
Set up IBM MQ MQI client security

We must consider IBM MQ MQI client security, so that the client applications do not have unrestricted access to resources on the server.

When running a client application, do not run the application using a user ID that has more access rights than necessary; for example, a user in the mqm group or even the mqm user itself.

By running an application as a user with too many access rights, we run the risk of the application accessing and changing parts of the queue manager, either by accident or maliciously.

There are two aspects to security between a client application and its queue manager server: authentication and access control.

  • Authentication can be used to ensure that the client application, running as a specific user, is who it says it is. By using authentication we can prevent an attacker from gaining access to your queue manager by impersonating one of the applications. From IBM MQ Version 8.0, authentication is provided by one of two options:

    • The connection authentication feature.

      For more information on connection authentication, see Connection authentication.

    • Use mutual authentication within TLS.

      For more information on TLS, see Work with SSL/TLS.

  • Access control can be used to give or remove access rights for a specific user or group of users. By running a client application with a specifically created user (or user in a specific group) we can then use access controls to ensure the application cannot access parts of our queue manager that the application is not supposed to.

    When setting up access control we must consider channel authentication rules and the MCAUSER field on a channel. Both of these features have the ability to change which user ID is being used for verifying access control rights.

    For more information on access control, see Authorizing access to objects.

If we have set up a client application to connect to a specific channel with a restricted ID, but the channel has an administrator ID set in its MCAUSER field then, provided the client application connects successfully, the administrator ID is used for access control checks. Therefore, the client application will have full access rights to your queue manager.

For more information on the MCAUSER attribute, see Mapping a client user ID to an MCAUSER user ID.

Channel authentication rules can also be used as a method for controlling access to a queue manager, by setting up specific rules and criteria for a connection to be accepted.

For more information on channel authentication rules see: Channel authentication records.
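The MQSC commands below are an added example, not part of this page or of IBM's own documentation, showing how the pieces above fit together for one client channel: a server-connection channel whose MCAUSER is deliberately an unprivileged ID, channel authentication rules that block administrators and map connections to a restricted user, authority records for that user, and connection authentication switched to required. The channel name APP1.SVRCONN, the user app1, the queue APP1.REQUEST, the address range 10.1.2.* and the certificate DN are assumptions for illustration.

```mqsc
* Channel for the client application. MCAUSER is set to an unprivileged
* ID on purpose: never an administrator, or every successful connection
* would be checked against that administrator's rights (assumed name).
DEFINE CHANNEL('APP1.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('nobody') REPLACE

* Channel authentication rules (most specific rule wins at match time).
* 1. Refuse any connection that asserts an MQ administrator ID.
SET CHLAUTH('APP1.SVRCONN') TYPE(BLOCKUSER) USERLIST('*MQADMIN') ACTION(REPLACE)
* 2. Deny every address by default ...
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) ACTION(REPLACE)
* 3. ... then allow the application's subnet and map it to the restricted
*    user, overriding the channel MCAUSER (assumed subnet and user).
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.1.2.*') USERSRC(MAP) MCAUSER('app1') ACTION(REPLACE)
* Alternative for TLS mutual authentication: map on the client certificate
* subject instead of the address (assumed DN).
SET CHLAUTH('APP1.SVRCONN') TYPE(SSLPEERMAP) SSLPEER('CN=app1,O=Example') USERSRC(MAP) MCAUSER('app1') ACTION(REPLACE)

* Access control for the mapped user: connect to the queue manager and put
* to one request queue, nothing else (assumed queue name).
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('app1') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('APP1.REQUEST') OBJTYPE(QUEUE) PRINCIPAL('app1') AUTHADD(PUT)

* Connection authentication: require every client to supply a user ID and
* password checked against the operating system.
ALTER AUTHINFO('SYSTEM.DEFAULT.AUTHINFO.IDPWOS') AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED)
ALTER QMGR CONNAUTH('SYSTEM.DEFAULT.AUTHINFO.IDPWOS')
REFRESH SECURITY TYPE(CONNAUTH)

* Check which rule a given connection would hit and which ID it would run
* under, before trusting the configuration (assumed address and user).
DISPLAY CHLAUTH('APP1.SVRCONN') MATCH(RUNCHECK) ADDRESS('10.1.2.3') CLNTUSER('alice')
```

Run the commands through runmqsc against the queue manager, then confirm with the final DISPLAY that a connection from outside the allowed subnet resolves to a NOACCESS rule and one from inside resolves to the mapping to app1.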

Parent topic: Set up security

Last updated: 2020-10-04