Capitalware has an MQ solution called MQ Authenticate User Security Exit (MQAUSX).
MQ Authenticate User Security Exit (MQAUSX) is a solution that allows a company to fully authenticate a user who is accessing an IBM MQ resource. It authenticates the user’s UserID and Password against the server’s native OS system, LDAP server, Microsoft’s Active Directory, Quest Authentication Services (QAS), Centrify’s DirectControl or an encrypted MQAUSX FBA file.
Recently, a customer asked for 2 enhancements to MQAUSX:
1. They asked to have the “Remote Product” and “Remote Version” fields from the MQCD structure be included on the log record outputted to the log file.
2. They asked to have all of the SSL/TLS fields from both the MQCD and MQCXP structures be included on the log record outputted to the log file.
When MQAUSX is running with LogMode set to ‘N’ (Normal), the log record outputted to the log file looks like:
Connection accepted for MCA_UID="tester" UserID="tester" UserSpecifiedServer="" QMgr="MQA1" ChlName="TEST.EXIT" ConName="10.10.10.101" Server="" RemoteUserID="tester"
A long time ago, when I was first developing MQAUSX, one of the authentication targets included was Microsoft’s Active Directory for when the server-side component was running on a Windows server. Hence, MQAUSX has 2 keywords that control which Active Directory is the target for authentication: UseServerName and ServerName. A customer requested that the end-user be allowed to change the target AD server, so another keyword called AllowUserAlterServerName was added to MQAUSX. These 3 keywords are only used when the MQAUSX server-side component is running on a Windows server.
As I was looking at the code to add the new requests to MQAUSX, I realized that MQAUSX outputs the log record with UserSpecifiedServer and Server on all distributed platforms (AIX, HP-UX, Linux, IBM i, Solaris and Windows). But really, that information is only applicable on Windows. Hence, I have decided to exclude those fields on all platforms except for Windows. Since a majority of customers do not use either AllowUserAlterServerName or UseServerName on Windows, if those keywords are set to ‘N’ then those fields will be excluded. Hence, the new log record outputted to the log file will look like:
Connection accepted for MCA_UID="tester" UserID="tester" QMgr="MQA1" ChlName="TEST.EXIT" ConName="10.10.10.101" RemoteUserID="tester"
I also noticed that in the code for a rejected connection, sometimes the log record had “Connection failed” and in other instances it had “Connection rejected”. I decided to change all of them to “Connection rejected” for consistency.
MQAUSX will have 2 new keywords to support the customer’s request:
- LogRemoteClientInfo
- LogClientSSLInfo
When LogRemoteClientInfo is set to ‘Y’ then the RemoteProduct and RemoteVersion fields from the MQCD structure will be added to the log record written to the log file.
Note: The RemoteProduct and RemoteVersion fields are available on IBM MQ v8.0 or higher.
i.e.
Connection accepted for MCA_UID="tester" UserID="tester" QMgr="MQA1" ChlName="TEST.EXIT" ConName="10.10.10.101" RemoteUserID="tester" RemoteProduct="MQCC" RemoteVersion="09030100"
When LogClientSSLInfo is set to ‘Y’ then the SSLCertUserid* and SSLRemCertIssName fields (from the MQCD structure) and the SSLCipherSpec, SSLPeerName, SSLClientAuth and CertificateLabel fields (from the MQCXP structure) will be added to the log record written to the log file.
Note #1: The SSLCertUserid, SSLRemCertIssName, SSLCipherSpec, SSLPeerName and SSLClientAuth fields are available on WebSphere MQ (aka IBM MQ) v6.0 or higher. The CertificateLabel field is available on IBM MQ v8.0 or higher.
*Note #2: The SSLCertUserid field is only available when MQAUSX for z/OS is running on a z/OS (mainframe) queue manager.
i.e. Distributed platforms:
Connection accepted for MCA_UID="tester" UserID="tester" QMgr="MQA1" ChlName="TEST.EXIT" ConName="10.10.10.101" RemoteUserID="tester" SSLRemCertIssName="" SSLCipherSpec="" SSLPeerName="" SSLClientAuth="Optional" CertificateLabel=""
i.e. z/OS:
Connection accepted for MCA_UID="tester" UserID="tester" QMgr="MQA1" ChlName="TEST.EXIT" ConName="10.10.10.101" RemoteUserID="tester" SSLCertUserid="" SSLRemCertIssName="" SSLCipherSpec="" SSLPeerName="" SSLClientAuth="Optional" CertificateLabel=""
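The following is an added example, not part of MQAUSX or of the original post: a Python parser for the key="value" log records shown above that flags accepted connections worth a second look once LogRemoteClientInfo and LogClientSSLInfo are enabled. The function names are hypothetical, the second and fourth sample records are constructed, and it assumes that an empty SSLCipherSpec means the channel ran without TLS and that RemoteVersion uses IBM MQ's VVRRMMFF layout.

```python
import re

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')  # assumes values hold no embedded double quotes
STATUS_RE = re.compile(r'\bConnection (accepted|rejected)\b')  # tolerates a leading prefix

# Records 0 and 2 are the samples from the post; records 1 and 3 are constructed.
SAMPLES = [
    'Connection accepted for MCA_UID="tester" UserID="tester" QMgr="MQA1" ChlName="TEST.EXIT" ConName="10.10.10.101" RemoteUserID="tester" SSLRemCertIssName="" SSLCipherSpec="" SSLPeerName="" SSLClientAuth="Optional" CertificateLabel=""',
    'Connection accepted for MCA_UID="appsvc" UserID="appsvc" QMgr="MQA1" ChlName="APP.SVRCONN" ConName="10.10.10.102" RemoteUserID="appsvc" RemoteProduct="MQCC" RemoteVersion="09030100" SSLRemCertIssName="CN=Example CA,O=Example" SSLCipherSpec="TLS_AES_256_GCM_SHA384" SSLPeerName="CN=app01,O=Example" SSLClientAuth="Required" CertificateLabel=""',
    'Connection accepted for MCA_UID="tester" UserID="tester" QMgr="MQA1" ChlName="TEST.EXIT" ConName="10.10.10.101" RemoteUserID="tester" RemoteProduct="MQCC" RemoteVersion="09030100"',
    'Connection accepted for MCA_UID="batch" UserID="batch" QMgr="MQA1" ChlName="APP.SVRCONN" ConName="10.10.10.103" RemoteUserID="batch" SSLRemCertIssName="" SSLCipherSpec="TLS_AES_256_GCM_SHA384" SSLPeerName="" SSLClientAuth="Optional" CertificateLabel=""',
]

def parse_record(line):
    """Return (status, fields) for one MQAUSX log record, or None if it is not one."""
    m = STATUS_RE.search(line)
    return (m.group(1), dict(FIELD_RE.findall(line))) if m else None

def decode_version(vvrrmmff):
    """Turn a RemoteVersion such as '09030100' into '9.3.1.0'; None if malformed."""
    if not re.fullmatch(r'\d{8}', vvrrmmff):
        return None
    return '.'.join(str(int(vvrrmmff[i:i + 2])) for i in range(0, 8, 2))

def audit(line):
    """Return the findings for one record; an empty list means nothing to flag."""
    parsed = parse_record(line)
    if parsed is None:
        return ['unparsed']
    status, f = parsed
    if status != 'accepted':
        return []
    if 'SSLCipherSpec' not in f:
        return ['tls-unknown']      # LogClientSSLInfo was not enabled for this record
    if f['SSLCipherSpec'] == '':
        return ['no-tls']           # assumption: empty CipherSpec means a cleartext channel
    if not f.get('SSLPeerName'):
        return ['no-client-cert']   # TLS in use, but the client presented no certificate
    return []

if __name__ == '__main__':
    for line in SAMPLES:
        _, fields = parse_record(line)
        print(fields['ChlName'], fields['ConName'],
              decode_version(fields.get('RemoteVersion', '')), audit(line))
```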
If anyone would like to test out the latest release then send an email to support@capitalware.com
Regards,
Roger Lacroix
Capitalware Inc.