MQAUSX without a Client-side Security Exit – Part 2

As mentioned in Part 1, I often get asked if MQAUSX can authenticate a UserID and Password without the requirement of a client-side security exit. The answer is yes.

Part 1 demonstrated how to set a UserID and Password for a client connection to a remote queue manager via code samples (i.e. C, C++, C#, Java & JMS). Part 1 can be found here.

Part 2 will show you how to configure applications like MQ Explorer, MQ Visual Edit, MQ Visual Browse, MQMon (SupportPac MO71), etc. to send a UserID and Password in plain text to a remote queue manager for authentication by MQAUSX.

Very Important
Most people do not realize that the queue manager uses the UserID for authorization ONLY and it throws away the password. The queue manager does NOT call the Local OS (or RACF on the mainframe) for authentication. Yes, it does an authorization check of the UserID against OAM for distributed platforms or RACF (or ACF) for mainframe but not authentication. Now if there is a security exit defined (i.e. MQAUSX) then the UserID and Password are passed to it and it is up to the security exit to perform the authentication.

MQ Visual Edit/MQ Visual Browse
In MQ Visual Edit/MQ Visual Browse, open the Queue Manager Access Profile window for the particular queue manager and fill in the UserID and Password then click Save to save the information.

Now when the user connects to the queue manager, MQ Visual Edit/MQ Visual Browse will use the saved UserID and Password for the connection.

MQ Batch Toolkit
In MQ Batch Toolkit, the AddProfile function allows the user to specify a UserID and Password for the Queue Manager Access Profile, or the user can use the AlterProfile function to update a profile with the UserID and Password.
i.e.
mqbt AddProfile -p MQWT1 -m MQWT1 -c MY.TEST.EXIT -h 127.0.0.1 -n 1415 -u tester -w mypwd

Now when the user connects to the queue manager, MQ Batch Toolkit will use the saved UserID and Password for the connection.

MQ Channel Monitor
In MQ Channel Monitor, follow the instructions in the manual and add the XML tags called UserID and Password to the MQ XML file.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE MQCM_MQ SYSTEM "MQCM_MQ.dtd">
<MQCM_MQ>
<QMgrName>MQWT1</QMgrName>
<Hostname>127.0.0.1</Hostname>
<ChannelName>MY.TEST.EXIT</ChannelName>
<Port>1415</Port>
<UserID>tester</UserID>
<Password>mypwd</Password>
<RefreshRate>10</RefreshRate>
<MonitorChannelName>*</MonitorChannelName>
</MQCM_MQ>

Now when the user connects to the queue manager, MQ Channel Monitor will use the saved UserID and Password for the connection.

MQ File Mover
In MQ File Mover, follow the instructions in the manual and add the XML tags called UserID and Password to the MQ XML file.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE MQFM_MQ SYSTEM "MQFM_MQ.dtd">
<MQFM_MQ>
<QMgrName>MQWT1</QMgrName>
<Hostname>127.0.0.1</Hostname>
<ChannelName>MY.TEST.EXIT</ChannelName>
<Port>1415</Port>
<UserID>tester</UserID>
<Password>mypwd</Password>
</MQFM_MQ>

Now when the user connects to the queue manager, MQ File Mover will use the saved UserID and Password for the connection.
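
The MQ Channel Monitor and MQ File Mover profiles above keep the Password in clear text on disk, so the file's permissions are the only protection it has at rest. The following is an added example (not Capitalware code and not part of the original post) that parses a profile and reports when one containing a Password is readable by group or others; it assumes a POSIX host, the sample is a trimmed copy of the profile shown above, and the names write_sample and audit_profile are hypothetical.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Root elements of the two profile formats shown above.
PROFILE_ROOTS = {"MQCM_MQ": "MQ Channel Monitor", "MQFM_MQ": "MQ File Mover"}

# Constructed sample: the MQ Channel Monitor profile from this page, trimmed.
SAMPLE = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE MQCM_MQ SYSTEM "MQCM_MQ.dtd">
<MQCM_MQ>
<QMgrName>MQWT1</QMgrName>
<Hostname>127.0.0.1</Hostname>
<ChannelName>MY.TEST.EXIT</ChannelName>
<Port>1415</Port>
<UserID>tester</UserID>
<Password>mypwd</Password>
</MQCM_MQ>
"""

def write_sample(mode):
    """Write SAMPLE to a temporary file with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE)
    os.chmod(path, mode)
    return path

def audit_profile(path):
    """Return findings for one profile; an empty list means nothing to fix."""
    root = ET.parse(path).getroot()  # the external DTD is not fetched
    if root.tag not in PROFILE_ROOTS:
        return ["unrecognised root element <%s>" % root.tag]
    user = (root.findtext("UserID") or "").strip()
    password = (root.findtext("Password") or "").strip()
    findings = []
    if password and not user:
        findings.append("Password present without a UserID")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if password and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s profile stores a clear-text Password for '%s' "
                        "with mode %04o; restrict it to the owner (0600)"
                        % (PROFILE_ROOTS[root.tag], user, mode))
    return findings

if __name__ == "__main__":
    sample_path = write_sample(0o644)
    print(audit_profile(sample_path))
    os.remove(sample_path)
```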

MQ Explorer
Setting a UserID and Password in MQ Explorer is only available in version 7.0.0.0 or higher. It is not available in version 6. In MQ Explorer v7, right click on the queue manager name, click Connection Details and click Properties. Select Userid in the left panel of the Properties window, fill in the UserID and Password then click OK to save the information.

Now when the user connects to the queue manager, they will be prompted for the Password.

SupportPac MO71
In SupportPac MO71 (aka MQMon), right click on the queue manager name and click Open Location. Make sure the Client and Userid checkboxes have been selected then click OK to save the information.

Now when the user connects to the queue manager, they will be prompted for the UserID and Password.

QueueZee
In QueueZee, right click on the queue manager name, click Properties and fill in the UserID and Password then click OK to save the information.


Now when the user connects to the queue manager, QueueZee will use the saved UserID and Password for the connection.

WMQTool
In WMQTool, right click on the Root element and select “Add Queue Manager”. On the Queue Manager Connection Information window, fill in the UserID and Password fields and then click OK. Now when the user connects to the queue manager, WMQTool will use the saved UserID and Password for the connection.

SupportPac IH03
SupportPac IH03 (aka rfhutilc) is a very popular SupportPac but I have not been able to figure out how to configure it to send a UserID and Password in plain text to a remote queue manager for authentication by MQAUSX. I followed the documentation: clicked the ‘Set Conn Id’ button, inputted the UserID and Password on the popup window and then clicked OK. But every time I try and use the ‘ReadQ’ button, I receive an error (RC=2538). When I checked the MQAUSX server-side component, it showed that no MQCSP structure was sent (Passwords must be sent via MQCSP structure). If anyone knows how to make this work, then please let me know.

Regards,
Roger Lacroix
Capitalware Inc.
