Connection authentication: Configuration
A queue manager can be configured to use a supplied user ID and password to check whether a user has authority to access resources.
Turning on connection authentication on a queue manager
On a queue manager object, the CONNAUTH attribute can be set to the name of an authentication information (AUTHINFO) object. This object can be one of two types (AUTHTYPE attribute):
- IDPWOS
- Indicates that the queue manager uses the local operating system to authenticate the user ID and password.
- IDPWLDAP
- Indicates that the queue manager uses an LDAP server to authenticate the user ID and password.
Note: We cannot use any other type of authentication information object in the CONNAUTH field.
IDPWOS and IDPWLDAP are similar in a number of their attributes, which are described here. Other attributes are considered later.
To check local connections, use the AUTHINFO attribute CHCKLOCL (check local connections). To check client connections, use the AUTHINFO attribute CHCKCLNT (check client connections). The configuration must be refreshed before the queue manager recognizes the changes.ALTER QMGR CONNAUTH(USE.PW) DEFINE AUTHINFO(USE.PW) + AUTHTYPE(IDPWOS) + FAILDLAY(10) + CHCKLOCL(OPTIONAL) + CHCKCLNT(REQUIRED) REFRESH SECURITY TYPE(CONNAUTH)Where USE.PW in the CONNAUTH is a string that matches the AUTHINFO definition. Both CHCKLOCL and CHCKCLNT have the same set of possible values that allow the strictness of checking to be varied:
- NONE
- Switches off checking.
- OPTIONAL
- Ensures that if a user ID and password are provided by an application, they are a valid pair, but that it is not mandatory to provide them. This option might be useful during migration, for example.
- REQUIRED
- Requires that all applications provide a valid user ID and password. See also the following note.
- REQDADM
- Privileged users must supply a valid user ID and password, but non-privileged users are treated as with the OPTIONAL setting. See also the following note. (This setting is not allowed on z/OS systems.)
Note:
Set CHCKLOCL to REQUIRED or REQDADM means that we cannot locally administer the queue manager by using runmqsc (error AMQ8135: Not authorized) unless the user specifies the -u UserId parameter on the runmqsc command line. With that set, runmqsc prompts for the user's password at the console.
Similarly, a user running IBM MQ Explorer on the local system will see error AMQ4036 when attempting to connect to the queue manager. To specify a user name and password, right-click the local queue manager object and select Connection Details > Properties... from the menu. In the Userid section, enter the user name and password to be used, then click OK.
Similar considerations apply to remote connections with CHCKCLNT.
CONNAUTH is blank for migrated queue managers but set to SYSTEM.DEFAULT.AUTHINFO.IDPWOS for new queue managers. The preceding AUTHINFO definition has CHCKCLNT set to REQDADM by default.
Therefore, you need to provide the correct operating system password for any existing clients using a privileged user ID to connect.
Warning: In some cases, the password in an MQCSP structure for a client application will be sent across a network in plain text. To ensure that client application passwords are protected appropriately, see MQCSP password protection.Configuration granularity
In addition to CHCKLOCL and CHCKCLNT that are used to turn on user ID and password checking, there are enhancements to the CHLAUTH rules so that more specific configuration can be made using CHCKCLNT.
We can set the overall CHCKCLNT value to OPTIONAL, for example, and then upgrade it to be more stringent for certain channels by setting CHCKCLNT to REQUIRED or REQDADM on the CHLAUTH rule. By default, CHLAUTH rules will run with CHCKCLNT(ASQMGR) so this granularity does not have to be used. For example:DEFINE AUTHINFO(USE.PW) AUTHTYPE(xxxxxx) + CHCKCLNT(OPTIONAL) SET CHLAUTH('*') TYPE(ADDRESSMAP) + ADDRESS('*') USERSRC(CHANNEL) + CHCKCLNT(REQUIRED) SET CHLAUTH('*') TYPE(SSLPEERMAP) + SSLPEER('CN=*') USERSRC(CHANNEL)
Error notification
An error is recorded if an application does not supply a user ID and password when required to, or supplies an incorrect combination even when it is optional. Note: When password checking is turned off, by using the NONE option on either CHCKLOCL or CHCKCLNT, invalid passwords are not detected.
Failed authentications are held for the number of seconds specified by the FAILDLAY attribute before the error is returned to the application. This provides some protection from an application repeatedly trying to connect.
The error is recorded in a number of ways:
- Application
- The application is returned the standard IBM MQ security error, RC2035 - MQRC_NOT_AUTHORIZED.
- Administrator
- An IBM MQ administrator sees the event reported in the error log and can therefore see that the application was rejected because the user ID and password failed the check, rather than because, for example, there was no connection authority .
- Monitor tool
- A monitoring tool can also be notified of the failure, if you turn on authority events by sending an event message to the SYSTEM.ADMIN.QMGR.EVENT queue:
ALTER QMGR AUTHOREV(ENABLED)
This "Not Authorized" event is a Type 1 connect event, and provides the same fields as other Type 1 events, with an additional field, the MQCSP user ID that was provided. The password is not given in the event message. This means that there are two user IDs in the event message: the ID that the application is running under and the ID that the application presented for user ID and password checking.
Relationship to authorization
We can configure a queue manager to mandate that user IDs and passwords are provided by certain applications as the user ID that the application is running under might not be the same user ID that was presented by the application along with a password when the application opens a queue for output, for example:
ALTER QMGR CONNAUTH(USE.PWD) DEFINE AUTHINFO(USE.PWD) + AUTHTYPE(xxxxxx) + CHCKLOCL(OPTIONAL) + CHCKCLNT(REQUIRED) + ADOPTCTX(YES)How user IDs and passwords are handled is controlled by the ADOPTCTX attribute on the authentication information object.
- ADOPTCTX(YES)
- All authorization checks for an application are made with the same user ID that you authenticated by password, by selecting to adopt the context as the application context for the rest of the life of the connection.
- ADOPTCTX(NO)
- An application provides a user ID and password for the purposes of authenticating them at connection time, but then continues by using the user ID that the application is running under for future authorization checks. You might find this option useful when migrating. You might also find it useful to continue using this option, perhaps with client connections, because authorization checks are done by using an assigned message channel agent user identifier (MCAUSER) based on an IP address.
The ADOPTCTX setting has no effect if the user ID presented for authentication by password is the same user ID that the application is also running under.
Attention:
When we use the ADOPTCTX(YES) parameter on an authentication information object, another security context cannot be adopted unless you set the ChlauthEarlyAdopt parameter in the channels stanza of the qm.ini file.
For example, the default authentication information object is set to ADOPTCTX(YES), and the user fred is logged in. The following two CHLAUTH rules are configured:SET CHLAUTH('MY.CHLAUTH') TYPE(ADDRESSMAP) DESCR('Block all access by default') ADDRESS('*') USERSRC(NOACCESS) ACTION(REPLACE) SET CHLAUTH('MY.CHLAUTH') TYPE(USERMAP) DESCR('Allow user bob and force CONNAUTH') CLNTUSER('bob') CHCKCLNT(REQUIRED) USERSRC(CHANNEL)The following command is issued, with the intention of authenticating the command as the adopted security context of the user bob:
runmqsc -c -u bob QMGRIn fact, the queue manager uses the security context of fred, not bob, and the connection fails.
For more information about ChlauthEarlyAdopt, see Attributes of the channels stanza.