Connection authentication with the Java client

Connection authentication is a feature in IBM MQ that allows the queue manager to be configured to authenticate applications, using a provided user ID and password. When the application is a Java application that is using client bindings, connection authentication can be run in compatibility mode or MQCSP authentication mode.

Compatibility mode

Before IBM MQ Version 8.0, the Java client could send a user ID and password across the client-connection channel to the server-connection channel, and have them provided to a security exit in the RemoteUserIdentifier and RemotePassword fields of the MQCD structure. In compatibility mode, this behavior is retained.

We might use this mode in combination with connection authentication, and migrate away from any security exits that were previously used to do the same job.

We must use ADOPTCTX(YES) or have another method, for example a CHLAUTH rule based on a TLS certificate, to set the running MCAUSER when we are using compatibility mode, as in this mode, the client-side user ID is not sent to the queue manager.

The compatibility mode of operation can be enabled on a connection-by-connection basis or globally:

• In IBM MQ classes for Java, set the property MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY to false in the properties hashtable that is passed to the com.ibm.mq.MQQueueManager constructor.
• In IBM MQ classes for JMS, set the property JmsConstants.USER_AUTHENTICATION_MQCSP to false, on the appropriate connection factory before creating the connection.
• Globally, specify the Java system property -Dcom.ibm.mq.cfg.jmqi.useMQCSPauthentication=false on the command line when starting the application, as shown in the following example:

  java -Dcom.ibm.mq.cfg.jmqi.useMQCSPauthentication=false application_name

Compatibility mode is the default setting.

MQCSP authentication mode

In this mode, the client-side user ID is sent as well as the user ID and password to be authenticated, so we are able to use ADOPTCTX(NO). The user ID and password are available to a server-connection security exit in the MQCSP structure that is provided in the MQCXP structure.

This mode of operation can be enabled on a connection-by-connection basis or globally:

• In IBM MQ classes for Java, set the property MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY to true in the properties hashtable that is passed to the com.ibm.mq.MQQueueManager constructor.
• In IBM MQ classes for JMS, set the property JmsConstants.USER_AUTHENTICATION_MQCSP to true, on the appropriate connection factory before creating the connection.
• Globally, set the system property com.ibm.mq.cfg.jmqi.useMQCSPauthentication to a value indicating true, for example, by adding -Dcom.ibm.mq.cfg.jmqi.useMQCSPauthentication=Y to the command line.

Choose authentication mode in IBM MQ Explorer

The IBM MQ Explorer is a Java application, so these two modes, compatibility mode and MQCSP authentication mode, are applicable to it as well.

From Version 9.1.0, MQCSP authentication mode is the default. Before Version 9.1, compatibility mode is the default.

On panels where user identification is provided, there is a check box to enable or disable compatibility mode:

• From Version 9.1.0, by default, this check box is not selected. To use compatibility mode, select this check box.
• Before Version 9.1.0, by default, this check box is enabled. To use MQCSP authentication, clear the check box.

Related concepts

• Connection authentication
• Connection authentication: Application changes
• Connection authentication: User repositories