MQ Light client identification, authorization, and authentication

Like other IBM MQ client applications, AMQP connections can be secured in a number of ways. The security features that apply to AMQP connections to IBM MQ are TLS (with or without client certificates), connection authentication (CONNAUTH) of a user name and password, channel authentication (CHLAUTH) rules, the channel MCAUSER, an optional JAAS module, and the authority checks that IBM MQ applies to the resulting MQ user ID.

From a security perspective, establishing a connection consists of the following two steps:

  • Deciding whether the connection should continue
  • Deciding which IBM MQ identity the application assumes for later authority checks

The following information outlines different IBM MQ configurations and the steps that are worked through when an AMQP client tries to make a connection. Not all IBM MQ configurations use all of the steps described. For example, some configurations do not use TLS for connections inside the company firewall, and some configurations use TLS but do not use client certificates for authentication. Many environments do not use a custom JAAS module at all.


Establishing a connection

The following steps describe what happens when a connection is being established by an AMQP client. The steps determine whether the connection continues and which IBM MQ identity the application assumes for authority checks:

  1. If the client opens a TLS connection to IBM MQ and provides a certificate, the queue manager attempts to validate the client certificate.
  2. If the client provides user name and password credentials, the queue manager receives them in an AMQP SASL frame and checks them according to the MQ CONNAUTH configuration.
  3. MQ channel authentication (CHLAUTH) rules are checked (for example, whether the client IP address and TLS certificate DN are allowed, and whether they map to a particular user ID).
  4. The channel MCAUSER is asserted, unless a channel authentication rule determines otherwise.
  5. If a JAAS module has been configured, it is invoked.
  6. The MQ CONNECT authority check is applied to the resulting MQ user ID.
  7. The connection is established with the assumed IBM MQ identity.


Publishing a message

The following steps describe what happens when an AMQP client publishes a message. They determine whether the publish is permitted, using the IBM MQ identity that was established when the connection was made:

  1. An AMQP link attach frame arrives at the queue manager. IBM MQ publish authority for the specified topic string is checked for the MQ user identity established during connection.
  2. If the check succeeds, the message is published to the specified topic string.


Subscribing to a topic pattern

The following steps describe what happens when an AMQP client subscribes to a topic pattern. They determine whether the subscription is permitted, using the IBM MQ identity that was established when the connection was made:

  1. An AMQP link attach frame arrives at the queue manager. IBM MQ subscribe authority for the specified topic pattern is checked for the MQ user identity established during connection.
  2. If the check succeeds, the subscription is created.
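The following MQSC script is an added example, not configuration from this page or from IBM; it shows one way to set up the connection steps above (TLS, CONNAUTH, CHLAUTH, MCAUSER, CONNECT authority) together with the topic authority that the publish and subscribe link attach checks rely on. The channel name APP.AMQP.CHANNEL, the AUTHINFO name APP.IDPWOS, the OS user ID app1, the certificate DN CN=app1,O=Example, the topic object APP.TOPIC with topic string APP/, and the client address 192.0.2.10 are assumptions for illustration. It also assumes that app1 exists as an operating system user on the queue manager host, and that a matching SSLPEERMAP rule takes precedence over the ADDRESSMAP catch-all, so confirm rule precedence and attribute names against the MQSC reference for the installed IBM MQ version before using it.

```mqsc
* Added example: walk an AMQP client through the connection steps above.
* All names (APP.AMQP.CHANNEL, APP.IDPWOS, app1, the DN, APP.TOPIC) are
* assumptions for illustration, not values from the original page.

* Step 1: TLS on the AMQP channel. SSLCAUTH(OPTIONAL) validates a client
* certificate if one is presented; SSLCAUTH(REQUIRED) would instead reject
* any client that presents none.
DEFINE CHANNEL('APP.AMQP.CHANNEL') CHLTYPE(AMQP) PORT(5672) +
       SSLCIPH(ECDHE_RSA_AES_128_GCM_SHA256) SSLCAUTH(OPTIONAL) +
       MCAUSER('nobody') REPLACE

* Step 2: CONNAUTH. CHCKCLNT(REQUIRED) means every client must supply a
* user name and password (carried in the AMQP SASL frame), which are
* checked against the operating system (IDPWOS).
DEFINE AUTHINFO('APP.IDPWOS') AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) REPLACE
ALTER QMGR CONNAUTH('APP.IDPWOS')
REFRESH SECURITY TYPE(CONNAUTH)

* Steps 3 and 4: CHLAUTH rules decide the identity or refuse the connection.
* A client whose certificate DN matches is mapped to app1 (so the channel
* MCAUSER 'nobody' is never asserted for it); every other connection on
* this channel is refused by the ADDRESSMAP catch-all.
SET CHLAUTH('APP.AMQP.CHANNEL') TYPE(SSLPEERMAP) +
    SSLPEER('CN=app1,O=Example') USERSRC(MAP) MCAUSER('app1') ACTION(REPLACE)
SET CHLAUTH('APP.AMQP.CHANNEL') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) ACTION(REPLACE)
* Keep the default rule that blocks MQ administrators on all channels.
SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN') ACTION(REPLACE)

* Step 6: CONNECT authority for the resulting MQ user ID.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('app1') AUTHADD(CONNECT)

* Publish and subscribe: topic authority is checked at link attach for the
* identity established above. APP.TOPIC covers topic strings under APP/.
DEFINE TOPIC('APP.TOPIC') TOPICSTR('APP/') REPLACE
SET AUTHREC PROFILE('APP.TOPIC') OBJTYPE(TOPIC) PRINCIPAL('app1') AUTHADD(PUB,SUB)

* Check before admitting real clients: ask the queue manager which CHLAUTH
* rule a connection with this address, DN and user ID would hit.
DISPLAY CHLAUTH('APP.AMQP.CHANNEL') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') SSLPEER('CN=app1,O=Example') CLNTUSER('app1')

START CHANNEL('APP.AMQP.CHANNEL')
```

Run the script with runmqsc against the queue manager. The DISPLAY CHLAUTH ... MATCH(RUNCHECK) command is the useful check here: it reports the rule that would apply to the given address, certificate DN and client user ID, so a wrong DN or a catch-all rule that shadows the mapping is caught before an AMQP client connects. Because the CHLAUTH mapping fixes the identity as app1 regardless of the user name sent in the SASL frame, the CONNAUTH check in step 2 still has to pass, but the later CONNECT and topic authority checks are always made against app1.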