Access control for clients
Access control is based on user IDs. There can be many user IDs to administer, and user IDs can be in different formats. We can set the server-connection channel property MCAUSER to a special user ID value for use by clients.
Access control in IBM MQ is based on user IDs. The user ID of the process making MQI calls is normally used. For MQ MQI clients, the server-connection MCA makes MQI calls on behalf of MQ MQI clients. We can select an alternative user ID for the server-connection MCA to use for making MQI calls. The alternative user ID can be associated either with the client workstation, or with anything you choose to organize and control the access of clients. The user ID needs to have the necessary authorities allocated to it on the server to issue MQI calls. Choosing an alternative user ID is preferable to allowing clients to make MQI calls with the authority of the server-connection MCA.
Because the server-connection MCA makes MQI calls on behalf of remote users, it is important to consider the security implications of the server-connection MCA issuing MQI calls on behalf of remote clients and how to administer the access of a potentially large number of users.
Table 1. The user ID used by a server-connection channel

| User ID | When used |
|---|---|
| The user ID that is set by a security exit | Used unless blocked by a CHLAUTH TYPE(BLOCKUSER) rule. See the following section, Set the user ID in a security exit, for more information. |
| The user ID that is set by a CHLAUTH rule | Used unless overridden by a security exit. See Channel Authentication Records for more information. |
| The user ID that is defined in the MCAUSER attribute in the SVRCONN channel definition | Used unless overridden by a security exit or a CHLAUTH rule. |
| The user ID that is flowed from the client machine | Used when no user ID is set by any other means. |
| The user ID that started the server-connection channel | Used when no user ID is set by any other means and no client user ID is flowed. See the following section, The user ID that runs the channel program, for more information. |
- One approach is for the server-connection MCA to issue MQI calls on its own authority. But beware, it is normally undesirable for the server-connection MCA, with its powerful access capabilities, to issue MQI calls on behalf of client users.
- Another approach is to use the user ID that flows from the client. The server-connection MCA can issue MQI calls using the access capabilities of the client user ID. This approach presents a number of questions to consider:
- There are different formats for the user ID on different platforms. This sometimes causes problems if the format of the user ID on the client differs from the acceptable formats on the server.
- There are potentially many clients, with different, and changing user IDs. The IDs need to be defined and managed on the server.
- Is the user ID to be trusted? Any user ID can be flowed from a client, not necessarily the ID of the logged on user. For example, the client might flow an ID with full mqm authority that was intentionally only defined on the server for security reasons.
- The preferred approach is to define client identification tokens at the server, and so limit the capabilities of client-connected applications. This is typically done by setting the server-connection channel property MCAUSER to a special user ID value to be used by clients, and defining a few IDs for use by clients with different levels of authorization on the server.
Set the user ID in a security exit
For IBM MQ MQI clients, the process that issues the MQI calls is the server-connection MCA. The user ID used by the server-connection MCA is contained in either the MCAUserIdentifier or LongMCAUserIdentifier fields of the MQCD. The contents of these fields are set by:
- Any values set by security exits
- The user ID from the client
- MCAUSER (in the server-connection channel definition)
The security exit can override the values that are visible to it, when it is invoked.
- If the server-connection channel MCAUSER attribute is set to nonblank, the MCAUSER value is used.
- If the server-connection channel MCAUSER attribute is blank, the user ID received from the client is used.
- If the server-connection channel MCAUSER attribute is blank, and no user ID is received from the client, then the user ID that started the server-connection channel is used.
The IBM MQ client does not flow the asserted user ID to the server when a client-side security exit is in use.
The user ID that runs the channel program
When the user ID fields are derived from the user ID that started the server-connection channel, the following value is used:
- For z/OS®, the user ID assigned to the channel initiator started task by the z/OS started procedures table.
- For TCP/IP (non-z/OS), the user ID from the inetd.conf entry, or the user ID that started the listener.
- For SNA (non-z/OS), the user ID from the SNA Server entry or (if there is none) the incoming attach request, or the user ID that started the listener.
- For NetBIOS or SPX, the user ID that started the listener.
If any server-connection channel definitions exist that have the MCAUSER attribute set to blank, clients can use this channel definition to connect to the queue manager with access authority determined by the user ID supplied by the client. This might be a security exposure if the system on which the queue manager is running allows unauthorized network connections. The IBM MQ default server-connection channel (SYSTEM.DEF.SVRCONN) has the MCAUSER attribute set to blank. To prevent unauthorized access, update the MCAUSER attribute of the default definition with a user ID that has no access to IBM MQ objects.
Case of user IDs
When you define a channel with runmqsc, the MCAUSER attribute is changed to uppercase unless the user ID is contained within single quotation marks.
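Putting the recommendations above into MQSC, as an added example that is not from the IBM MQ documentation: it sets a no-access MCAUSER on SYSTEM.DEF.SVRCONN, defines a dedicated SVRCONN whose MCAUSER is quoted so runmqsc keeps its case, adds a CHLAUTH BLOCKUSER rule, and grants that ID only the authorities it needs. Queue manager QM1, channel APP1.SVRCONN, OS users app1user and nobody, and queue APP1.REQUEST are assumed names.

```shell
#!/bin/sh
# Added example, not from the IBM MQ documentation: emit the MQSC and
# setmqaut commands that implement the recommendations above for one queue
# manager. Assumed names: queue manager QM1, channel APP1.SVRCONN, OS user
# app1user (the MCAUSER identity), OS user nobody (no MQ authority), and
# queue APP1.REQUEST; change them to match your system.

# mqsc_harden CHANNEL APP_USER NOACCESS_USER
# 1) close the blank-MCAUSER hole on SYSTEM.DEF.SVRCONN,
# 2) define a dedicated SVRCONN whose MCAUSER fixes the effective user ID,
# 3) add a CHLAUTH BLOCKUSER rule so MQ administrators cannot use it.
mqsc_harden() {
    cat <<EOF
* Default channel: bind every connection to an ID with no MQ authority.
ALTER CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('$3')
* Application channel. The user ID is quoted so runmqsc keeps its case;
* unquoted, MCAUSER($2) would be stored as uppercase.
DEFINE CHANNEL($1) CHLTYPE(SVRCONN) MCAUSER('$2') REPLACE
* Belt and braces: refuse administrative IDs on the application channel.
SET CHLAUTH($1) TYPE(BLOCKUSER) USERLIST('*MQADMIN')
EOF
}

# setmqaut_minimal QMGR APP_USER QUEUE
# Least privilege for the MCAUSER identity: connect and inquire on the queue
# manager, put to one queue, nothing else. (On UNIX and Linux the authority
# is held by the ID's primary group unless the queue manager is configured
# for user-based authorization.)
setmqaut_minimal() {
    printf 'setmqaut -m %s -t qmgr -p %s +connect +inq\n' "$1" "$2"
    printf 'setmqaut -m %s -t queue -n %s -p %s +put\n' "$1" "$3" "$2"
}

# apply_hardening QMGR CHANNEL APP_USER NOACCESS_USER QUEUE
# Runs the commands when the MQ tools are installed; otherwise prints them
# so they can be reviewed or fed to runmqsc on the server later.
apply_hardening() {
    if command -v runmqsc >/dev/null 2>&1 && command -v setmqaut >/dev/null 2>&1; then
        mqsc_harden "$2" "$3" "$4" | runmqsc "$1"
        setmqaut_minimal "$1" "$3" "$5" | sh
    else
        mqsc_harden "$2" "$3" "$4"
        setmqaut_minimal "$1" "$3" "$5"
    fi
}

if [ "$#" -eq 5 ]; then
    apply_hardening "$@"   # e.g. ./harden.sh QM1 APP1.SVRCONN app1user nobody APP1.REQUEST
fi
```

Run it without arguments on a workstation to review the generated commands, or with the five arguments on the queue manager host to apply them.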
For servers on UNIX, Linux, and Windows, the content of the MCAUserIdentifier field that is received from the client is changed to lowercase.
For servers on IBM i, the content of the LongMCAUserIdentifier field that is received from the client is changed to uppercase.
For servers on UNIX and Linux systems, the content of the LongMCAUserIdentifier field that is received from the client is changed to lowercase.
By default, the user ID that is passed when an MQ JMS bindings application is used is the user ID of the JVM the application is running on.
It is also possible to pass a user ID via the createQueueConnection method.