MQAUSX without a Client-side Security Exit – Part 1

Quite often I get asked if MQAUSX can authenticate a UserID and Password without the requirement of a client-side security exit. The answer is yes. MQAUSX is actually 3 products in one:

1. If the client application is configured with the client-side security exit then the user credentials are encrypted and sent across the wire to the remote queue manager. This is the best level of security.

2. If the client application is not configured with the client-side security exit then the user credentials are sent in plain text to the remote queue manager. This feature is available for Java/JMS, Java and C# DotNet client applications. For native applications (i.e. C/C++), then the application must use and populate the MQCSP structure with the UserID and Password.

3. If the MQAdmin sets the MQAUSX IniFile parameter NoAuth to Y then it functions just like MQSSX. MQSSX does not authenticate. It filters the incoming connection based on UserID, IP address and/or SSL DN.

Here are some simple programming examples where MQ will send the client supplied UserID and Password to the remote queue manager in plain text:

1. WebSphere MQ base Java

MQEnvironment.hostname = "10.10.10.10(1414)";
MQEnvironment.channel = "SYSTEM.DEF.SVRCONN";
MQEnvironment.userID = "roger";
MQEnvironment.password = "mypswd";
MQQueueManager _qMgr = new MQQueueManager("TESTQM");

2. WebSphere MQ base JMS

mqQCF = new MQQueueConnectionFactory();
mqQCF.setQueueManager("TESTQM");
mqQCF.setHostName("10.10.10.10(1414)");
mqQCF.setChannel("SYSTEM.DEF.SVRCONN");
mqQCF.setTransportType(JMSC.MQJMS_TP_CLIENT_MQ_TCPIP);
conn = mqQCF.createQueueConnection("roger", "mypswd");

3. C# .Net

MQEnvironment.Hostname = “10.10.10.10(1414)”;
MQEnvironment.Channel = “SYSTEM.DEF.SVRCONN”;
MQEnvironment.UserId = “roger”;
MQEnvironment.Password = “mypswd”;
MQQueueManager _qMgr = new MQQueueManager(“TESTQM”);

4. C

char QMName[MQ_Q_MGR_NAME_LENGTH+1] = "TESTQM";
char UserId[64] = "roger";
char Password[64] = "mypswd";

strncpy(ClientConn.ConnectionName, "10.10.10.10(1414)", MQ_CONN_NAME_LENGTH);
strncpy(ClientConn.ChannelName, "SYSTEM.DEF.SVRCONN", MQ_CHANNEL_NAME_LENGTH);
mqCSP.AuthenticationType = MQCSP_AUTH_USER_ID_AND_PWD;
mqCSP.CSPUserIdPtr = &UserId;
mqCSP.CSPUserIdLength = strlen(UserId);
mqCSP.CSPPasswordPtr = &Password;
mqCSP.CSPPasswordLength = strlen(Password);
ConnectOptions.SecurityParmsPtr = &mqCSP;
ConnectOptions.ClientConnPtr = &ClientConn;
ConnectOptions.Version = MQCNO_VERSION_2;
MQCONNX (QMName, &ConnectOptions, &HConn, &CompCode, &Reason);

5. C++

pchannel = new ImqChannel;
pchannel -> setConnectionName("10.10.10.10(1414)");
pchannel -> setChannelName("SYSTEM.DEF.SVRCONN");
pchannel -> setTransportType( MQXPT_TCP );
pchannel -> setUserId( "roger" );
pchannel -> setPassword( "mypswd" );
mgr.setName(QMName);
mgr.setChannelReference( pchannel );
if ( mgr.connect( ) )
{
}

As you can see, it is easy to set a UserID and Password for a client connection to a remote queue manager. When the MQAUSX server-side component receives a plain text UserID and Password, it is authenticated against whatever target the MQAdmin has setup (i.e. Local OS, LDAP, etc..)

In part 2, I will show you how to configure applications like MQ Explorer, MQMon (SupportPac MO71), etc.. to send a UserID and Password in plain text to a remote queue manager for authentication by MQAUSX.

Regards,
Roger Lacroix
Capitalware Inc.

This entry was posted in .NET, C, C++, Capitalware, Java, JMS, MQ, MQ Authenticate User Security Exit, Programming, Security.

Comments are closed.