+

Search Tips | Advanced Search

MQCSP password protection

From IBM MQ Version 8.0, we can send passwords that are included in the MQCSP structure either protected, by using IBM MQ functionality, or encrypted, by using TLS encryption.

MQCSP password protection is useful for test and development purposes as using MQCSP password protection is simpler than setting up TLS encryption, but not as secure. For production purposes, you should use TLS encryption in preference to IBM MQ password protection, especially when the network between the client and queue manager is untrusted, as TLS encryption is more secure.

If you are concerned precisely what encryption is being used, and how much protection it offers, you need to use full TLS encryption. In this situation, the algorithms are publicly known, and you can select the appropriate one for your enterprise by using the SSLCIPH channel attribute.

For more information about the MQCSP structure, see MQCSP structure.

Password protection is used when all of the following conditions are met:

If these conditions are not met, the password is sent in plain text unless prohibited by the PasswordProtection configuration setting.


The PasswordProtection configuration setting

The PasswordProtection attribute in the Channels section of the client and queue manager .ini configuration files can prevent passwords from being sent in plain text. The attribute can take 1 of 3 values. The default value is compatible:

For Java and JMS clients, the behavior of the PasswordProtection attribute changes dependent on the choice of using compatibility mode or MQCSP mode:

For more information about connection authentication with Java and JMS clients, see Connection authentication with the Java client.