Securing AMQP clients
We use a range of security mechanisms to secure connections from AMQP clients and ensure data is suitably protected on the network. We can build security into your MQ Light applications. We can also use existing security features of IBM MQ with AMQP clients, in the same way that the features are used for other applications.
Channel authentication rules (CHLAUTH)
We can use channel authentication rules to restrict the TCP connections to a queue manager. AMQP channels support the use of channel authentication rules that you configure for your queue manager. If channel authentication rules are defined with a profile that matches any AMQP channels on your queue manager, these rules are applied to those channels. By default, channel authentication is enabled on new IBM MQ queue managers so you must complete at least some configuration before we can use an AMQP channel.
For more information about how to configure channel authentication rules to allow AMQP connections to your queue manager, see Creating and using AMQP channels.
Connection authentication (CONNAUTH)
We can use connection authentication to authenticate connections to a queue manager. AMQP channels support the use of connection authentication to control access to the queue manager from AMQP applications.
The AMQP protocol uses the SASL (Simple Authentication and Security Layer) framework to specify how a connection is authenticated. There are various SASL mechanisms and IBM MQ supports two SASL mechanisms: ANONYMOUS and PLAIN.
In the case of ANONYMOUS, no credentials are passed from the client to the queue manager for authentication. If the MQ AUTHINFO object specified in the CONNAUTH attribute has a CHCKCLNT value of REQUIRED or REQDADM (if connecting as an administrative user), the connection is refused. If the value of CHCKCLNT is NONE or OPTIONAL, the connection is accepted.
In the case of PLAIN, a user name and password are passed from the client to the queue manager for authentication. If the MQ AUTHINFO object specified in the CONNAUTH attribute has a CHCKCLNT value of NONE, the connection is refused. If the value of CHCKCLNT is OPTIONAL, REQUIRED, or REQDADM (if connecting as an administrative user), the user name and password is checked by the queue manager. The queue manager checks the operating system (if the AUTHINFO object is of type IDPWOS) or an LDAP repository (if the AUTHINFO object is of type IDPWLDAP).
The following table summarizes this authentication behavior:| SASL mechanism | Credentials passed from client to queue manager? | CHKCLNT value |
|---|---|---|
| ANONYMOUS | No |
REQUIRED or REQDADM - connection refused NONE or OPTIONAL - connection accepted |
| PLAIN | Yes, user name and password |
REQUIRED, REQDADM, or OPTIONAL - user name and password checked by the queue manager NONE - connection refused |
amqp://mwhitehead:mYp4ssw0rd@localhost:5672/sports/football
MCAUSER setting on a channel
AMQP channels have an MCAUSER attribute, which we can use to set the IBM MQ user ID that all connections to that channel are authorized under. All connections from AMQP clients to that channel adopt the MCAUSER ID we have configured. That user ID is used for authorization of messaging on different topics.
You are recommended to use channel authentication (CHLAUTH) to secure connections to queue managers. If you are using channel authentication, you are recommended to configure the value of MCAUSER to a non-privileged user. This ensures that if a connection to a channel is not matched by a CHLAUTH rule, the connection is not authorized to perform any messaging on the queue manager.Note: On Windows, the MCAUSER user ID setting is only supported for user IDs up to 12 characters in length.SSL/TLS support
AMQP channels support SSL/TLS encryption using keys from the key repository configured for your queue manager. AMQP channel configuration options for SSL/TLS encryption support the same options as other types of MQ channel; we can specify a cipher specification and whether the queue manager requires certificates from AMQP client connections.
By using the FIPS attributes of the queue manager we can control the SSL/TLS cipher suites, which we can use to secure connections from AMQP clients.
For information about how to set up a key repository for the queue manager see Working with SSL or TLS on UNIX, Linux and Windows systems.
For information about how to configure SSL/TLS support for an AMQP client connection, see Creating and using AMQP channels.
Java Authentication and Authorization Service (JAAS)
We can optionally configure AMQP channels with a JAAS login module, which can check the user name and password provided by an AMQP client. See Configure JAAS for AMQP channels.