MQCSP password protection
From IBM MQ Version 8.0, we can send passwords that are included in the MQCSP structure either protected, by using IBM MQ functionality, or encrypted, by using TLS encryption.
MQCSP password protection is useful for test and development purposes, because it is simpler to set up than TLS encryption, but it is not as secure. For production purposes, use TLS encryption in preference to IBM MQ password protection, especially when the network between the client and queue manager is untrusted.
If you need to know precisely what encryption is being used, and how much protection it offers, use full TLS encryption. In that case the algorithms are publicly known, and you can select the appropriate one for the enterprise by using the SSLCIPH channel attribute.
For more information about the MQCSP structure, see MQCSP structure.
Password protection is used when all of the following conditions are met:
- Both ends of the connection are using IBM MQ Version 8.0, or later.
- The channel is not using TLS encryption. A channel is not using TLS encryption if the channel has a blank SSLCIPH attribute, or the SSLCIPH attribute is set to a CipherSpec that does not provide encryption. Null ciphers, for example, NULL_SHA, do not provide encryption.
- You set MQCSP.AuthenticationType to MQCSP_AUTH_USER_ID_AND_PWD. Setting this value enables more checks to be evaluated to decide whether password protection is done. The default value of MQCSP.AuthenticationType is MQCSP_AUTH_NONE. With the default setting, no password protection is done. For more information, see AuthenticationType.
- The client is not IBM MQ Explorer running with user identification compatibility mode enabled (this mode is not the default). This condition applies only to IBM MQ Explorer.
If these conditions are not met, the password is sent in plain text unless prohibited by the PasswordProtection configuration setting.
The PasswordProtection configuration setting
The PasswordProtection attribute in the Channels section of the client and queue manager .ini configuration files can prevent passwords from being sent in plain text. The attribute can take one of the following values. The default value is compatible:
- compatible: The password can be sent in plain text if either the queue manager or the client is running a version of IBM MQ earlier than Version 8.0. That is, plain text passwords are allowed for compatibility.
- always: The password must be either encrypted with a CipherSpec that is not a null CipherSpec, or MQCSP.AuthenticationType must be set to MQCSP_AUTH_USER_ID_AND_PWD. Otherwise, the connection fails. That is, plain text passwords are not allowed.
- optional: The password can optionally be sent protected, but is sent in plain text if MQCSP.AuthenticationType is not set to MQCSP_AUTH_USER_ID_AND_PWD. That is, plain text passwords are allowed to be sent by any client.
- warn: Plain text passwords are allowed to be sent by any client. If a plain text password is received, a warning message (AMQ9297) is written to the queue manager error logs.
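As an added example (not IBM's code), the conditions for password protection and the PasswordProtection values described above are modelled in Python: given both ends' versions, the channel SSLCIPH, MQCSP.AuthenticationType and the .ini setting, it reports how the password leaves the client. Assumed: any CipherSpec name beginning with NULL_ is a null cipher, and versions are dotted numeric strings.

```python
from dataclasses import dataclass

# Possible fates of the MQCSP password on the wire.
TLS_ENCRYPTED = "tls-encrypted"       # non-null SSLCIPH encrypts the whole channel
MQ_PROTECTED = "mq-protected"         # IBM MQ password protection applied
PLAINTEXT = "plaintext"               # sent unprotected
PLAINTEXT_WARN = "plaintext+AMQ9297"  # unprotected, warning in the queue manager log
REJECTED = "connection-rejected"      # PasswordProtection=always refuses plain text
MQCSP_AUTH_NONE = "MQCSP_AUTH_NONE"   # default AuthenticationType
MQCSP_AUTH_USER_ID_AND_PWD = "MQCSP_AUTH_USER_ID_AND_PWD"

@dataclass
class Connection:
    client_version: str                  # dotted version, e.g. "8.0.0.4" (assumed format)
    qm_version: str
    sslciph: str = ""                    # channel SSLCIPH; blank means no TLS
    auth_type: str = MQCSP_AUTH_NONE     # MQCSP.AuthenticationType
    password_protection: str = "compatible"  # Channels stanza attribute, default value
    explorer_compat_mode: bool = False   # IBM MQ Explorer user identification compat mode

def _major(version: str) -> int:
    return int(version.split(".")[0])

def cipher_encrypts(sslciph: str) -> bool:
    """Blank SSLCIPH or a null CipherSpec such as NULL_SHA gives no encryption.
    Assumption: every CipherSpec name starting with NULL_ is a null cipher."""
    name = sslciph.strip().upper()
    return bool(name) and not name.startswith("NULL_")

def password_outcome(c: Connection) -> str:
    """Apply the conditions for MQ password protection, then the .ini setting."""
    if cipher_encrypts(c.sslciph):
        return TLS_ENCRYPTED
    protection_applies = (
        _major(c.client_version) >= 8 and _major(c.qm_version) >= 8
        and c.auth_type == MQCSP_AUTH_USER_ID_AND_PWD
        and not c.explorer_compat_mode
    )
    if protection_applies:
        return MQ_PROTECTED
    # Conditions not met: plain text unless PasswordProtection prohibits it.
    mode = c.password_protection.lower()
    if mode == "always":
        return REJECTED
    if mode == "warn":
        return PLAINTEXT_WARN
    if mode in ("compatible", "optional"):
        return PLAINTEXT
    raise ValueError(f"unknown PasswordProtection value: {c.password_protection!r}")
```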
For Java and JMS clients, the behavior of the PasswordProtection attribute changes dependent on the choice of using compatibility mode or MQCSP mode:
- If Java and JMS clients are operating in compatibility mode, an MQCSP structure is not flowed during connection processing. Therefore, the behavior of the PasswordProtection attribute is the same behavior as described for clients that are running a version of IBM MQ earlier than Version 8.0.
- If Java and JMS clients are operating in MQCSP mode, the behavior of the PasswordProtection attribute is the behavior as described.
For more information about connection authentication with Java and JMS clients, see Connection authentication with the Java client.