Implementing access control in security exits

You can implement access control in a security exit by use of the MCAUserIdentifier or the object authority manager.

MCAUserIdentifier

Every instance of a channel that is current has an associated channel definition structure, MQCD. The initial values of the fields in MQCD are determined by the channel definition that is created by an IBM® MQ administrator. In particular, the initial value of one of the fields, MCAUserIdentifier, is determined by the value of the MCAUSER parameter on the DEFINE CHANNEL command, or by the equivalent to MCAUSER if the channel definition is created in another way.

The MQCD structure is passed to a channel exit program when it is called by an MCA. When a security exit is called by an MCA, the security exit can change the value of MCAUserIdentifier, replacing any value that was specified in the channel definition.

[UNIX, Linux, Windows, IBM i]On Multiplatforms, unless the value of MCAUserIdentifier is blank, the queue manager uses the value of MCAUserIdentifier as the user ID for authority checks when an MCA attempts to access the queue manager's resources after it has connected to the queue manager. If the value of MCAUserIdentifier is blank, the queue manager uses the default user ID of the MCA instead. This applies to RCVR, RQSTR, CLUSRCVR and SVRCONN channels. For sending MCAs, the default user ID is always used for authority checks, even if the value of MCAUserIdentifier is not blank.

[z/OS]On z/OS®, the queue manager might use the value of MCAUserIdentifier for authority checks, provided it is not blank. For receiving MCAs and server connection MCAs, whether the queue manager uses the value of MCAUserIdentifier for authority checks depends on:
  • The value of the PUTAUT parameter in the channel definition
  • The RACF® profile used for the checks
  • The access level of the channel initiator address space user ID to the RESLEVEL profile
For sending MCAs, it depends on:
  • Whether the sending MCA is a caller or a responder
  • The access level of the channel initiator address space user ID to the RESLEVEL profile
The user ID that a security exit stores in MCAUserIdentifier can be acquired in various ways. Here are some examples:
  • Provided there is no security exit at the client end of an MQI channel, a user ID associated with the IBM MQ client application flows from the client connection MCA to the server connection MCA when the client application issues an MQCONN call. The server connection MCA stores this user ID in the RemoteUserIdentifier field in the channel definition structure, MQCD. If the value of MCAUserIdentifier is blank at this time, the MCA stores the same user ID in MCAUserIdentifier. If the MCA does not store the user ID in MCAUserIdentifier, a security exit can do it later by setting MCAUserIdentifier to the value of RemoteUserIdentifier.

    If the user ID that flows from the client system is entering a new security domain and is not valid on the server system, the security exit can substitute the user ID for one that is valid and store the substituted user ID in MCAUserIdentifier.

  • The user ID can be sent by the partner security exit in a security message.

    On a message channel, a security exit called by the sending MCA can send the user ID under which the sending MCA is running. A security exit called by the receiving MCA can then store the user ID in MCAUserIdentifier. Similarly, on an MQI channel, a security exit at the client end of the channel can send the user ID associated with the IBM MQ MQI client application. A security exit at the server end of the channel can then store the user ID in MCAUserIdentifier. As in the previous example, if the user ID is not valid on the target system, the security exit can substitute the user ID for one that is valid and store the substituted user ID in MCAUserIdentifier.

    If a digital certificate is received as part of the identification and authentication service, a security exit can map the Distinguished Name in the certificate to a user ID that is valid on the target system. It can then store the user ID in MCAUserIdentifier.

  • If TLS is used on the channel, the partner's Distinguished Name (DN) is passed to the exit in the SSLPeerNamePtr field of the MQCD, and the DN of the issuer of that certificate is passed to the exit in the SSLRemCertIssNamePtr field of the MQCXP.

For more information about the MCAUserIdentifier field, the channel definition structure, MQCD, and the channel exit parameter structure, MQCXP, see Channel-exit calls and data structures. For more information about the user ID that flows from a client system on an MQI channel, see Access control.

Note: Security exit applications constructed prior to the release of IBM WebSphere® MQ 7.1 might require updating. For more information see Channel security exit programs.

IBM MQ object authority manager user authentication

On IBM MQ MQI client connections, security exits can be used to modify or create the MQCSP structure used in object authority manager (OAM) user authentication. This is described in Channel-exit programs for messaging channels