WebSphere MQ access control and Windows principals
The access control that WebSphere MQ provides is based on user IDs and groups. The authentication that Windows provides is based on principals, such as a user or a servicePrincipalName (SPN). In the case of servicePrincipalName, many SPNs might be associated with a single user.
The SSPI security exit uses the relevant Windows principals for authentication. If Windows authentication is successful, the exit passes the user ID that is associated with the Windows principal to WebSphere MQ for access control.
The Windows principals that are relevant for authentication vary, depending on the type of authentication used.
- For NTLM authentication, the Windows principal for Context Initiator is the user ID associated with the process that is running. Because this authentication is one-way, the principal associated with the Context Acceptor is irrelevant.
- For Kerberos authentication, on CLNTCONN channels, the Windows principal is the user ID associated with the process that is running. Otherwise, the Windows principal is the servicePrincipalName that is formed by adding the prefix ibmMQSeries/ to the QueueManagerName.
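The following is an added example, not IBM's code or part of the original page. It encodes the two rules above (which Windows principal the SSPI exit authenticates with, and how the queue manager SPN is formed from the ibmMQSeries/ prefix) and adds the check a practitioner wants before enabling Kerberos: that the queue manager's SPN is registered on exactly one account, which is then the user ID the exit passes to WebSphere MQ for access control. The function names, the account names and the SPN listing are constructed for illustration; case-insensitive SPN matching and the duplicate-SPN caveat are general Active Directory/Kerberos behaviour, not statements from the page.

```python
# Added example, not IBM's code: derive the Windows principal the SSPI security
# exit authenticates with, and check that the Kerberos SPN for a queue manager
# is registered on exactly one account. Function names and the SPN listing are
# constructed for illustration; the page itself only gives the prefix and rules.

SPN_PREFIX = "ibmMQSeries/"   # prefix added to the QueueManagerName


def queue_manager_spn(qmgr_name: str) -> str:
    """servicePrincipalName for a queue manager: prefix + QueueManagerName."""
    if not qmgr_name:
        raise ValueError("queue manager name must not be empty")
    return SPN_PREFIX + qmgr_name


def windows_principal(auth: str, channel_type: str, process_user: str, qmgr_name: str) -> str:
    """Windows principal the SSPI exit uses for authentication.

    NTLM: the user ID of the running process (one-way, so the Context
    Acceptor's principal is irrelevant).  Kerberos: the process user ID on
    CLNTCONN channels, otherwise the queue manager's servicePrincipalName.
    """
    auth = auth.upper()
    if auth == "NTLM":
        return process_user
    if auth == "KERBEROS":
        if channel_type.upper() == "CLNTCONN":
            return process_user
        return queue_manager_spn(qmgr_name)
    raise ValueError(f"unsupported authentication type: {auth!r}")


def check_spn_registration(qmgr_name: str, registered: dict) -> dict:
    """Find which account holds the queue manager's SPN.

    `registered` maps an account name to the SPNs registered on it (constructed
    here; in practice collected from the directory).  Matching is
    case-insensitive, as Active Directory treats SPNs (assumption, not from
    the page).  On success, 'user' is the account whose user ID the exit
    would hand to WebSphere MQ for access control.
    """
    spn = queue_manager_spn(qmgr_name)
    wanted = spn.lower()
    owners = sorted(acct for acct, spns in registered.items()
                    if any(s.lower() == wanted for s in spns))
    if not owners:
        return {"status": "missing", "spn": spn, "user": None, "accounts": []}
    if len(owners) > 1:
        # An SPN registered on more than one account cannot be resolved to a
        # single service identity, so Kerberos authentication fails; flag it.
        return {"status": "duplicate", "spn": spn, "user": None, "accounts": owners}
    return {"status": "ok", "spn": spn, "user": owners[0], "accounts": owners}


# Constructed sample: one service account carrying several SPNs (as the page
# notes can happen) plus a stale account that also claims QM2's SPN.
SAMPLE_REGISTRATIONS = {
    "DOMAIN\\mqsvc": ["ibmMQSeries/QM1", "ibmMQSeries/QM2", "HOST/mqhost"],
    "DOMAIN\\oldsvc": ["ibmmqseries/qm2"],
}

if __name__ == "__main__":
    print(windows_principal("Kerberos", "SVRCONN", "DOMAIN\\alice", "QM1"))
    for qm in ("QM1", "QM2", "QM3"):
        print(qm, check_spn_registration(qm, SAMPLE_REGISTRATIONS))
```

Run as a script it prints the Kerberos principal for a non-CLNTCONN channel and then one registration verdict per queue manager: QM1 resolves cleanly to DOMAIN\mqsvc, QM2 is reported as a duplicate, and QM3 as missing.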
Parent topic: Introduction to security exits