Implement access control in message exits

We might need to use a message exit to substitute one user ID with another.

Consider a client application that sends a message to a server application. The server application can extract the user ID from the UserIdentifier field in the message descriptor and, provided it has alternate user authority, ask the queue manager to use this user ID for authority checks when it accesses IBM MQ resources on behalf of the client.

If the PUTAUT parameter is set to CTX (or ALTMCA on z/OS ) in the channel definition, the user ID in the UserIdentifier field of each incoming message is used for authority checks when the MCA opens the destination queue.

In certain circumstances, when a report message is generated, it is put using the authority of the user ID in the UserIdentifier field of the message causing the report. In particular, confirm-on-delivery (COD) reports and expiration reports are always put with this authority.

Because of these situations, it might be necessary to substitute one user ID for another in the UserIdentifier field as a message enters a new security domain. This can be done by a message exit at the receiving end of the channel. Alternatively, we can ensure that the user ID in the UserIdentifier field of an incoming message is defined in the new security domain.

If an incoming message contains a digital certificate for the user of the application that sent the message, a message exit can validate the certificate and map the Distinguished Name in the certificate to a user ID that is valid on the receiving system. It can then set the UserIdentifier field in the message descriptor to this user ID.

If it is necessary for a message exit to change the value of the UserIdentifier field in an incoming message, it might be appropriate for the message exit to authenticate the sender of the message at the same time. For more details, see Identity mapping in message exits.

Parent topic: Authorizing access to objects