Plan identification and authentication
Decide what user IDs to use, and how and at what levels we want to apply authentication controls.
We must decide how we will identify the users of the IBM MQ applications, bearing in mind that different operating systems support user IDs of different lengths. We can use channel authentication records to map from one user ID to another, or to specify a user ID based on some attribute of the connection. IBM MQ channels using TLS use digital certificates as a mechanism for identification and authentication. Each digital certificate has a subject distinguished name which can be mapped onto specific identities using channel authentication records. Additionally, CA certificates in the key repository determine which digital certificates may be used to authenticate to IBM MQ. For more information see:
- Mapping a remote queue manager to an MCAUSER user ID
- Mapping a client user ID to an MCAUSER user ID
- Mapping an SSL or TLS Distinguished Name to an MCAUSER user ID
- Mapping an IP address to an MCAUSER user ID
- Plan authentication for a client application
We can apply authentication controls at four levels: at the communications level, in security exits, with channel authentication records, and in terms of the identification that is passed to a security exit.
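The following MQSC commands are an added example, not taken from IBM documentation, showing one channel authentication record of each mapping type listed above plus the connection authentication setting that makes a client-asserted user ID trustworthy. Channel names, queue manager names, distinguished names, IP addresses and user IDs are assumed placeholders. It goes slightly beyond the list by restricting each identity mapping to an expected address and by ending each channel with a deny-by-default rule, which is how these records are normally combined in practice.

```mqsc
* Added example: CHLAUTH rules for the four mapping types plus CONNAUTH.
* All channel names, DNs, addresses and user IDs below are placeholders.

* 1. Remote queue manager mapping: QM2 on channel QM2.TO.QM1 runs as the
*    low-privilege OS user 'qm2mca', and only from its expected address.
*    Any other queue manager name on this channel is refused.
SET CHLAUTH('QM2.TO.QM1') TYPE(QMGRMAP) QMNAME('QM2') ADDRESS('192.0.2.10') +
    USERSRC(MAP) MCAUSER('qm2mca') ACTION(REPLACE)
SET CHLAUTH('QM2.TO.QM1') TYPE(QMGRMAP) QMNAME('*') USERSRC(NOACCESS) ACTION(REPLACE)

* 2. Client user ID mapping: the client-asserted ID 'alice' on APP1.SVRCONN
*    is mapped to the server-side user 'appalice'. The asserted ID is only
*    meaningful once CONNAUTH (bottom of this example) checks a password.
SET CHLAUTH('APP1.SVRCONN') TYPE(USERMAP) CLNTUSER('alice') ADDRESS('192.0.2.*') +
    USERSRC(MAP) MCAUSER('appalice') ACTION(REPLACE)

* 3. TLS distinguished name mapping: a certificate with this subject DN is
*    mapped to 'appsvc'. SSLCERTI pins the issuer so that a same-named subject
*    issued by another CA present in the key repository does not match.
SET CHLAUTH('APP1.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=app1,OU=Apps,O=Example') SSLCERTI('CN=Example CA,O=Example') +
    ADDRESS('192.0.2.*') USERSRC(MAP) MCAUSER('appsvc') ACTION(REPLACE)

* 4. IP address mapping: connections from the application subnet that matched
*    none of the identity rules above run under the ID flowed on the channel;
*    everything else on APP1.SVRCONN is refused regardless of identity.
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.*') +
    USERSRC(CHANNEL) ACTION(REPLACE)
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) ACTION(REPLACE)

* Require a user ID and password on every client connection, checked against
* the operating system, so rule 2 authenticates rather than merely trusts.
DEFINE AUTHINFO('APP.IDPWOS') AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) ADOPTCTX(YES) REPLACE
ALTER QMGR CONNAUTH('APP.IDPWOS')
REFRESH SECURITY TYPE(CONNAUTH)

* Dry run: report which rule would apply to a given inbound connection
* without actually connecting.
DISPLAY CHLAUTH('APP1.SVRCONN') MATCH(RUNCHECK) ADDRESS('192.0.2.25') CLNTUSER('alice')
```

Run the commands with runmqsc against the queue manager being configured. The DISPLAY ... MATCH(RUNCHECK) command is the check to repeat after every change: feed it the address and identity an expected client or partner queue manager will present and confirm the rule it reports is the intended one, then repeat with an unexpected address to confirm the NOACCESS rule wins.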