Access control for clients

Access control is based on user IDs. There can be many user IDs to administer, and user IDs can be in different formats. We can set the server-connection channel property MCAUSER to a special user ID value for use by clients.

Access control in IBM MQ is based on user IDs. The user ID of the process making MQI calls is normally used. For MQ MQI clients, the server-connection MCA makes MQI calls on behalf of MQ MQI clients. We can select an alternative user ID for the server-connection MCA to use for making MQI calls. The alternative user ID can be associated either with the client workstation, or with anything you choose to organize and control the access of clients. The user ID needs to have the necessary authorities allocated to it on the server to issue MQI calls. Choosing an alternative user ID is preferable to allowing clients to make MQI calls with the authority of the server-connection MCA.

Table 1. The user ID used by a server-connection channel

User ID: The user ID that is set by a security exit
  When used: Used unless blocked by a CHLAUTH TYPE(BLOCKUSER) rule. See the following section, Set the user ID in a security exit, for more information.

User ID: The user ID that is set by a CHLAUTH rule
  When used: Used unless overridden by a security exit. See Channel Authentication Records for more information.

User ID: The user ID that is defined in the MCAUSER attribute in the SVRCONN channel definition
  When used: Used unless overridden by a security exit or a CHLAUTH rule.

User ID: The user ID that is flowed from the client machine
  When used: Used when no user ID is set by any other means.

User ID: The user ID that started the server-connection channel
  When used: Used when no user ID is set by any other means and no client user ID is flowed. See the following section, The user ID that runs the channel program, for more information.

Because the server-connection MCA makes MQI calls on behalf of remote users, it is important to consider the security implications of the server-connection MCA issuing MQI calls on behalf of remote clients, and how to administer the access of a potentially large number of users.


Set the user ID in a security exit

For IBM MQ MQI clients, the process that issues the MQI calls is the server-connection MCA. The user ID used by the server-connection MCA is contained in either the MCAUserIdentifier or LongMCAUserIdentifier fields of the MQCD. The contents of these fields are set by:

The security exit can override the values that are visible to it when it is invoked.

The IBM MQ client does not flow the asserted user ID to the server when a client-side security exit is in use.


The user ID that runs the channel program

When the user ID fields are derived from the user ID that started the server-connection channel, the following value is used:

If any server-connection channel definitions exist that have the MCAUSER attribute set to blank, clients can use that channel definition to connect to the queue manager with access authority determined by the user ID supplied by the client. This might be a security exposure if the system on which the queue manager is running allows unauthorized network connections. The IBM MQ default server-connection channel (SYSTEM.DEF.SVRCONN) has the MCAUSER attribute set to blank. To prevent unauthorized access, update the MCAUSER attribute of the default definition with a user ID that has no access to IBM MQ objects.


Case of user IDs

When you define a channel with runmqsc, the MCAUSER attribute is changed to uppercase unless the user ID is contained within single quotation marks.
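The following runmqsc commands are an added example, not part of the original page or of the IBM MQ product documentation. They put together the two points above: closing the blank-MCAUSER exposure on SYSTEM.DEF.SVRCONN, and using single quotation marks so that a lowercase user ID is stored as typed. The channel name APP1.SVRCONN, the user IDs nobody and app1user, and the address range 192.0.2.* are placeholders chosen for the example; nobody is assumed to be a user ID with no authority to IBM MQ objects.

```mqsc
* Added example (not from the page). Names and addresses are placeholders.
* Lines beginning with an asterisk are comments to runmqsc.

* 1. Close the default exposure: the shipped SYSTEM.DEF.SVRCONN has MCAUSER blank,
*    so a client's own asserted user ID would be adopted. Pin it to a user ID
*    that has no access to IBM MQ objects (assumed here to be 'nobody').
ALTER CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('nobody')

* 2. Give the application its own channel with a fixed, low-privilege MCAUSER.
*    The single quotation marks matter: MCAUSER(app1user) would be stored as APP1USER,
*    MCAUSER('app1user') is stored exactly as typed.
DEFINE CHANNEL(APP1.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('app1user')

* 3. CHLAUTH rules sit above MCAUSER in Table 1: block any administrative user ID
*    flowed by a client, and map connections from the expected address range to app1user.
SET CHLAUTH(APP1.SVRCONN) TYPE(BLOCKUSER) USERLIST('*MQADMIN')
SET CHLAUTH(APP1.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('192.0.2.*') USERSRC(MAP) MCAUSER('app1user')

* 4. Verify: the stored MCAUSER values, and which rule a given client connection would match.
DISPLAY CHANNEL(SYSTEM.DEF.SVRCONN) MCAUSER
DISPLAY CHANNEL(APP1.SVRCONN) MCAUSER
DISPLAY CHLAUTH(APP1.SVRCONN) MATCH(RUNCHECK) CLNTUSER('app1user') ADDRESS('192.0.2.10')
```

The DISPLAY CHLAUTH ... MATCH(RUNCHECK) command reports the single rule that would apply to a connection with that client user ID and address, which is the quickest way to confirm that the BLOCKUSER and ADDRESSMAP rules take precedence over the channel's MCAUSER in the way Table 1 describes.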

For servers on UNIX, Linux, and Windows, the content of the MCAUserIdentifier field that is received from the client is changed to lowercase.

For servers on IBM i, the content of the LongMCAUserIdentifier field that is received from the client is changed to uppercase.

For servers on UNIX and Linux systems, the content of the LongMCAUserIdentifier field that is received from the client is changed to lowercase.

By default, the user ID that is passed when an MQ JMS binding application is used is the user ID of the JVM on which the application is running.

It is also possible to pass a user ID via the createQueueConnection method.