Setting up IBM MQ MQI client security

You must consider IBM® MQ MQI client security, so that the client applications do not have unrestricted access to resources on the server.

When running a client application, do not run the application using a user ID that has more access rights than necessary; for example, a user in the mqm group or even the mqm user itself.

By running an application as a user with too many access rights, you run the risk of the application accessing and changing parts of the queue manager, either by accident or maliciously.

There are two aspects to security between a client application and its queue manager server: authentication and access control.

Authentication can be used to ensure that the client application, running as a specific user, is who they say they are. By using authentication you can prevent an attacker from gaining access to your queue manager by impersonating one of your applications.
From IBM MQ 8.0, authentication is provided by one of two options:
- The connection authentication feature.
  For more information on connection authentication, see Connection authentication.
- Using mutual authentication within TLS.
  For more information on TLS, see Working with SSL/TLS.
Access control can be used to give or remove access rights for a specific user or group of users. By running a client application with a specifically created user (or user in a specific group) you can then use access controls to ensure the application cannot access parts of your queue manager that the application is not supposed to.
When setting up access control you must consider channel authentication rules and the MCAUSER field on a channel. Both of these features have the ability to change which user ID is being used for verifying access control rights.

For more information on access control, see Authorizing access to objects.

If you have set up a client application to connect to a specific channel with a restricted ID, but the channel has an administrator ID set in its MCAUSER field then, provided the client application connects successfully, the administrator ID is used for access control checks. Therefore, the client application will have full access rights to your queue manager.

For more information on the MCAUSER attribute, see Mapping a client user ID to an MCAUSER user ID.

Channel authentication rules can also be used as a method for controlling access to a queue manager, by setting up specific rules and criteria for a connection to be accepted.

For more information on channel authentication rules see: Channel authentication records.