
MQ Light client authentication using a password

Authenticate the MQ Light user name using the client password. The client can be authenticated using a different identity from the one used to authorize it to publish and subscribe to topics.

The AMQP service can use MQ CONNAUTH or JAAS to authenticate the client user name. If one of these is configured, the password provided by the client is verified by the MQ CONNAUTH configuration or the JAAS module.

The following procedure outlines example steps to authenticate individual users against the local OS users and passwords and, if successful, adopt the common identity AMQPUser:
  1. The IBM MQ administrator sets the AMQP channel MCAUSER identity to any name, such as AMQPUser, using IBM MQ Explorer.
  2. The IBM MQ administrator authorizes AMQPUser to publish and subscribe to any topic:
    setmqaut -m QM1 -t topic -n SYSTEM.BASE.TOPIC -p AMQPUser -all +pub +sub +connect
    
  3. The IBM MQ administrator configures an IDPWOS CONNAUTH rule to check the user name and password presented by the client. The CONNAUTH rule should set CHCKCLNT(REQUIRED) and ADOPTCTX(NO).
Note: It is recommended that you use channel authentication rules and set the MCAUSER channel attribute to a user who has no privileges, to allow more control over connections to the queue manager.
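
Steps 1 and 3 of the procedure written as MQSC commands, as an added example that is not part of the original page. The channel name MY.AMQP.CHANNEL and the authentication object name AMQP.IDPWOS are assumed names; QM1 and AMQPUser come from the procedure above.

```mqsc
* Added example; run with: runmqsc QM1
* MY.AMQP.CHANNEL and AMQP.IDPWOS are assumed names, not from the page.

* Step 1: every AMQP client on this channel is authorized as AMQPUser.
* Quote the value so MQSC does not fold it to upper case.
ALTER CHANNEL(MY.AMQP.CHANNEL) CHLTYPE(AMQP) MCAUSER('AMQPUser')

* Step 3: check client credentials against local OS users.
* CHCKCLNT(REQUIRED): a client that sends no user name and password
* is rejected.
* ADOPTCTX(NO): the authenticated user is not adopted for authorization,
* so authority checks run against the channel MCAUSER instead.
DEFINE AUTHINFO(AMQP.IDPWOS) AUTHTYPE(IDPWOS) +
       CHCKCLNT(REQUIRED) ADOPTCTX(NO) REPLACE

* Point the queue manager at the rule and load it.
ALTER QMGR CONNAUTH(AMQP.IDPWOS)
REFRESH SECURITY TYPE(CONNAUTH)

* Verify what is active.
DISPLAY QMGR CONNAUTH
DISPLAY AUTHINFO(AMQP.IDPWOS) CHCKCLNT ADOPTCTX
DISPLAY CHANNEL(MY.AMQP.CHANNEL) CHLTYPE(AMQP) MCAUSER
```

CONNAUTH is a queue manager attribute, so CHCKCLNT(REQUIRED) then applies to every client connection to QM1, not only to AMQP clients.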