Securing AMQP clients
You can use a range of security mechanisms to secure connections from AMQP clients and ensure that data is suitably protected on the network. You can build security into your MQ Light applications, and you can also use the existing security features of IBM MQ with AMQP clients, in the same way that those features are used for other applications.
Channel authentication rules (CHLAUTH)
You can use channel authentication rules to restrict the TCP connections to a queue manager. AMQP channels support the channel authentication rules that you configure for the queue manager. If channel authentication rules are defined with a profile that matches any AMQP channels on your queue manager, those rules are applied to those channels. By default, channel authentication is enabled on new IBM MQ queue managers, so you must complete at least some configuration before you can use an AMQP channel.
For more information about how to configure channel authentication rules to allow AMQP connections to your queue manager, see Creating and using AMQP channels.
Connection authentication (CONNAUTH)
You can use connection authentication to authenticate connections to a queue manager. AMQP channels support the use of connection authentication to control access to the queue manager from AMQP applications.
The AMQP protocol uses the SASL (Simple Authentication and Security Layer) framework to specify how a connection is authenticated. There are various SASL mechanisms and IBM MQ supports two SASL mechanisms: ANONYMOUS and PLAIN.
In the case of ANONYMOUS, no credentials are passed from the client to the queue manager for authentication. If the MQ AUTHINFO object specified in the CONNAUTH attribute has a CHCKCLNT value of REQUIRED or REQDADM (if connecting as an administrative user), the connection is refused. If the value of CHCKCLNT is NONE or OPTIONAL, the connection is accepted.
In the case of PLAIN, a user name and password are passed from the client to the queue manager for authentication. If the MQ AUTHINFO object specified in the CONNAUTH attribute has a CHCKCLNT value of NONE, the connection is refused. If the value of CHCKCLNT is OPTIONAL, REQUIRED, or REQDADM (if connecting as an administrative user), the user name and password are checked by the queue manager. The queue manager checks the operating system (if the AUTHINFO object is of type IDPWOS) or an LDAP repository (if the AUTHINFO object is of type IDPWLDAP).
The following table summarizes this authentication behavior:

SASL mechanism | Credentials passed from client to queue manager? | CHCKCLNT value and result
---|---|---
ANONYMOUS | No | REQUIRED or REQDADM: connection refused. NONE or OPTIONAL: connection accepted.
PLAIN | Yes, user name and password | REQUIRED, REQDADM, or OPTIONAL: user name and password checked by the queue manager. NONE: connection refused.
For example, an AMQP connection URL that carries PLAIN credentials (user name mwhitehead, password mYp4ssw0rd) has this form:

    amqp://mwhitehead:mYp4ssw0rd@localhost:5672/sports/football
MCAUSER setting on a channel
AMQP channels have an MCAUSER attribute, which you can use to set the IBM MQ user ID under which all connections to that channel are authorized. All connections from AMQP clients to that channel adopt the MCAUSER ID that you have configured. That user ID is used for authorization of messaging on different topics.
It is recommended that you use channel authentication (CHLAUTH) to secure connections to queue managers. If you are using channel authentication, set the value of MCAUSER to a non-privileged user. This ensures that if a connection to a channel is not matched by a CHLAUTH rule, the connection is not authorized to perform any messaging on the queue manager.
Note: On Windows, before IBM MQ Version 9.1.1, the MCAUSER user ID setting is only supported for user IDs up to 12 characters in length. From Version 9.1.1 Continuous Delivery, and from Version 9.2.0 Long Term Support, the 12 character limit is removed.
SSL/TLS support
AMQP channels support SSL/TLS encryption using keys from the key repository configured for the queue manager. AMQP channel configuration options for SSL/TLS encryption support the same options as other types of MQ channel; you can specify a cipher specification and whether the queue manager requires certificates from AMQP client connections.
By using the FIPS attributes of the queue manager, you can control which SSL/TLS cipher suites can be used to secure connections from AMQP clients.
For information about how to set up a key repository for the queue manager, see Working with SSL or TLS on UNIX, Linux and Windows systems.
For information about how to configure SSL/TLS support for an AMQP client connection, see Creating and using AMQP channels.
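The following MQSC script is an added example, not part of the IBM MQ documentation, that applies the CHLAUTH, CONNAUTH, MCAUSER and SSL/TLS controls described above to one AMQP channel. The queue manager QM1, the channel and AUTHINFO names, the non-privileged user amqpapp, the certificate DN and the client subnet are assumptions; the commented-out lines show the weak settings each hardened line replaces.

```mqsc
* Added example (not from the IBM MQ documentation). Run with: runmqsc QM1
* Assumed names: channel AMQP.SECURE, AUTHINFO AMQP.AUTHINFO, user amqpapp.

* 1. Connection authentication. PLAIN credentials are checked against the
*    operating system and ANONYMOUS connections are refused.
*    Weak form: CHCKCLNT(NONE) accepts ANONYMOUS and refuses PLAIN.
DEFINE AUTHINFO(AMQP.AUTHINFO) AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) ADOPTCTX(YES) REPLACE
ALTER QMGR CONNAUTH(AMQP.AUTHINFO)
REFRESH SECURITY TYPE(CONNAUTH)

* 2. The AMQP channel. MCAUSER is a non-privileged account, so a connection
*    that no CHLAUTH rule maps to another user has no messaging authority.
*    TLS is mandatory and client certificates are required and filtered by DN.
*    Weak form: MCAUSER(' ') with SSLCIPH(' ') and SSLCAUTH(OPTIONAL).
DEFINE CHANNEL(AMQP.SECURE) CHLTYPE(AMQP) PORT(5672) +
       MCAUSER('amqpapp') +
       SSLCIPH('ANY_TLS12_OR_HIGHER') +
       SSLCAUTH(REQUIRED) +
       SSLPEER('O=Example Corp') +
       REPLACE

* 3. Channel authentication rules for this channel only: never let a
*    privileged user ID be adopted, allow the application subnet to use the
*    user ID asserted through CONNAUTH, and refuse every other address.
SET CHLAUTH(AMQP.SECURE) TYPE(BLOCKUSER) USERLIST('*MQADMIN') ACTION(REPLACE)
SET CHLAUTH(AMQP.SECURE) TYPE(ADDRESSMAP) ADDRESS('10.1.2.*') USERSRC(CHANNEL) ACTION(REPLACE)
SET CHLAUTH(AMQP.SECURE) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) ACTION(REPLACE)

* 4. Least-privilege authorization for the adopted user: connect to the
*    queue manager and publish/subscribe under the AMQP topic root only.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('amqpapp') AUTHADD(CONNECT)
SET AUTHREC PROFILE(SYSTEM.BASE.TOPIC) OBJTYPE(TOPIC) PRINCIPAL('amqpapp') AUTHADD(PUB,SUB)

* 5. Start the AMQP service and the channel.
START SERVICE(SYSTEM.AMQP.SERVICE)
START CHANNEL(AMQP.SECURE)
```

After applying the script, DISPLAY CHLAUTH(AMQP.SECURE) MATCH(RUNCHECK) with a client address and user ID shows which rule a given connection would hit before any client is allowed to connect.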
Java Authentication and Authorization Service (JAAS)
You can optionally configure AMQP channels with a JAAS login module, which can check the user name and password provided by an AMQP client. See Configuring JAAS for AMQP channels.
- Restricting AMQP client takeover
  When an AMQP client connection is made that has the same client identifier as an existing AMQP client connection, the existing client connection is disconnected by default. However, you can configure the queue manager to restrict the client takeover behavior so that takeover is possible only when certain criteria are met.
- Configuring JAAS for AMQP channels
  Java Authentication and Authorization Service (JAAS) custom modules can be used to authenticate the user name and password credentials passed to an AMQP channel by an AMQP client when it connects.