MQAUSX Explained or Better Explained

Every once in a while, I get requests to explain what/how MQ Authenticate User Security Exit (MQAUSX) and/or MQ Authenticate User Security Exit for z/OS (z/MQAUSX) work.

    Client-side perspective:

  • If the client application is configured with the MQAUSX client-side security exit, then the user credentials are encrypted by the exit before they are sent to the remote queue manager. This gives the strongest protection of the credentials in transit.
  • If the client application is not configured with the client-side security exit and both the client AND the queue manager are at MQ V8 or higher, then MQ itself will protect the user credentials as they flow from the client application to the queue manager. Note: there has been a lot of discussion about the effectiveness of MQ's built-in credential protection. Even IBM's position has changed, and IBM no longer recommends relying on it in production environments (TLS on the channel is IBM's recommended way to protect credentials in transit).
  • If the client application is not configured with the client-side security exit and MQ's built-in protection does not apply (for example, either side is below MQ V8), then the user credentials are sent in plain text to the remote queue manager. Supplying a UserID and Password on the connection is built into the Java/JMS, Java and C# DotNet client classes. Native applications (i.e. C/C++) must populate the MQCSP structure with the UserID and Password and pass it on the MQCONNX call.
  • If the MQAdmin sets the MQAUSX IniFile parameter NoAuth to Y, then MQAUSX functions just like MQ Standard Security Exit (MQSSX). MQSSX does not authenticate; it only filters the incoming connection based on UserID, IP address, hostname and/or SSL DN.
    MQAUSX server-side can authenticate user credentials against the following targets:

  • Server’s native OS system (Local OS)
  • Remote LDAP server
  • Microsoft’s Active Directory
  • Quest Authentication Services* (QAS) aka Vintela Authentication Services* (VAS)
  • Centrify’s DirectControl*
  • PAM* (Pluggable Authentication Module)
  • An encrypted MQAUSX FBA file (similar to /etc/passwd file).

*Linux and Unix only.

Capitalware recommends disabling both CONNAUTH and CHLAUTH and using the features of MQAUSX to perform filtering, authentication and setting of the connection's UserId (which will be used by MQ's OAM to perform authorization). If you do that, the exit becomes the only control on inbound connections, so make sure it is configured (SCYEXIT) on every channel that clients can reach; a channel without it would then have no filtering or authentication at all.

The MQAdmin can have some channels authenticate the user credentials against an LDAP server, other channels of the same queue manager authenticate against the Local OS, AND yet other channels go against other target authentication mechanisms. With CONNAUTH, you can only configure one target (a single AUTHINFO object) per queue manager.

    The sequence of events that MQAUSX server-side component goes through for each connection request:

  • Perform Maximum Connections per Channel (MCC) check if enabled
  • Perform AllowHostname, AllowHostByName, AllowIP & AllowSSLDN checks (that are enabled)
  • Perform RejectHostname, RejectHostByName, RejectIP & RejectSSLDN checks (that are enabled)
  • Request information from the MQAUSX client-side security exit when it is in use; otherwise, wait for MQ to invoke the exit with the user credentials
  • Perform Queue Manager Password check if enabled
  • Perform Self-Signed Certificate check if enabled
  • Perform Allowmqm & AllowBlankUserID checks if enabled
  • Perform AllowUserID check if enabled
  • Perform RejectUserID check if enabled
  • Perform Group check if enabled
  • If Credential Cache is enabled then check cache otherwise perform authentication (if cache entry has expired then perform authentication)
  • Set the UserId for the connection, using one of:

    • The UserId used for authentication (default)
    • The value in the channel's MCAUSER field (see UseMCAUser)
    • z/OS only – if UseSSLCertUserID is set, the value in the channel's SSLCertUserid field
    • The UserId from the SSL certificate (see UseSSLUserIDFromDN)
    • The UserId from the LDAP ANR (see ExtractUserIDFromANR)
    • The Proxy UserId, if Proxy look up is enabled (see UseProxy)

  • If CheckFinalUserID is enabled, recheck the UserID against Allowmqm, AllowUserID & RejectUserID

If everything is correct then MQAUSX server-side component will set the connection’s UserId and a log entry will be written to the LogFile. Here is an example of a successful connection:

Connection accepted for MCA_UID='tester' UserID='tester' UserSpecifiedServer='' QMgr='MQWT1' ChlName='TEST.EXIT' ConName='10.10.10.10' Server='' RemoteUserID='roger'
    where:

  • MCA_UID is the UserId that is set by MQAUSX and will be used for the connection
  • UserID is the UserId that was authenticated
  • UserSpecifiedServer is the MS AD server name specified by the user, if allowed**
  • QMgr is the queue manager name
  • ChlName is the channel name for this connection
  • ConName is the client IP address
  • Server is the MS AD server used for authentication**
  • RemoteUserID is the UserId that the client application is actually running under

** Windows only.

If the incoming connection fails any filter, authentication or other check, then the MQAUSX server-side component will immediately close the channel and write a log entry to the LogFile. Here is an example of a failed connection attempt:

Connection failed for UserID='tester' UserSpecifiedServer='' QMgr='MQWT1' ChlName='TEST.EXIT' ConName='10.10.10.10' Server='' RemoteUserID='roger'
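The two LogFile entries above are the main audit trail the exit leaves, and the interesting findings come from comparing the fields, not from reading single lines. The following is an added example (my own code, not part of MQAUSX or of the original post) that parses entries in the format shown and raises the three things I would want an operator to look at: repeated failures from one ConName, accepted connections where MCA_UID differs from the authenticated UserID (i.e. MCAUSER, proxy or DN mapping changed the identity the OAM will see), and accepted connections where RemoteUserID differs from UserID (the client process runs as one OS user but presented another user's password). The sample log lines are constructed for the example; real LogFile entries may carry a timestamp or other prefix, which the parser tolerates because it searches for the "Connection accepted/failed for" marker rather than anchoring at the start of the line.

```python
import re
from collections import Counter

# key='value' pairs as written in MQAUSX LogFile entries (values may be empty).
FIELD_RE = re.compile(r"(\w+)='([^']*)'")
OUTCOME_RE = re.compile(r"Connection (accepted|failed) for ")

# Constructed sample entries in the format shown in the post (not a real LogFile).
SAMPLE_LOG = [
    "Connection accepted for MCA_UID='tester' UserID='tester' UserSpecifiedServer='' "
    "QMgr='MQWT1' ChlName='TEST.EXIT' ConName='10.10.10.10' Server='' RemoteUserID='roger'",
    "Connection failed for UserID='tester' UserSpecifiedServer='' QMgr='MQWT1' "
    "ChlName='TEST.EXIT' ConName='10.10.10.10' Server='' RemoteUserID='roger'",
    "Connection failed for UserID='admin' UserSpecifiedServer='' QMgr='MQWT1' "
    "ChlName='TEST.EXIT' ConName='192.0.2.7' Server='' RemoteUserID='bob'",
    "Connection failed for UserID='root' UserSpecifiedServer='' QMgr='MQWT1' "
    "ChlName='TEST.EXIT' ConName='192.0.2.7' Server='' RemoteUserID='bob'",
    "Connection failed for UserID='mqm' UserSpecifiedServer='' QMgr='MQWT1' "
    "ChlName='TEST.EXIT' ConName='192.0.2.7' Server='' RemoteUserID='bob'",
    "Connection accepted for MCA_UID='appsvc' UserID='alice' UserSpecifiedServer='' "
    "QMgr='MQWT1' ChlName='APP.SVRCONN' ConName='10.10.10.20' Server='' RemoteUserID='alice'",
    "Connection accepted for MCA_UID='mqm' UserID='mqm' UserSpecifiedServer='' "
    "QMgr='MQWT1' ChlName='ADMIN.SVRCONN' ConName='10.10.10.30' Server='' RemoteUserID='mqm'",
    "Reloaded IniFile",  # unrelated entry: must be skipped, not crash the parser
]


def parse_line(line):
    """Return a dict of the fields in one accept/fail entry, or None for any other line."""
    m = OUTCOME_RE.search(line)  # search, not match: a timestamp prefix is fine
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(line[m.end():]))
    rec["outcome"] = m.group(1)
    return rec


def analyse(lines, fail_threshold=3):
    """Summarise accept/fail entries and flag the conditions worth reviewing."""
    accepted, failed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        (accepted if rec["outcome"] == "accepted" else failed).append(rec)

    # The exit closes the channel on every failure, so a burst of failures from
    # one address is either credential guessing or a badly configured client.
    failures_by_conname = Counter(r["ConName"] for r in failed)
    noisy_sources = sorted(c for c, n in failures_by_conname.items() if n >= fail_threshold)

    # MCA_UID != UserID: the identity the OAM will authorize is not the one that
    # authenticated (UseMCAUser, UseProxy, UseSSLUserIDFromDN or similar applied).
    remapped = [(r["UserID"], r["MCA_UID"], r["ChlName"])
                for r in accepted if r["MCA_UID"] != r["UserID"]]

    # RemoteUserID != UserID: the client process runs as one OS user but presented
    # another user's credentials; review for shared or embedded passwords.
    borrowed = [(r["RemoteUserID"], r["UserID"], r["ConName"])
                for r in accepted if r["RemoteUserID"] != r["UserID"]]

    # A connection that ends up as mqm has full administrative authority, so
    # list every channel that let one in.
    mqm_channels = sorted({r["ChlName"] for r in accepted if r["MCA_UID"] == "mqm"})

    return {
        "accepted": len(accepted),
        "failed": len(failed),
        "noisy_sources": noisy_sources,
        "remapped": remapped,
        "borrowed_credentials": borrowed,
        "mqm_channels": mqm_channels,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real LogFile with `analyse(open(path).read().splitlines())`. The failure threshold is a per-site choice; three is deliberately low so that the constructed sample trips it, and on a busy queue manager you would also want to bucket failures by time window rather than over the whole file.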

Finally, Capitalware offers free 60-day trials of both MQAUSX and z/MQAUSX, which include free support (no strings attached). If you are interested in trying it out, please send an email to support@capitalware.com to request a trial of MQAUSX or z/MQAUSX.

Regards,
Roger Lacroix
Capitalware Inc.


Jonathan Levell will be Speaking at MQTC v2.0.1.8

Jonathan Levell of IBM will be presenting the following sessions at MQ Technical Conference v2.0.1.8 (MQTC):

    Jonathan Levell’s Technical Sessions:

  • Connecting IoT Devices and Mobile Applications to your Enterprise with IBM IoT MessageSight & IBM MQ
  • MQTT: The Protocol for the Internet of Things

For more information about MQTC, please go to:
http://www.mqtechconference.com

Regards,
Roger Lacroix
Capitalware Inc.


Capitalware Products 2018 Release Train

Here is a summary of all the recent releases that Capitalware Inc. has published:

    Updated ‘License as Free’ products:

  • MQ Channel Auto Creation Manager v1.0.4
  • MQ Channel Auto Creation Manager for z/OS v1.0.4
  • MQ Set UserID v1.0.3
  • MQ Set UserID for z/OS v1.0.3
  • Client-side Security Exit for Depository Trust Clearing Corporation v1.0.3
  • Client-side Security Exit for Depository Trust Clearing Corporation for z/OS v1.0.3

Regards,
Roger Lacroix
Capitalware Inc.


New: MQ Message Replication v2.0.0

Capitalware Inc. would like to announce the official release of MQ Message Replication v2.0.0. This is a FREE upgrade for ALL licensed users of MQ Message Replication. MQ Message Replication (MQMR) will clone messages being written (via MQPUT or MQPUT1 API calls) to an application’s output queue and MQMR will write the exact same messages to ‘n’ target queues (‘n’ can be up to 100). When MQMR replicates a message both the message data and the message’s MQMD structure will be cloned.

For more information about MQMR, please go to:
https://www.capitalware.com/mqmr_overview.html

    Changes for MQ Message Replication v2.0.0:

  • Added UseSyncPoint keyword to enable syncpoint for cloned messages.
  • Added the ability to clear the MQMD Report Options field – new keywords: ClearRO, ClearROCOA, ClearROCOD, ClearROPAN, ClearRONAN, ClearROException & ClearROExpiration
  • Added the ability to skip messages with the MQMD Feedback field set to particular values – new keywords: SkipCOA, SkipCOD, SkipPAN, SkipNAN & SkipExpiration
  • Fixed an issue with the handling of reloading the IniFile
  • Fixed an issue with determining the application name.
  • Fixed an issue in the logging framework where a constant was being modified.
  • Added 2 auxiliary programs: MQ2SDB & SDB2MQ

    • MQ Queue To SQLite DB (MQ2SDB) program will offload MQ messages to an SQLite database.
    • SQLite DB To MQ Queue (SDB2MQ) program will load SQLite database rows into messages in an MQ queue.

Regards,
Roger Lacroix
Capitalware Inc.


New: MQ Message Encryption v4.0.0

Capitalware Inc. would like to announce the official release of MQ Message Encryption v4.0.0. This is a FREE upgrade for ALL licensed users of MQ Message Encryption. MQME provides encryption for MQ message data while it resides in a queue and in the MQ logs (i.e. all data at rest).

For more information about MQME, please go to:
https://www.capitalware.com/mqme_overview.html

    Changes for MQ Message Encryption v4.0.0:

  • Added Topic section so that MQME will protect topics.
  • Added UseExcludeTopics and ExcludeTopics keywords to explicitly exclude topics from being protected.
  • Added EncPassPhrase keyword to support the use of encrypted PassPhrase.
  • Added ‘enc_pp’ program that will create an encrypted PassPhrase.
  • Fixed an issue with determining the application name.
  • Removed MQAPILevel keyword as it is no longer needed.
  • Changed when the authorization is performed. It is now done during the MQOPEN rather than at MQGET and/or MQPUT/MQPUT1.
  • Fixed an issue in the logging framework where a constant was being modified.

Regards,
Roger Lacroix
Capitalware Inc.


New: MQ Channel Encryption v3.2.0

Capitalware Inc. would like to announce the official release of MQ Channel Encryption (MQCE) v3.2.0. This is a FREE upgrade for ALL licensed users of MQCE. MQCE provides encryption for message data over IBM MQ channels.

MQCE operates with Sender, Receiver, Server, Requester, Cluster-Sender, Cluster-Receiver, Server Connection and Client Connection channels of the WMQ queue managers. MQCE uses Advanced Encryption Standard (AES) to encrypt the data and SHA-2 to create a digital signature.

For more information about MQCE go to:
https://www.capitalware.com/mqce_overview.html

    Changes for MQ Channel Encryption v3.2.0:

  • Added EncPassPhrase keyword to support the use of encrypted PassPhrase.
  • Added ‘enc_pp’ program that will create an encrypted PassPhrase.
  • Added additional debug logging information
  • Fixed an issue in the logging framework where a constant was being modified.

Regards,
Roger Lacroix
Capitalware Inc.


New: MQ Channel Encryption for z/OS v3.2.0

Capitalware Inc. would like to announce the official release of MQ Channel Encryption for z/OS (z/MQCE) v3.2.0. This is a FREE upgrade for ALL licensed users of z/MQCE. z/MQCE provides encryption for message data over IBM MQ channels.

z/MQCE operates with Sender, Receiver, Server, Requester, Cluster-Sender, Cluster-Receiver, Server Connection and Client Connection channels of the WMQ queue managers. z/MQCE uses Advanced Encryption Standard (AES) to encrypt the data and SHA-2 to create a digital signature.

For more information about z/MQCE go to:
https://www.capitalware.com/mqce_zos_overview.html

    Changes for MQ Channel Encryption for z/OS v3.2.0:

  • Added EncPassPhrase keyword to support the use of encrypted PassPhrase.
  • Added ‘ENC_PP’ program that will create an encrypted PassPhrase.
  • Added additional debug logging information
  • Fixed an issue in the logging framework where a constant was being modified.

Regards,
Roger Lacroix
Capitalware Inc.


New: MQ Channel Throttler v1.1.0

Capitalware Inc. would like to announce the official release of MQ Channel Throttler v1.1.0. This is a FREE upgrade for ALL licensed users of MQ Channel Throttler. MQCT provides the ability to control/throttle the number of messages or bytes that flow over a channel.

For more information about MQCT, please go to:
https://www.capitalware.com/mqct_overview.html

  • Added extra checks for null pointers
  • Performed some tuning to some highly used functions
  • Fixed an issue with counting message/bytes for MQGET.
  • Added code to determine Endianness on startup.
  • Fixed an issue related to MQOD structure.
  • Fixed an issue related to MQPMO structure.
  • Fixed an issue related to MQGMO structure.
  • Fixed an issue related to MQMD structure.
  • Fixed an issue in the logging framework where a constant was being modified.

Regards,
Roger Lacroix
Capitalware Inc.


New: MQ Authenticate User Security Exit v3.3.0

Capitalware Inc. would like to announce the official release of MQ Authenticate User Security Exit v3.3.0. This is a FREE upgrade for ALL licensed users of MQ Authenticate User Security Exit. MQ Authenticate User Security Exit is a solution that allows a company to fully authenticate a user who is accessing an IBM MQ resource. It authenticates the user’s UserID and Password (and possibly Domain Name) against the server’s native OS system, LDAP server, Microsoft’s Active Directory, Quest Authentication Services, Centrify’s DirectControl or an encrypted MQAUSX FBA file.

For more information about MQ Authenticate User Security Exit go to:
https://www.capitalware.com/mqausx_overview.html

Changes for MQ Authenticate User Security Exit v3.3.0:

    Server-side:

  • Added code to check all cache entries if they have expired.
  • For Linux and Windows switched to Novell’s latest release of LDAP Libraries for C
  • Fixed an issue in the logging framework where a constant was being modified.

Regards,
Roger Lacroix
Capitalware Inc.


New: MQ Authenticate User Security Exit for z/OS v3.3.0

Capitalware Inc. would like to announce the official release of MQ Authenticate User Security Exit for z/OS v3.3.0. This is a FREE upgrade for ALL licensed users of MQ Authenticate User Security Exit for z/OS. MQ Authenticate User Security Exit for z/OS is a solution that allows a company to fully authenticate a user who is accessing an IBM MQ for z/OS resource. It authenticates the user’s UserID and Password against the native z/OS system or an encrypted MQAUSX FBA file.

For more information about MQ Authenticate User Security Exit for z/OS go to:
https://www.capitalware.com/mqausx_zos_overview.html

Changes for MQ Authenticate User Security Exit for z/OS v3.3.0:

    Server-side:

  • Added code to check all cache entries if they have expired.
  • Fixed an issue in the logging framework where a constant was being modified.

Regards,
Roger Lacroix
Capitalware Inc.
