Security considerations when using the MQ Service Provider
There are two sets of security considerations for the MQ Service Provider.
- Whether a given user can submit RESTful requests to MQ Service Provider services exposed by z/OS® Connect.
- Whether a given MQ Service Provider service is authorized to access the queue manager and its resources.
Whether a given user can submit RESTful requests to MQ Service Provider services exposed from z/OS Connect
This is controlled by configuration in the server.xml file of z/OS Connect.
For z/OS Connect EE, see Configure security for z/OS Connect EE.
For z/OS Connect V1, see Configure security for z/OS Connect.
Whether a given MQ Service Provider service is authorized to access the queue manager and its resources
The MQ Service Provider is fundamentally a JMS application, based on the IBM MQ messaging provider that comes with WLP, that connects to one or more queue managers using bindings mode connections.
As a result, the MQ Service Provider can be secured in the same way as other applications that share these traits. This topic describes these similarities and points out the differences.
As the MQ Service Provider is a bindings application, it connects to a queue manager and presents a user ID and optional password. These are optionally validated using Connection authentication.
If valid, the user is allowed to connect depending on the security configuration of the queue manager. See Set up security on z/OS for more information.
Configuration attributes on the mqzOSConnectService element, and on the properties.wmqJms sub-element of the jmsConnectionFactory element in server.xml, determine which user ID, and optional password, are presented to the queue manager.
The various possibilities are detailed in the following table.
Attention: There is a precedence order amongst the security configuration properties. mqzOSConnectService attributes override properties.wmqJms attributes, and the useCallerPrincipal attribute overrides all other attributes.
Both password attributes can be provided in plain text or encoded format. You should use the encoded format, as anyone with read access to server.xml can otherwise view the password in plain text.
Both versions of z/OS Connect ship with a tool called securityUtility which can be used to encode passwords. See Liberty: securityUtility command for more information.
mqzOSConnectService useCallerPrincipal | mqzOSConnectService userName and password | properties.wmqJms userName | properties.wmqJms password | Result
---|---|---|---|---
not set/false | not set/blank | not set/blank | not set/blank | The user name associated with the z/OS Connect address space is presented to the queue manager for authorization and authentication purposes. No password is presented.
not set/false | not set/blank | set | not set/blank | The user name on the properties.wmqJms element is presented to the queue manager for authorization and authentication purposes. No password is presented.
not set/false | not set/blank | set | set | The user name and password on the properties.wmqJms element are presented to the queue manager for authorization and authentication purposes.
not set/false | both values set | ignored if set | ignored if set | The user name and password on the mqzOSConnectService element are presented to the queue manager for authorization and authentication purposes.
true | ignored if set | ignored if set | ignored if set | The user principal that has been authenticated to z/OS Connect is taken, and its user name is presented to the queue manager for authorization and authentication purposes. No password is presented. For z/OS Connect EE, see Configure security for z/OS Connect EE; for z/OS Connect Version 1, see Configure security for z/OS Connect.
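The precedence rules in the table can be checked mechanically before a server.xml goes live. The following added example (not IBM's code; the service ids, the jndiName values and the placeholder password strings are constructed for illustration) parses both the V1 and EE service element names, follows the connectionFactory reference to the matching jmsConnectionFactory, reports which identity each service will present to the queue manager, and flags passwords that are not in securityUtility encoded form.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (V1 and EE service element names); passwords are placeholders.
SAMPLE_SERVER_XML = """<server>
  <mqzOSConnectService id="svc1" connectionFactory="jms/sampleCF1" userName="bill" password="{aes}PLACEHOLDER"/>
  <mqzosconnect_mqzOSConnectService id="svc2" connectionFactory="jms/sampleCF1" useCallerPrincipal="true"/>
  <mqzOSConnectService id="svc3" connectionFactory="jms/sampleCF2"/>
  <jmsConnectionFactory id="cf1" jndiName="jms/sampleCF1">
    <properties.wmqJms transportType="BINDINGS" userName="matt" password="{xor}PLACEHOLDER"/>
  </jmsConnectionFactory>
  <jmsConnectionFactory id="cf2" jndiName="jms/sampleCF2">
    <properties.wmqJms transportType="BINDINGS" userName="ops" password="plaintext-secret"/>
  </jmsConnectionFactory>
</server>"""

SERVICE_TAGS = ("mqzOSConnectService", "mqzosconnect_mqzOSConnectService")

def resolve_identity(service, factory_props):
    """Precedence: useCallerPrincipal, then mqzOSConnectService userName/password,
    then properties.wmqJms, then the z/OS Connect address space user."""
    warnings = []
    if service.get("useCallerPrincipal", "false").lower() == "true":
        return "caller principal", None, None, warnings
    svc_user, svc_pw = service.get("userName"), service.get("password")
    if svc_user and svc_pw:
        source, user, pw = "mqzOSConnectService", svc_user, svc_pw
    else:
        if svc_user or svc_pw:  # the documented rule needs both values set
            warnings.append("only one of userName/password set on service; ignored")
        user = factory_props.get("userName") or None
        pw = (factory_props.get("password") or None) if user else None
        source = "properties.wmqJms" if user else "address space user"
    # securityUtility encode output starts with {aes} or {xor}; anything else is plain text
    if pw and not pw.startswith(("{aes}", "{xor}")):
        warnings.append("password is plain text; encode it with securityUtility")
    return source, user, pw, warnings

def audit(server_xml):
    # Map every service id to (source, userName, password, warnings).
    root = ET.fromstring(server_xml)
    factories = {}
    for cf in root.iter("jmsConnectionFactory"):
        props = next((c for c in cf if c.tag == "properties.wmqJms"), None)
        factories[cf.get("jndiName")] = dict(props.attrib) if props is not None else {}
    report = {}
    for tag in SERVICE_TAGS:
        for svc in root.iter(tag):
            props = factories.get(svc.get("connectionFactory"), {})
            report[svc.get("id")] = resolve_identity(svc, props)
    return report
```

A service whose connectionFactory has no matching jmsConnectionFactory, or whose factory sets no userName, falls through to the address space user row of the table.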
Examples
This example shows a one-way service where both the connection factory and the mqzOSConnectService specify a userID and password. In both cases the passwords are encoded. Because of the precedence order, the userID and password defined on the mqzOSConnectService definition are the ones presented to the queue manager.
z/OS Connect V1

```xml
<zosConnectService id="samplezOSConnectService1"
    invokeURI="/samplezOSConnectService1"
    serviceName="samplezOSConnectService1_name"
    serviceRef="samplezOSConnectService1_MQ" />
<mqzOSConnectService id="samplezOSConnectService1_MQ"
    connectionFactory="jms/sampleCF1"
    userName="bill"
    password="{aes}AJ+DdZ+1uOKEG5KIwUz4LvHBAQ8nTd3y8K8HAIt+48Tt"
    destination="jms/sampleQ1" />
<jmsConnectionFactory id="sampleCF1" jndiName="jms/sampleCF1"
    connectionManagerRef="sampleCF2ConnectionManager1">
  <properties.wmqJms transportType="BINDINGS" queueManager="MQ21"
      userName="matt" password="{xor}GBMeEg9uERg=" />
</jmsConnectionFactory>
<jmsQueue id="sampleQ1" jndiName="jms/sampleQ1">
  <properties.wmqJms baseQueueName="SampleQ1"/>
</jmsQueue>
```

z/OS Connect EE

```xml
<zosconnect_zosConnectService id="samplezOSConnectService1"
    invokeURI="/samplezOSConnectService1"
    serviceName="samplezOSConnectService1_name"
    serviceRef="samplezOSConnectService1_MQ" />
<mqzosconnect_mqzOSConnectService id="samplezOSConnectService1_MQ"
    connectionFactory="jms/sampleCF1"
    userName="bill"
    password="{aes}AJ+DdZ+1uOKEG5KIwUz4LvHBAQ8nTd3y8K8HAIt+48Tt"
    destination="jms/sampleQ1" />
<jmsConnectionFactory id="sampleCF1" jndiName="jms/sampleCF1"
    connectionManagerRef="sampleCF2ConnectionManager1">
  <properties.wmqJms transportType="BINDINGS" queueManager="MQ21"
      userName="matt" password="{xor}GBMeEg9uERg=" />
</jmsConnectionFactory>
<jmsQueue id="sampleQ1" jndiName="jms/sampleQ1">
  <properties.wmqJms baseQueueName="SampleQ1"/>
</jmsQueue>
```
This example shows a one-way service definition that uses the same JMS objects (the queue sampleQ1 and the connection factory sampleCF1) as the first example. The principal that is authenticated to z/OS Connect is presented to the queue manager because useCallerPrincipal="true" is specified; the userName and password on the connection factory are ignored.
z/OS Connect V1

```xml
<zosConnectService id="samplezOSConnectService2"
    invokeURI="/samplezOSConnectService2"
    serviceName="samplezOSConnectService2_name"
    serviceRef="samplezOSConnectService2_MQ" />
<mqzOSConnectService id="samplezOSConnectService2_MQ"
    connectionFactory="jms/sampleCF1"
    destination="jms/sampleQ1"
    useCallerPrincipal="true" />
```

z/OS Connect EE

```xml
<zosconnect_zosConnectService id="samplezOSConnectService2"
    invokeURI="/samplezOSConnectService2"
    serviceName="samplezOSConnectService2_name"
    serviceRef="samplezOSConnectService2_MQ" />
<mqzosconnect_mqzOSConnectService id="samplezOSConnectService2_MQ"
    connectionFactory="jms/sampleCF1"
    destination="jms/sampleQ1"
    useCallerPrincipal="true" />
```