Question & Answer
Question
How to specify userid and password when connecting to IBM MQ?
Cause
IBM MQ v8 and later include the Connection Authentication (CONNAUTH) feature, which allows a user's password to be checked when connecting to IBM MQ.
IBM MQ 9.3: Connection Authentication: Configuration
Answer
The MQCSP (IBM MQ connection security parameters) structure lets an application pass a specific user ID and password when connecting to IBM MQ. The MQCSP structure was introduced in WebSphere IBM MQ V6. MQCSP allows long (> 12 characters) user IDs and passwords for user authentication. The credentials are checked (authenticated) when the CONNAUTH configuration is set to check the password, i.e. CHCKLOCL or CHCKCLNT set to OPTIONAL, REQUIRED or REQDADM.
- If NOT using MQCSP, there is a limit on the number of characters for the user ID and password (12 characters for Unix/Linux). Ensure you use MQCSP to handle longer passwords.
The following provides examples and information on how to pass a user ID and password in different cases and how to ensure you use MQCSP.
For runmqsc:
To specify userid/password for runmqsc, you must use the '-u [userid]' option.
Note: If you have configured the CONNAUTH AUTHINFO record with CHCKLOCL(REQUIRED) or CHCKLOCL(REQDADM), you must use the -u parameter; otherwise you will not be able to administer your queue manager with runmqsc.
https://www.ibm.com/docs/en/ibm-mq/9.3?topic=reference-runmqsc-run-mqsc-commands
runmqsc (run MQSC commands)
For some MQ sample programs (amqsputc, amqsgetc, amqsbcg, etc.):
Several IBM MQ sample programs use an environment variable named MQSAMP_USER_ID, which should be set to the user ID to be used for connection authentication.
When this is set, the program will prompt for a password to accompany that user ID.
Example Windows:
set MQSAMP_USER_ID=user123
amqsputc
Example Unix/Linux:
export MQSAMP_USER_ID=user123
amqsputc
https://www.ibm.com/docs/en/ibm-mq/9.3?topic=programs-running-put-sample
Running the Put sample programs
Running the amqsput and amqsputc samples
Connection authentication with the Java/JMS client:
- In IBM MQ classes for Java, set the property MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY to true in the properties hashtable that is passed to the com.ibm.mq.MQQueueManager constructor.
- In IBM MQ classes for JMS, set the property JmsConstants.USER_AUTHENTICATION_MQCSP to true, on the appropriate connection factory before creating the connection.
- Globally, set the JVM system property com.ibm.mq.cfg.jmqi.useMQCSPauthentication to a value indicating true, for example, by adding -Dcom.ibm.mq.cfg.jmqi.useMQCSPauthentication=Y to the command line.
https://www.ibm.com/docs/en/ibm-mq/9.3?topic=authentication-connection-java-client
Connection authentication with the Java client
Old (pre-IBM MQ v8) Java clients send the user ID and password only in the MQCD, which has a 12-character limit. Ensure you are using a later IBM MQ Java client and that you enable MQCSP as described above.
From IBM MQ 9.2.1, if a user ID and password are specified, MQCSP authentication is used by default.
In versions earlier than IBM MQ 9.2.1, if a user ID and password are specified, the default mode is as follows:
- MQCSP authentication is used by default by applications that use IBM MQ classes for Java.
- Compatibility mode is used by default by applications that use IBM MQ classes for JMS.
How to specify a userid and a password in MQ Explorer:
See Chapter 3 for using the MQCSP structure:
(do NOT enable the checkbox for "User identification compatibility mode")
These are the chapters:
Chapter 1: Setup of a connection for a remote queue manager
Chapter 2: Specifying userid and password using the default compatibility mode ("User identification compatibility mode" - checkbox enabled by default)
Chapter 3: Specifying userid and password using MQCSP Authentication mode (NOT using "User identification compatibility mode" - need to disable the checkbox)
User identification for MQ Explorer
Using a user ID and password from WebSphere Application Server to WebSphere MQ via a J2C authentication alias:
Enterprise applications, the WebSphere Application Server WebSphere MQ messaging provider connection factories and Authentication Aliases explained
Old applications which did not provide userid and password:
The suggestion would be to update the applications to provide userid and password (see below.)
If your application cannot be modified, possibly a security exit can be utilized or created.
IBM provides a client-side channel security exit called mqccred which can possibly be used.
There is also a link to a step-by-step example of using mqccred; see:
https://www.ibm.com/docs/en/ibm-mq/9.3?topic=ca-client-side-security-exit-insert-user-id-password-mqccred
Client side security exit to insert user ID and password (mqccred)
To modify/develop applications to enable passing userid and password:
Application examples for connection authentication:
MQI/C program:
An application that uses the MQI to connect to a queue manager should use the MQCONNX call and the MQCSP structure. Sample C code for connection authentication:
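#include <string.h>   /* strlen */
#include <cmqc.h>     /* MQI definitions: MQCNO, MQCSP, MQCONNX */
int main(void)
{
    char *QMName = "queue_manager";
    char *Userid = "user_id";
    char *Password = "password";
    MQHCONN Hcon;               /* connection handle returned by MQCONNX */
    MQLONG CompCode, CReason;   /* completion code and reason code */
    MQCNO cno = {MQCNO_DEFAULT};
    MQCSP csp = {MQCSP_DEFAULT};
    /* SecurityParmsPtr is only honoured from MQCNO version 5 onwards */
    cno.SecurityParmsPtr = &csp;
    cno.Version = MQCNO_VERSION_5;
    csp.AuthenticationType = MQCSP_AUTH_USER_ID_AND_PWD;
    csp.CSPUserIdPtr = Userid;
    csp.CSPUserIdLength = (MQLONG)strlen(Userid);
    csp.CSPPasswordPtr = Password;
    csp.CSPPasswordLength = (MQLONG)strlen(Password);
    MQCONNX(QMName, &cno, &Hcon, &CompCode, &CReason);
    return (CompCode == MQCC_FAILED) ? 1 : 0;
}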
Object-oriented languages:
In object-oriented languages such as the Java classes, properties are set before connecting to the queue manager. Java code fragment for connection authentication:
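import java.util.Hashtable;
import com.ibm.mq.MQQueueManager;
import com.ibm.mq.constants.MQConstants;

String QMName = "queue_manager";
String Userid = "user_id";
String Password = "password";
Hashtable<String, Object> h = new Hashtable<String, Object>();
h.put(MQConstants.USER_ID_PROPERTY, Userid);
h.put(MQConstants.PASSWORD_PROPERTY, Password);
// Send the credentials in the MQCSP structure
h.put(MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY, true);
MQQueueManager qMgr = new MQQueueManager(QMName, h);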
Alternatively, the MQEnvironment class can be used:
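import java.util.Hashtable;
import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQQueueManager;

String QMName = "queue_manager";
String Userid = "user_id";
String Password = "password";
MQEnvironment.properties = new Hashtable<String, Object>();
// Static fields: they apply to every MQQueueManager created afterwards
MQEnvironment.userID = Userid;
MQEnvironment.password = Password;
MQQueueManager qMgr = new MQQueueManager(QMName);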
JMS & XMS: The connection methods take user ID and password parameters:
connectionFactory.createConnection(Userid, Password);
If using a connection factory:
import javax.jms.Connection;
import javax.jms.JMSException;
import com.ibm.msg.client.jms.JmsConnectionFactory;
import com.ibm.msg.client.jms.JmsFactoryFactory;
import com.ibm.msg.client.wmq.WMQConstants;

Connection connection = null;
try {
    // Create a connection factory
    JmsFactoryFactory ff = JmsFactoryFactory.getInstance(WMQConstants.WMQ_PROVIDER);
    JmsConnectionFactory cf = ff.createConnectionFactory();
    // Set the properties
    cf.setStringProperty(WMQConstants.WMQ_HOST_NAME, "localhost");
    cf.setIntProperty(WMQConstants.WMQ_PORT, 1414);
    cf.setStringProperty(WMQConstants.WMQ_CHANNEL, "MYCHANNEL");
    cf.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT);
    cf.setStringProperty(WMQConstants.WMQ_QUEUE_MANAGER, "QM1");
    cf.setStringProperty(WMQConstants.USERID, "user123");
    cf.setStringProperty(WMQConstants.PASSWORD, "passw0rd");
    // Send the credentials in the MQCSP structure instead of compatibility mode
    cf.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true);
    // Make the connection
    connection = cf.createConnection();
}
catch (JMSException jmsex) {
    System.out.println(jmsex);
}
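Because JMS clients earlier than IBM MQ 9.2.1 default to compatibility mode, the following added example (not IBM's code and not part of the original page) sets MQCSP explicitly, takes the password at run time instead of hard-coding it, and reports an authorization failure (reason code 2035, MQRC_NOT_AUTHORIZED) separately from other errors. The class name MqcspConnect and the environment variable MQ_APP_USER are hypothetical, the javax.jms API is assumed, and the host, port, channel and queue manager are the page's sample values.

```java
import java.io.Console;
import java.util.Arrays;
import javax.jms.Connection;
import javax.jms.JMSException;
import com.ibm.mq.MQException;
import com.ibm.mq.constants.MQConstants;
import com.ibm.msg.client.jms.JmsConnectionFactory;
import com.ibm.msg.client.jms.JmsFactoryFactory;
import com.ibm.msg.client.wmq.WMQConstants;
public class MqcspConnect {
    public static void main(String[] args) {
        // MQ_APP_USER is a hypothetical variable name chosen for this example.
        String user = System.getenv("MQ_APP_USER");
        Console console = System.console();
        if (user == null || console == null) {
            System.err.println("Set MQ_APP_USER and run from an interactive terminal");
            System.exit(2);
        }
        // Prompt without echo so the password is not in source, argv or shell history.
        char[] password = console.readPassword("Password for %s: ", user);
        if (password == null) { System.exit(2); } // end of input, nothing was typed
        Connection connection = null;
        try {
            JmsFactoryFactory ff = JmsFactoryFactory.getInstance(WMQConstants.WMQ_PROVIDER);
            JmsConnectionFactory cf = ff.createConnectionFactory();
            cf.setStringProperty(WMQConstants.WMQ_HOST_NAME, "localhost");
            cf.setIntProperty(WMQConstants.WMQ_PORT, 1414);
            cf.setStringProperty(WMQConstants.WMQ_CHANNEL, "MYCHANNEL");
            cf.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT);
            cf.setStringProperty(WMQConstants.WMQ_QUEUE_MANAGER, "QM1");
            // Set explicitly: JMS clients earlier than 9.2.1 default to compatibility mode.
            cf.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true);
            connection = cf.createConnection(user, new String(password));
            System.out.println("Connected as " + user + " using MQCSP authentication");
        } catch (JMSException jmsex) {
            Exception linked = jmsex.getLinkedException();
            if (linked instanceof MQException
                    && ((MQException) linked).reasonCode == MQConstants.MQRC_NOT_AUTHORIZED) {
                // The client only sees 2035; the queue manager error log records the reason.
                System.err.println("Not authorized (2035) for user " + user);
            } else {
                System.err.println("Connection failed: " + jmsex);
            }
        } finally {
            Arrays.fill(password, '\0'); // clears our copy; the String given to JMS cannot be cleared
            if (connection != null) { try { connection.close(); } catch (JMSException ignored) { } }
        }
    }
}
```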
Document Information
Modified date: 15 November 2023
UID: ibm16198838