Plan authentication for a client application
We can apply authentication controls at four levels: at the communications level, in security exits, with channel authentication records, and in terms of the identification that is passed to a security exit.
There are four levels of security to consider. The diagram shows an IBM MQ MQI client that is connected to a server. Security is applied at four levels, as described in the following text. MCA is a Message Channel Agent.
- Communications level
See arrow 1. To implement security at the communications level, use TLS. For more information, see Cryptographic security protocols: TLS.
- Channel authentication records
See arrows 2 & 3. Authentication can be controlled by using the IP address or TLS distinguished names at the security level. A user ID can also be blocked or an asserted user ID can be mapped to a valid user ID. A full description is given in Channel authentication records.
- Connection authentication
See arrow 3. The client sends an ID and a password. For more information, see Connection authentication: Configuration.
- Channel security exits
See arrow 2. The channel security exits for client to server communication can work in the same way as for server to server communication. A protocol independent pair of exits can be written to provide mutual authentication of both the client and the server. A full description is given in Channel security exit programs.
- Identification that is passed to a channel security exit
See arrow 3. In client to server communication, the channel security exits do not have to operate as a pair. The exit on the IBM MQ client side can be omitted. In this case, the user ID is placed in the channel descriptor (MQCD) and the server-side security exit can alter it, if required.
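The channel authentication records and connection authentication items above are applied as MQSC commands on the queue manager. The following is an added example written for this page, not from the IBM MQ documentation; the queue manager QM1, the server-connection channel APP.SVRCONN, the OS user app1, the AUTHINFO object USE.OS.PW, the client address range and the certificate distinguished name are all assumed values:

```mqsc
* Added example, not from the IBM MQ documentation. Assumed names:
* channel APP.SVRCONN, MCAUSER app1, AUTHINFO object USE.OS.PW,
* client subnet 10.0.0.*, certificate DN CN=app1,OU=apps,O=Example.
* Run with:  runmqsc QM1 < this_file

* Connection authentication (arrow 3): every client must present a
* valid operating-system user ID and password; an asserted ID alone
* is not enough.
DEFINE AUTHINFO(USE.OS.PW) AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) CHCKLOCL(OPTIONAL) REPLACE
ALTER QMGR CONNAUTH(USE.OS.PW)
REFRESH SECURITY TYPE(CONNAUTH)

* Channel authentication records (arrows 2 and 3).
* 1. Default deny: no address may use this channel unless a more
*    specific record below matches.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) ACTION(REPLACE)

* 2. Admit TLS-authenticated clients whose certificate DN matches and
*    map them to the fixed MCAUSER app1, whatever user ID they assert.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) SSLPEER('CN=app1,OU=apps,O=Example') ADDRESS('10.0.0.*') USERSRC(MAP) MCAUSER('app1') ACTION(ADD)

* 3. Map one named client user ID (the ID placed in the MQCD) to app1
*    instead of letting the client choose its own identity.
SET CHLAUTH('APP.SVRCONN') TYPE(USERMAP) CLNTUSER('alice') USERSRC(MAP) MCAUSER('app1') ACTION(ADD)

* 4. Never let an asserted client user ID land in an administrative
*    group, even if a mapping record above is later loosened.
SET CHLAUTH('APP.SVRCONN') TYPE(BLOCKUSER) USERLIST('*MQADMIN') ACTION(REPLACE)

* 5. Check which record would apply to a real connection before going
*    live; RUNCHECK needs a specific address and channel name.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('10.0.0.5') SSLPEER('CN=app1,OU=apps,O=Example') CLNTUSER('alice')
```

The records are evaluated from most to least specific, so the blanket NOACCESS address map acts as the fallback while the SSLPEERMAP, USERMAP and BLOCKUSER records carve out exactly who may connect and as which MCAUSER. Because CHCKCLNT(REQUIRED) makes the client send a password, pair it with TLS on the same channel (SSLCIPH) so that the MQCSP password does not cross the network in plain text, as the warning at the end of this page describes.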
Windows clients also send extra information to assist identification.
- The user ID that is passed to the server is the currently logged-on user ID on the client.
- The security ID of the currently logged-on user.
To assist identification on IBM MQ client for HP Integrity NonStop Server, the client passes the OSS Safeguard alias under which the client application is running. This ID is typically of the form PRIMARYGROUP.ALIAS. If required, we can map this user ID to an alternative user ID on the queue manager by using either channel authentication records or a security exit. For more information about message exits, see Identity mapping in message exits. For more information about defining channel authentication records, see Mapping a client user ID to an MCAUSER user ID.
The values of the user ID and, if available, the security ID, can be used by the server security exit to establish the identity of the IBM MQ MQI client.
From IBM MQ Version 8.0, we can send passwords that are included in the MQCSP structure.
Warning: In some cases, the password in an MQCSP structure for a client application will be sent across a network in plain text. To ensure that client application passwords are protected appropriately, see MQCSP password protection.