New Authentication Feature for MQAUSX (and z/MQAUSX)

I have been researching various ways of increasing the security that MQ Authenticate User Security Exit (MQAUSX) could apply when a client application connects to an MQ queue manager.

I have been doing a lot of reading on factors of authentication, i.e. something you know, something you have, and something you are. Two-factor and multi-factor authentication are great when the system is protecting an end-user from hackers logging into their account. The problem is that only 5% (or less) of the connection attempts that MQAUSX processes are from actual people. 95% (or more) of the connection attempts are from back-end applications. Hence, having the back-end application use a chip-card or RSA fob is just not possible, nor is the use of biometrics (fingerprint or voice print). I’ll really become worried when a back-end application has a voice or finger!!!!

So I was having a tough time trying to figure out what could be done, added or extended, so that MQAUSX could provide a higher level of security when a back-end application and/or an end-user makes a connection attempt to a queue manager. Currently, the application or user logs on with their UserID and Password and MQAUSX authenticates those credentials against the target system which the MQAdmin has previously defined, i.e. local OS system, LDAP server, Microsoft’s Active Directory, Quest Authentication Services (QAS), Centrify’s DirectControl or an encrypted MQAUSX FBA file.

So, last week while staring at the MQAUSX client-side logon screen, it occurred to me that one way to add an extra layer of security to the standard UserID and Password would be to also require a Password for the queue manager. An MQAdmin could define a Password for a queue manager via the MQAUSX configuration file (it would be encrypted of course). So, when enabled, a back-end application and/or end-user would need to not only know their UserID and Password but also the queue manager’s Password to successfully log in.

Defining and requiring a queue manager Password in MQAUSX is like adding perimeter security to your system or putting your valuables in a safe and putting that safe in another safe. 🙂

I have done the coding and been beta testing it this past week. I have been doing lots and lots of testing, so that the latest release is backwards compatible with older releases of MQAUSX. Obviously, if you want to use the new feature then both the server-side and client-side need to be at the latest release of MQAUSX.

If you would like to try out the new feature then send an email to support@capitalware.com and we will send you the latest release of MQAUSX or z/MQAUSX.

Regards,
Roger Lacroix
Capitalware Inc.
