Client side security exit to insert user ID and password ( mqccred )

If we have any client applications that are required to send a user ID or password but we are unable to change the source yet, there is a security exit shipped with IBM MQ Version 8.0 called mqccred that we can use. mqccred provides a user ID and password on behalf of the client application, from a .ini file. This user ID and password are sent to the queue manager which, if configured to do so, will authenticate them.


Overview

mqccred is a security exit that runs on the same machine as your client application. It allows user ID and password information to be supplied on behalf of the client application, where that information is not being supplied by the application itself. The user ID and password information is supplied in a structure known as the Connection Security Parameters (MQCSP) and will be authenticated by the queue manager if connection authentication is configured.

User ID and password information is retrieved from a .ini file on the client machine. The passwords in the file are protected by obfuscation using the runmqccred command, and also by ensuring the file permissions on the .ini file are set such that only the user ID running the client application (and therefore the exit) are able to read it.


Location

mqccred is installed:

    Windows platforms
    In the installation_directory\Tools\c\Samples\mqccred\ directory

    UNIX platforms
    In the installation_directory/samp/mqccred directory

Notes: The exit:

  1. Acts purely as a security channel exit, and needs to be the only such exit defined on a channel.
  2. Is usually named through the Client Channel Definition Table (CCDT), but a Java client can have the exit mentioned in the JNDI objects directly, or the exit might be configured for applications that manually construct the MQCD structure.
  3. We must copy the mqccred and mqccred_r programs to the var/mqm/exits directory. For example, on a 64 bit UNIX platform machine, issue the command:
    cp installation_directory/samp/mqccred/lib64/* /var/mqm/exits

    See A step by step example of how to test mqccred for more information.

  4. Is capable of running on previous versions of IBM MQ ; as far back as Version 7.0.1.


Set up user IDs and passwords

The .ini file contains stanzas for each queue manager, with a global setting for unspecified queue managers. Each stanza contains the name of the queue manager, a user ID, and either a plain text or obfuscated password.

We must edit the .ini file by hand, using whichever editor we want, and add the plain text password attribute to the stanzas. Run the provided, runmqccred program, which takes the .ini file and replaces the Password attribute with the OPW attribute, an obfuscated form of the password.

See runmqccred for a description of the command and its parameters.

The mqccred.ini file contains your user ID and password information.

A template .ini file is provided in the same directory as the exit to provide a starting point for the enterprise.

By default, this file will be looked for in $HOME/.mqs/mqccred.ini. If you would like to locate it elsewhere, we can use the environment variable MQCCRED to point at it:
MQCCRED=C:\mydir\mqccred.ini

If we use MQCCRED, the variable must include the full name of the configuration file, including any .ini filetype. Since this file contains passwords (even if obfuscated), we are expected to protect the file using operating system privileges to ensure unauthorized people cannot read it. If we do not have the correct file permission, the exit will not run successfully.

If the application has already supplied an MQCSP structure, the exit normally respects this and will not insert any information from the .ini file. However, we can override this by using the Force attribute in the stanza.

Set Force to the value TRUE removes the application-supplied user ID and password, and replaces those with the ini file version.

We can also set the Force attribute in the global section of the file to set the default value of that file.

The default value for Force is FALSE.

We can provide a user ID and password for all queue managers, or for each individual queue manager. This is an example of an mqccred.ini file:
# comments are permitted
AllQueueManagers:
User=abc
OPW=%^&aervrgtsr

QueueManager:
Name=QMA
User=user1
OPW=H&^dbgfh

Force=TRUE

QueueManager:
Name=QMB
User=user2
password=passw0rd
Notes:
  1. The individual queue manager definitions take precedence over the global setting.
  2. Attributes are case insensitive.


Constraints

When this exit is in use, the local user ID of the person running the application does not flow from the client to the server. The only identity information available is from the ini file contents.

Therefore, we must configure the queue manager to either use ADOPTCTX(YES), or map the inbound connection request to an appropriate user ID through one of the available mechanisms, for example, Channel authentication records.

Important: If you add new passwords, or update old ones, the runmqccred command only processes any plain text passwords, leaving your obfuscated ones untouched.


Debugging

The exit writes to the standard IBM MQ trace when that is enabled.

To assist in debugging configuration issues, the exit can also write directly to stdout.

No channel security exit data ( SCYDATA ) configuration is normally required for the channel. However, we can specify:

    ERROR
    Only print information abut error conditions, such as not being able to find the configuration file.

    DEBUG
    Displays these error conditions, and some additional trace statements.

    NOCHECKS
    Bypasses the constraints on file permissions, and the further constraint that the .ini file should not contain any unprotected passwords.

We can put one or more of these elements into the SCYDATA field, separated by commas, in any order. For example, SCYDATA=(NOCHECKS,DEBUG).

Note that the items are case-sensitive, and must be entered in uppercase.


Use mqccred

Once you have your file set up, we can invoke the channel exit by updating your client-connection channel definition to include the SCYEXIT('mqccred(ChlExit)') attribute:
DEFINE CHANNEL(channelname) CHLTYPE(clntconn) +
CONNAME(remote machine) +
QMNAME(remote qmgr) +
SCYEXIT('mqccred(ChlExit)') +
REPLACE


Related information