IBM MQ for z/OS server connection channel

The IBM MQ for z/OS SVRCONN channel is not secure without implementing channel authentication, or adding a security exit using TLS. SVRCONN channels do not have a security exit defined by default.


Security concerns

SVRCONN channels are not secure as initially defined, SYSTEM.DEF.SVRCONN for example. To secure a SVRCONN channel we must set up channel authentication using the SET CHLAUTH command, or install a security exit and implement TLS.

We must use a publicly available sample security exit, write a security exit yourself, or purchase a security exit.

There are several samples available that we can use as a good starting point for writing your own SVRCONN channel security exit.

In IBM MQ for z/OS, the member CSQ4BCX3 in your hlq.SCSQC37S library is a security exit sample written in the C language. Sample CSQ4BCX3 is also shipped pre-compiled in your hlq.SCSQAUTH library.

We can implement the CSQ4BCX3 sample exit by copying the compiled member hlq.SCSQAUTH(CSQ4BCX3) into a load library that is allocated to the CSQXLIB DD in your CHIN Proc. Note that the CHIN requires the load library to be set as "Program Controlled".

Alter your SVRCONN channel to set CSQ4BCX3 as the security exit.

When a client connects using that SVRCONN channel, CSQ4BCX3 will authenticate using the RemoteUserIdentifier and RemotePassword pair from MQCD or, from Version 9.1.4, the CSPUserIdPtr and CSPPasswordPtr pair from the MQCSP. If authentication is successful it will copy RemoteUserIdentifier into MCAUserIdentifier, changing the identity context of the thread.

For Long Term Support and Continuous Delivery before Version 9.1.4, when a client connects using that SVRCONN channel, CSQ4BCX3 will authenticate using the RemoteUserIdentifier and RemotePassword pair from MQCD. If authentication is successful it will copy RemoteUserIdentifier into MCAUserIdentifier, changing the identity context of the thread.

If we are writing an IBM MQ Java client we can use pop-ups to query the user and set MQEnvironment.userID and MQEnvironment.password. These values will be passed when the connection is made.

Now that we have a functional security exit, there is the additional concern that the userid and password are being transmitted in plain text across the network when the connection is made, as are the contents of any subsequent IBM MQ messages. We can use TLS to encrypt this initial connection information as well as the contents of any MQ messages.


Example

To secure the IBM MQ Explorer SVRCONN channel SYSTEM.ADMIN.SVRCONN complete the following steps:
  1. Copy hlq.SCSQAUTH(CSQ4BCX3) into a load library that is allocated to the CSQXLIB DD in the CHINIT Proc.
  2. Verify that load library is Program Controlled.
  3. Alter the SYSTEM ADMIN.SVRCONN to use security exit CSQ4BCX3.
  4. In IBM MQ Explorer, right-click the z/OS Queue Manager name, select Connection Details > Properties > Userid and enter your z/OS user ID.
  5. Connect to the z/OS Queue Manager by entering a password.


Additional information

For exit CSQ4BCX3 to run in a Program Controlled environment, everything loaded into the CHIN address space must be loaded from a Program Controlled library, for example, all libraries in STEPLIB and any libraries named on CSQXLIB DD. To set a load library as Program Controlled issue RACF commands. In the following example the load library name is MY.TEST.LOADLIB. 
RALTER PROGRAM * ADDMEM('MY.TEST.LOADLIB'//NOPADCHK)
SETROPTS WHEN(PROGRAM)REFRESH
To alter the SVRCONN channel to implement CSQ4BCX3, issue the following MQ command: 
ALTER CHANNEL( SYSTEM ADMIN.SVRCONN) CHLTYPE(SVRCONN) SECYEXIT(CSQ4BCX3)
In the example above, the SVRCONN channel name being used is SYSTEM ADMIN.SVRCONN.

See Channel exit programs for more information about channel exits.

Parent topic: Channel authorization


Related information