Identifying and authenticating users using the MQCSP structure

You can specify the MQCSP connection security parameters structure on an MQCONNX call.

The MQCSP connection security parameters structure contains a user ID and password, which the authorization service can use to identify and authenticate the user.

You can alter the MQCSP in a security exit.

Warning: In some cases, the password in an MQCSP structure for a client application will be sent across a network in plain text. To ensure that client application passwords are protected appropriately, see MQCSP password protection.

Relationship between MQCSP and AdoptCTX settings

When connection authentication is enabled, IBM MQ authenticates the credentials passed in the MQCSP structure. Once the credentials have been authenticated successfully, IBM MQ attempts to adopt the user ID for subsequent authorization checks, provided that ADOPTCTX is enabled.

IBM MQ has a limit on the length of the user IDs that it can use for authorization checks. These limits are detailed in User IDs. When adopting a user ID passed through the MQCSP structure, IBM MQ behaves differently depending on other configuration options:
  • When using LDAP connection authentication, IBM MQ retrieves, from the user's LDAP record, the attribute named by SHORTUSR, and adopts the value of that attribute as the user ID.

    For example, if SHORTUSR is set to 'CN' and an LDAP record lists a user as 'CN=Test,SN=MQ,O=IBM,C=UK', the user ID Test is adopted.

  • When using OS connection authentication or PAM authentication, if ADOPTCTX is YES, the user ID passed through the MQCSP structure is truncated to 12 characters, the IBM MQ user ID limit, when it is adopted as the connection context.

    If ChlAuthEarlyAdopt is enabled, the truncation happens after the credentials have been authenticated.

    If ChlAuthEarlyAdopt is not enabled, the truncation happens before adoption. On Windows, if the user ID is supplied in the form user@domain, the truncation can leave a domain specification that is not valid: when the user part is shorter than 12 characters, the cut lands inside the domain part.

    For example, if the user ID `ibmmq@windowsdomain` is provided through the MQCSP, it is truncated to `ibmmq@window` in this scenario, which results in the following error:
    AMQ8074W: Authorization failed as the SID 'SID' does not match the entity 'ibmmq@window'

    Therefore, if you pass a user ID longer than 12 characters, such as a Windows domain user ID in the form user@domain, through the MQCSP, configure ChlAuthEarlyAdopt=Y in the qm.ini file to avoid this error.

    Alternatively, use ADOPTCTX(NO) on the CONNAUTH AUTHINFO configuration, and use an alternative approach such as a CHLAUTH USERMAP rule, a security exit, or the channel object MCAUSER setting to set the user ID for the channel.
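The adoption rules above can be checked before a deployment rather than discovered through AMQ8074W in the error log. The following Python script is an added example, not IBM MQ code and not part of this page's original content: it does not call the MQI, but models the rules stated here (SHORTUSR extraction from an LDAP DN for IDPWLDAP; 12-character truncation for IDPWOS, with the user@domain failure when ChlAuthEarlyAdopt is not Y) so that a candidate MQCSP user ID can be tested against a queue manager's CONNAUTH and qm.ini settings. Assumptions: the qm.ini parser is a simplified stanza/attribute reader; the fallback used when ChlAuthEarlyAdopt is absent from the Channels stanza is a parameter, not the product default; the LDAP DN is supplied by the caller instead of being looked up; and DN parsing follows RFC 4514 escaping (backslash escapes the next character). The sample qm.ini text is constructed for the example.

```python
"""Model of the MQCSP user-ID adoption rules described on this page.

Added example, not IBM MQ code. It encodes the page's rules so that a
candidate MQCSP user ID can be checked against a queue manager's
CONNAUTH configuration and qm.ini before deployment.
"""

MQ_USER_ID_MAX = 12  # user ID length limit for authorization checks (from the page)

# Constructed sample qm.ini fragment; not taken from a real queue manager.
SAMPLE_QM_INI = """\
# constructed sample for this example
Channels:
   ChlAuthEarlyAdopt=Y
   MaxChannels=200
"""


def parse_qm_ini(text):
    """Parse qm.ini into {stanza: {attribute: value}} (simplified reader).

    Stanza headers end with ':' at column 0; attributes are indented
    'Name=Value' lines; '#' starts a comment.
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1].strip()
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def chlauth_early_adopt(stanzas, default="N"):
    """True if Channels/ChlAuthEarlyAdopt is Y.

    The value used when the attribute is absent is an assumption of this
    example (the 'default' parameter); check the default for your MQ version.
    """
    value = stanzas.get("Channels", {}).get("ChlAuthEarlyAdopt", default)
    return value.strip().upper() == "Y"


def short_user_from_dn(dn, shortusr):
    """Return the value of the SHORTUSR attribute from an LDAP DN.

    Splits on unescaped ',' (between RDNs) and '+' (multi-valued RDNs);
    a backslash escapes the following character (RFC 4514 style).
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if c in ",+":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    for part in parts:
        attr, _, value = part.partition("=")
        if attr.strip().lower() == shortusr.lower():
            return value.strip()
    raise ValueError(f"attribute {shortusr!r} not present in DN {dn!r}")


def adopted_user_id(csp_user, authtype, adoptctx, early_adopt=False,
                    shortusr="cn", ldap_dn=None):
    """Return (user ID adopted for authorization, list of warnings).

    authtype is the AUTHINFO AUTHTYPE: 'IDPWLDAP' or 'IDPWOS' (OS and PAM
    share the truncation behaviour). ldap_dn is the DN that the LDAP lookup
    would return for csp_user; in this model the caller supplies it.
    """
    warnings = []
    if not adoptctx:
        # ADOPTCTX(NO): the MQCSP ID is authenticated but not adopted; the
        # channel MCAUSER, a CHLAUTH USERMAP rule or a security exit sets it.
        return None, warnings
    if authtype.upper() == "IDPWLDAP":
        if ldap_dn is None:
            raise ValueError("ldap_dn is required for IDPWLDAP")
        return short_user_from_dn(ldap_dn, shortusr), warnings
    if authtype.upper() != "IDPWOS":
        raise ValueError(f"unsupported AUTHTYPE {authtype!r}")

    if len(csp_user) <= MQ_USER_ID_MAX:
        return csp_user, warnings
    truncated = csp_user[:MQ_USER_ID_MAX]
    if "@" in csp_user and not early_adopt:
        # Truncated before adoption: the domain part is no longer valid.
        warnings.append(
            f"{csp_user!r} is truncated to {truncated!r} before adoption; "
            "the domain specification is not valid (expect AMQ8074W). "
            "Set ChlAuthEarlyAdopt=Y in the Channels stanza of qm.ini, or use "
            "ADOPTCTX(NO) with a CHLAUTH USERMAP rule, security exit or MCAUSER."
        )
    elif "@" not in csp_user:
        warnings.append(f"{csp_user!r} is truncated to {truncated!r} for authorization checks.")
    # With ChlAuthEarlyAdopt=Y the full ID is authenticated first, then truncated.
    return truncated, warnings


if __name__ == "__main__":
    ini = parse_qm_ini(SAMPLE_QM_INI)
    for early in (False, chlauth_early_adopt(ini)):
        uid, warns = adopted_user_id("ibmmq@windowsdomain", "IDPWOS", True, early_adopt=early)
        print(f"ChlAuthEarlyAdopt={'Y' if early else 'N'}: adopted {uid!r}; warnings: {warns}")
    print(adopted_user_id("test", "IDPWLDAP", True, shortusr="CN",
                          ldap_dn="CN=Test,SN=MQ,O=IBM,C=UK"))
```

Run it against your own qm.ini text and the AUTHTYPE, ADOPTCTX and SHORTUSR values from DISPLAY AUTHINFO to see which ID would be adopted for a given client user ID; a warning from the IDPWOS path is the case the page describes, where ChlAuthEarlyAdopt=Y or ADOPTCTX(NO) with an explicit mapping is needed.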