Use the Pluggable Authentication Method (PAM)

We can use PAM only on UNIX and Linux platforms. A typical UNIX system has PAM modules that implement the traditional authentication mechanism; however, other modules might also be present. As well as the basic task of validating passwords, PAM modules can also be invoked to carry out additional rules.

Configuration files define which authentication method is to be used for each application. Example applications include the standard terminal login, ftp, and telnet.

The advantage of PAM is that the application does not need to know, or care about, how the user ID is actually being authenticated. As long as the application can provide a correct form of authentication data to PAM, the mechanism behind it is transparent.

The form of authentication data depends upon the system being used. For example, IBM MQ obtains a password through parameters, such as the MQCSP structure used in the MQCONNX API call.

Important: You cannot set the AUTHENMD attribute until you install IBM MQ Version 8.0.0, Fix Pack 3, and then restart the queue manager, using a -e CMDLEVEL=level of 802 (on the strmqm command) to set the command level you require.


Configure the system to use PAM

The service name used by IBM MQ, when invoking PAM, is ibmmq.

Note that an IBM MQ installation attempts to maintain a default PAM configuration that permits connections from operating system users, based on known defaults for the different operating systems.

However, the system administrator must verify that rules defined in the /etc/pam.conf, or /etc/pam.d/ibmmq, files are still appropriate.
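One way to carry out that verification, as an added example that is not IBM MQ code: a small checker that parses the ibmmq rules in either file layout and reports what needs a closer look. The function names and the sample rules are constructed for illustration; it assumes Linux-PAM syntax and, since this page does not say which stacks IBM MQ invokes, reviews the auth and account stacks.

```python
PERMIT = "pam_permit.so"  # module that always returns success

def parse_rules(text, service=None):
    """Return (type, control, module) tuples. service=None parses the
    /etc/pam.d/<service> layout; a name parses /etc/pam.conf, whose lines
    start with a service field, keeping only that service's rules."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        fields = raw.split("#", 1)[0].split()  # drop comments
        if not fields:
            continue
        if fields[0] == "@include":  # Debian-style include of another file
            rules.append(("*", "include", fields[-1]))
            continue
        if service is not None:
            if fields[0] != service:
                continue
            fields = fields[1:]
        if len(fields) < 3:
            continue
        end = 1  # index of the last field of the control token
        if fields[1].startswith("["):  # e.g. [success=1 default=ignore]
            while end < len(fields) - 2 and not fields[end].endswith("]"):
                end += 1
        rules.append((fields[0].lstrip("-"), " ".join(fields[1:end + 1]), fields[end + 1]))
    return rules

def audit(rules):
    """Return findings for the auth and account stacks of one service."""
    findings = []
    for rtype in ("auth", "account"):
        stack = [r for r in rules if r[0] in (rtype, "*")]
        if not stack:
            findings.append(f"{rtype}: no rules, PAM falls back to the 'other' service")
        for _, control, module in stack:
            if control in ("include", "substack"):
                findings.append(f"{rtype}: also review included file {module}")
            elif rtype == "auth" and module.rsplit("/", 1)[-1] == PERMIT:
                findings.append(f"auth: {PERMIT} ({control}) always succeeds, "
                                "verify the stack still checks a password")
    return findings

# Constructed sample rules, not a default shipped by IBM MQ.
SAMPLE = """\
auth     sufficient  pam_permit.so
auth     [success=1 default=ignore] pam_unix.so nullok
account  include     system-auth
"""

if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE)):
        print(finding)
```

To check a real system, pass the contents of /etc/pam.d/ibmmq to parse_rules, or the contents of /etc/pam.conf with service="ibmmq".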

Last updated: 2020-10-04