This is an update to a posting I made last year; it covers new features in MQAUSX & z/MQAUSX and the changes IBM has made to MQ V8 via Fix Packs.
The following is a comparison of Capitalware's MQ Authenticate User Security Exit (MQAUSX) with the new authentication feature in IBM MQ V8. By authentication, I mean UserId and Password authentication against a target system (e.g. local OS, LDAP, PAM, RACF).
| Authentication | IBM MQ V8 | MQAUSX & z/MQAUSX |
|---|---|---|
| Authentication against Local OS | Yes | Yes |
| Authentication against LDAP Server | Yes | Yes |
| Authentication against LDAP Server using SSL | Yes | Yes |
| Authentication against MS Active Directory from Windows | No | Yes |
| Number of LDAP calls to perform Authentication | 2 | 1* |
| Authentication against Quest Authentication Services | No | Yes |
| Authentication against Centrify's DirectControl | No | Yes |
| Authentication against PAM | Yes** | Yes |
| Authentication against RACF – z/OS only | Yes | Yes |
| Authentication against ACF2 – z/OS only | Yes | Yes |
| Authentication against TopSecret – z/OS only | Yes | Yes |
| File-based authentication (UserId/Password file) | No | Yes |
| Ability to use more than 1 authentication type per Queue Manager | No | Yes |
| Ability to set authentication order | No | Yes |

| Group Functionality | IBM MQ V8 | MQAUSX & z/MQAUSX |
|---|---|---|
| Only allow the connection if the UserId exists in a particular LDAP Group | No | Yes |
| Only allow the connection if the UserId exists in a particular Local OS Group | No | Yes |
| Only allow the connection if the UserId exists in a particular File-based Group | No | Yes |

| Control Functionality | IBM MQ V8 | MQAUSX & z/MQAUSX |
|---|---|---|
| Assign a Password to a Queue Manager | No | Yes |
| Credential Caching | No | Yes |
| Allow/Reject by IP Address | Yes | Yes |
| Allow/Reject by Hostname (DNS) | Yes | Yes |
| Allow/Reject by Host by Name | No | Yes |
| Allow/Reject by SSL DN | Yes | Yes |
| Allow/Reject by UserId | Yes | Yes |
| Allow/Reject by MS Active Directory Name | No | Yes |
| Ability to Reject Self-Signed Certificates | No | Yes |
| Limit the number of connections by Channel | Yes | Yes |
| Ability to secure cluster channels | Yes | Yes |

| Mapping Functionality | IBM MQ V8 | MQAUSX & z/MQAUSX |
|---|---|---|
| Map incoming UserId to another UserId to be used as the connection MCAUSER value | Yes | Yes |
| Map SSL UserId to the connection MCAUSER value | Yes | Yes |
| Map the channel's SSLCertUserID to the connection MCAUSER value – z/OS only | No | Yes |

| Logging Functionality | IBM MQ V8 | MQAUSX & z/MQAUSX |
|---|---|---|
| Logging (& alerting) of Excessive Client Connections | No | Yes |
| Generate an alert when number of connections by Channel reaches a certain percentage | No | Yes |
| Logging of successful connections | Partial | Yes |
| Logging of failed connection attempts | Yes | Yes |
| Write event message for failed connection attempts | Yes*** | Yes |
\* A single LDAP API call (a bind as the user) is used for a standard LDAP v3 server. MQAUSX issues 2 LDAP API calls when Microsoft Active Directory is the LDAP server.
\*\* Requires MQ V8.0.0.3 (Fix Pack 3) or later.
\*\*\* Event messages (authority/channel events) must be enabled on the queue manager first.
MQ V8 offers basic UserId and Password authentication (CONNAUTH) and control over the access granted to an incoming connection (CHLAUTH). MQAUSX offers a more extensive solution: authentication against a variety of different targets plus a wide range of secondary features (groups, credential caching, connection limits, alerting) for controlling incoming connections.
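To make the IBM MQ V8 column concrete, here is the built-in side of the comparison written out as MQSC. This is an added example, not from the original posting and not Capitalware code; the queue manager objects, channel name, IP range, hostname pattern, LDAP details and certificate DNs are assumptions for illustration.

```mqsc
* Added example (not from the original posting). Names and addresses are
* illustrative assumptions.

* 1. Connection authentication (CONNAUTH) against the local OS.
*    CHCKCLNT(REQUIRED) forces every client connection to supply a valid
*    UserId/Password; CHCKLOCL(OPTIONAL) leaves local bindings apps alone.
*    ADOPTCTX(YES) makes the authenticated UserId the one used for OAM checks.
DEFINE AUTHINFO(USE.OS) AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) +
       CHCKLOCL(OPTIONAL) ADOPTCTX(YES) FAILDLAY(1) REPLACE
ALTER QMGR CONNAUTH(USE.OS)
REFRESH SECURITY TYPE(CONNAUTH)

* 1b. PAM instead of the OS password store (MQ V8.0.0.3 or later only).
DEFINE AUTHINFO(USE.PAM) AUTHTYPE(IDPWOS) AUTHENMD(PAM) CHCKCLNT(REQUIRED) +
       ADOPTCTX(YES) REPLACE

* 1c. LDAP instead of the OS (MQ V8 on UNIX/Linux). MQ first searches for the
*     user's DN with LDAPUSER/LDAPPWD, then binds as that user: the two LDAP
*     calls counted in the table. SECCOMM(YES) is the "LDAP using SSL" row.
DEFINE AUTHINFO(USE.LDAP) AUTHTYPE(IDPWLDAP) +
       CONNAME('ldap.example.com(636)') SECCOMM(YES) +
       BASEDNU('ou=people,dc=example,dc=com') +
       USRFIELD('uid') SHORTUSR('uid') CLASSUSR('inetOrgPerson') +
       LDAPUSER('cn=mqbind,dc=example,dc=com') LDAPPWD('assumed-password') +
       CHCKCLNT(REQUIRED) ADOPTCTX(YES) REPLACE
* Only one AUTHINFO can be active per queue manager (the "more than 1
* authentication type" row): ALTER QMGR CONNAUTH(USE.LDAP) would replace USE.OS.

* 2. CHLAUTH: deny everything on APP.* channels, then open specific holes.
SET CHLAUTH('APP.*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    ACTION(REPLACE) DESCR('Backstop: deny all')
* Allow/Reject by IP address
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.1.2.*') +
    USERSRC(CHANNEL) ACTION(REPLACE) DESCR('Allow app subnet')
* Allow/Reject by hostname (needs ALTER QMGR REVDNS(ENABLED))
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*.corp.example.com') +
    USERSRC(CHANNEL) ACTION(REPLACE) DESCR('Allow corp hosts by DNS name')
* Allow by SSL DN and map it to the MCAUSER; SSLCERTI pins the issuer
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=appclient,O=Example') SSLCERTI('CN=Example CA,O=Example') +
    USERSRC(MAP) MCAUSER('appuser') ACTION(REPLACE)
* Map an incoming UserId to another UserId for the MCAUSER
SET CHLAUTH('APP.SVRCONN') TYPE(USERMAP) CLNTUSER('alice') +
    USERSRC(MAP) MCAUSER('appuser') ACTION(REPLACE)
* Reject privileged UserIds outright (*MQADMIN is blocked by default)
SET CHLAUTH('APP.SVRCONN') TYPE(BLOCKUSER) USERLIST('mqm','*MQADMIN') +
    ACTION(REPLACE)

* 3. Check which rule a real connection would hit before going live.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('10.1.2.30') CLNTUSER('alice')
```

Two practitioner caveats that follow from the table rows. First, CHLAUTH rules are not evaluated in the order you define them; the most specific match by channel name and rule type (SSLPEERMAP before USERMAP before ADDRESSMAP) wins, which is why MQ V8 gets a "No" for "set authentication order" and why the MATCH(RUNCHECK) display is worth running. Second, with CHCKCLNT(REQUIRED) the password is validated against the UserId the client asserted (CLNTUSER), and only then is USERSRC(MAP) applied, so a mapping rule never bypasses the password check.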
I hope the above information is useful.
Regards,
Roger Lacroix
Capitalware Inc.