationType is not set to MQCSP_AUTH_USER_ID_AND_PWD.
  • The password is sent in plain text if either the queue manager or the client is running a version earlier than IBM MQ 8.0, and TLS encryption is not used. The password is sent in plain text as versions earlier than IBM MQ 8.0 can send passwords only in plain text.
  • The password is sent protected if both the queue manager and the client are running at IBM MQ 8.0 or later, TLS encryption is not used or a null CipherSpec is used, and MQCSP.AuthenticationType is set to MQCSP_AUTH_USER_ID_AND_PWD.
For Java and JMS clients, the behavior of the PasswordProtection attribute depends on whether the client uses compatibility mode or MQCSP mode:
  • If Java and JMS clients are operating in compatibility mode, an MQCSP structure is not flowed during connection processing. Therefore, the PasswordProtection attribute behaves as described for clients that are running a version of IBM MQ earlier than IBM MQ 8.0.
  • If Java and JMS clients are operating in MQCSP mode, the PasswordProtection attribute behaves as described for the three values.
For more information about connection authentication with Java and JMS clients, see Connection authentication with the Java client.
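The following Python script is an added example, not code from IBM or from the IBM MQ product. It reads the PasswordProtection attribute from a constructed sample of the Channels stanza (the "Name:" followed by indented Key=Value lines layout of IBM MQ .ini files) and then models, for each of the three values, whether a password would be sent encrypted, protected, in plain text, or whether the connection would fail, using the rules stated on this page. The sample .ini text, the CipherSpec name in the demonstration run, and the rule that any CipherSpec whose name starts with NULL_ provides no encryption (the page names only NULL_SHA) are assumptions made for the example.

```python
# Added example, not IBM MQ code: parse PasswordProtection from an MQ .ini
# stanza and model the password disposition rules described on this page.

PROTECTED_AUTH = "MQCSP_AUTH_USER_ID_AND_PWD"

# Constructed sample of a client or queue manager .ini file (not a real file).
SAMPLE_INI = """\
# constructed sample, not taken from any installation
Channels:
   PasswordProtection=always
TCP:
   KeepAlive=Yes
"""


def parse_mq_ini(text):
    """Parse the IBM MQ stanza layout: an unindented 'Name:' line opens a
    stanza, indented Key=Value lines belong to it, '#' starts a comment.
    Returns {stanza: {key: value}} with names as written in the file."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1].strip()
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def password_protection_setting(ini_text):
    """Effective PasswordProtection value; the page states the default is compatible."""
    channels = parse_mq_ini(ini_text).get("Channels", {})
    value = channels.get("PasswordProtection", "compatible").lower()
    if value not in ("compatible", "always", "optional"):
        raise ValueError("unknown PasswordProtection value: " + value)
    return value


def channel_encrypted(sslciph):
    """Per the page, a channel is not using TLS encryption if SSLCIPH is blank
    or names a CipherSpec that provides no encryption (NULL_SHA is the page's
    example). Assumption: every CipherSpec named NULL_* is treated as non-encrypting."""
    return bool(sslciph) and not sslciph.upper().startswith("NULL_")


def password_disposition(setting, sslciph, both_v8_or_later, auth_type,
                         java_compat_mode=False):
    """Model of the page's rules. Returns 'encrypted', 'protected', 'plain' or 'fails'.
    both_v8_or_later: both client and queue manager are IBM MQ 8.0 or later.
    java_compat_mode: Java/JMS client in compatibility mode (no MQCSP flowed)."""
    if channel_encrypted(sslciph):
        return "encrypted"          # TLS CipherSpec encrypts the whole flow
    if java_compat_mode:
        both_v8_or_later = False    # page: behaves like a pre-8.0 client
    protect_requested = auth_type == PROTECTED_AUTH
    if setting == "compatible":
        if not both_v8_or_later:
            return "plain"          # pre-8.0 end can only send plain text
        return "protected" if protect_requested else "fails"
    if setting == "always":
        if both_v8_or_later and protect_requested:
            return "protected"
        return "fails"              # plain text is never allowed
    if setting == "optional":
        if both_v8_or_later and protect_requested:
            return "protected"
        return "plain"              # any client may still send plain text
    raise ValueError("unknown PasswordProtection value: " + str(setting))


if __name__ == "__main__":
    setting = password_protection_setting(SAMPLE_INI)
    print("PasswordProtection from sample .ini:", setting)
    # Assumed CipherSpec name for the demonstration; "" means SSLCIPH is blank.
    for ciph in ("", "NULL_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256"):
        for v8 in (True, False):
            for auth in (PROTECTED_AUTH, "MQCSP_AUTH_NONE"):
                print(setting, repr(ciph), "both>=8.0" if v8 else "pre-8.0", auth,
                      "->", password_disposition(setting, ciph, v8, auth))
```

Running the script with the sample file prints the outcome for every combination of CipherSpec, version pairing and MQCSP.AuthenticationType under the always setting; changing the sample's PasswordProtection line to compatible or optional shows how the same combinations move between plain text and a failed connection, which is the check worth doing before relying on the default value on an untrusted network.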