amita09
Posted: Thu Nov 17, 2005 1:58 am    Post subject: basic security question
Novice    Joined: 13 Oct 2005    Posts: 24
Is it possible to provide a login and password when trying to connect to a queue manager from an application using the MQ API?
Assume MQ is deployed on Solaris. My application is running on Solaris as well. I want to make sure that all apps that interface to MQ are able to pass a username and password to access the queue manager.
wschutz
Posted: Thu Nov 17, 2005 2:47 am    Post subject:
Jedi Knight    Joined: 02 Jun 2005    Posts: 3316    Location: IBM (retired)
MQ V6 adds a new structure to the MQCONNX call (MQCSP) which allows you to pass a userid and password. You must also provide an authenticate user exit (MQZ_AUTHENTICATE_USER) to check the userid / password yourself. The userid and password are also passed to the SCYEXIT on client channels.
MQ's basic design point has been to let the operating system authenticate the user (i.e., password check).
_________________ -wayne
amita09
Posted: Thu Nov 17, 2005 2:57 am    Post subject:
Novice    Joined: 13 Oct 2005    Posts: 24
Can you verify my understanding here?
"MQ V6 adds a new structure to the MQCONNX call (MQCSP) which allows you to pass a userid and password. You must also provide an authenticate user exit (MQZ_AUTHENTICATE_USER) to check the userid / password yourself. The userid and password are also passed to the SCYEXIT on client channels."
This means that basically I am doing both the call and the authentication myself. MQ is only providing me an opening in the form of MQCONNX to pass the uid & password.
So here the OS username/password has no role to play. Am I right?
OR
I still need the user and password to be the same as that of the operating system under which MQ is running. What's the role of the exit then? Is it supposed to check this against what the client has passed, or against the OS? How do I check it against the OS? A little bit blurry. Please advise.
"MQ's basic design point has been to let the operating system authenticate the user (i.e., password check)."
This means that the user and password are one and the same, is it? ...I can understand why you say user, i.e. password check. Yes, I know that MQ does not have a repository but relies on the OS.
wschutz
Posted: Thu Nov 17, 2005 3:19 am    Post subject:
Jedi Knight    Joined: 02 Jun 2005    Posts: 3316    Location: IBM (retired)
Quote:
> This means that basically I am doing both the call and the authentication myself. MQ is only providing me an opening in form of MQCONNX to pass the uid & password.

Yes, this is only an enabling technology, which means MQ gives you the places to provide the functions to do this, but not the functions themselves.
Of course, the assumption is that you (as MQ admin) provide the exit to check the userid and password and you (as MQ programmer) actually provide the userid and password.

Quote:
> So here the OS username/password has no role to play. Am I right.

The password doesn't. But the userid must match an opsys userid if you are using authorization (for example, if you are using OAM to control queue access). The authentication exit can change the userid, so strictly speaking, you could pass a non-OS userid on the MQCONNX call, but the exit would have to make it into a userid the OS recognizes.
How you check the userid and password is your decision (operating system call, database lookup, whatever).

Quote:
> This means that the user and password is one and the same is it. ...can understand why you say user i.e. password check. Yes i know that MQ does not have a repository but relies on OS

I'm not sure what you mean by "one and the same".
_________________ -wayne
amita09
Posted: Thu Nov 17, 2005 3:38 am    Post subject:
Novice    Joined: 13 Oct 2005    Posts: 24
1) "The password doesn't. But the userid must match an opsys userid if you are using authorization (for example, if you are using OAM to control queue access). The authentication exit can change the userid, so strictly speaking, you could pass a non-OS userid on the MQCONNX call, but the exit would have to make it into a userid the OS recognizes."
2) "How you check the userid and password is your decision (operating system call, database lookup, whatever)."
So we are talking of 2 things here as well.
1) Authorizing using an opsys userid. When you say that the userid must match an opsys userid, who will check this? Is it the authentication exit as well, or some other component?
2) Checking the userid/password against a db, the OS, etc. How do I check the password?
Not sure why we need two different things. Isn't only the second step enough?
Also, is this available on MQ v5.3? You mentioned that with MQCONNX we can pass the username and password. Are these options not there in V5.3?
wschutz
Posted: Thu Nov 17, 2005 3:49 am    Post subject:
Jedi Knight    Joined: 02 Jun 2005    Posts: 3316    Location: IBM (retired)
When you are using the OAM, you must present a userid to MQ that the operating system knows about.
So for your question (1) the OAM checks it. I've already answered (2): it's up to you.

Quote:
> Also is this available on Mq v5.3 ?

Which is why I started off with:

Quote:
> MQ V6 adds a new structure to the MQCONNX call (MQCSP) which allows you to pass a userid and password.

_________________ -wayne
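The two answers above leave two jobs to whoever writes the MQZ_AUTHENTICATE_USER exit: check the presented userid and password by whatever means you choose, and hand back a userid the operating system (and therefore the OAM) recognizes. The following Python module is an added example of that decision logic, not code from this thread and not the MQ exit API itself. The credential store, the set of OS userids, the password values and the function name `authenticate` are all constructed for illustration; a real exit would typically call the OS or a database at the point where this code consults its dictionary.

```python
"""Decision logic of a custom authenticate-user exit (added example).

Models what the exit writer must decide: is the password right, and which
OS-known userid should MQ use for authorization afterwards. The store below
is constructed for the example; it is not the MQ API.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000
Record = Tuple[bytes, bytes, str]  # (salt, pbkdf2 digest, mapped OS userid)


def make_record(password: str, os_userid: str, salt: Optional[bytes] = None) -> Record:
    """Build a salted-hash credential record; never store the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest, os_userid


# Constructed credential store: userid presented on MQCONNX -> record.
# "legacy-app" is mapped to an account the OS does not know, to show that case.
CREDENTIALS: Dict[str, Record] = {
    "appuser": make_record("s3cret-constructed", "mqapp"),
    "svc-billing": make_record("billing-constructed", "mqapp"),
    "legacy-app": make_record("legacy-constructed", "oldacct"),
}

# Constructed set of accounts the operating system knows; the OAM can only
# authorize a userid that appears here.
OS_USERIDS = {"mqapp", "mqm"}

_DUMMY_SALT = b"\x00" * 16


def authenticate(userid: str, password: Optional[str],
                 store: Dict[str, Record] = CREDENTIALS,
                 os_userids = OS_USERIDS) -> Tuple[bool, Optional[str], str]:
    """Return (accepted, effective_os_userid, reason).

    effective_os_userid is the userid the exit would hand back to MQ for
    OAM authorization; it is None whenever the connection is refused.
    """
    if not password:
        # No credentials in the MQCSP: refuse rather than fall through silently.
        return False, None, "no password presented"

    record = store.get(userid)
    if record is None:
        # Burn a hash anyway so an unknown userid costs the same time as a
        # wrong password; keeps the two failures indistinguishable by timing.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _DUMMY_SALT, PBKDF2_ROUNDS)
        return False, None, "unknown userid"

    salt, expected, os_userid = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, expected):
        return False, None, "bad password"

    if os_userid not in os_userids:
        # The exit may substitute a userid, but OAM needs one the OS recognizes.
        return False, None, "mapped userid not known to the OS"

    return True, os_userid, "ok"


if __name__ == "__main__":
    for uid, pwd in [("appuser", "s3cret-constructed"), ("appuser", "wrong"),
                     ("nobody", "x"), ("legacy-app", "legacy-constructed")]:
        print(uid, authenticate(uid, pwd))
```

The userid returned on success is the one MQ would then authorize with, which is why a record whose mapped account is unknown to the OS is refused rather than passed through: accepting it would satisfy the password check yet leave the OAM with nothing it can match.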
oz1ccg
Posted: Fri Nov 18, 2005 5:24 am    Post subject:
Yatiri    Joined: 10 Feb 2002    Posts: 628    Location: Denmark
PeterPotkay
Posted: Fri Nov 18, 2005 5:53 am    Post subject:
Poobah    Joined: 15 May 2001    Posts: 7722
Also, Capitalware's MQAUSX Security Exit can be used by programs to pass IDs and passwords that can authenticate against the OS or, optionally, an ID/password file on the server.
We use it here with great success.
_________________ Peter Potkay
Keep Calm and MQ On
wschutz
Posted: Fri Nov 18, 2005 7:09 am    Post subject:
Jedi Knight    Joined: 02 Jun 2005    Posts: 3316    Location: IBM (retired)
But remember, amita09 sounds like he (she) is describing a server-bound application.
_________________ -wayne
RogerLacroix
Posted: Wed Nov 23, 2005 9:25 pm    Post subject:
Jedi Knight    Joined: 15 May 2001    Posts: 3264    Location: London, ON Canada
wschutz wrote:
> But remember, amita09 sounds like he (she) is describing a server bound application.

True, but you should also mention that MQ will flow the UserID and Password in plain text from the application to the server-side security exit.
As Peter pointed out, MQAUSX can be used as a solution to his/her problem (plus the password is encrypted). The client-side security exit can be set up such that the application is not even aware that it is there.
Regards,
Roger Lacroix
Capitalware Inc.
_________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
RogerLacroix
Posted: Mon Dec 12, 2005 9:46 am    Post subject:
Jedi Knight    Joined: 15 May 2001    Posts: 3264    Location: London, ON Canada
All,
MQAUSX has been updated to accept the new MQCSP security structure when there is no client-side security exit. But this still means UserIDs and passwords are sent in plain text.
To have encrypted passwords, you still must use both client-side and server-side security exits for MQAUSX.
But for those who want a 'light-weight' security solution, here is what you need:
- WMQ v6.0 installed on the server side
- MQAUSX implemented on the server side
- WMQ v6.0 installed on the client side
- MO71 v6.0.0 or later
- In MO71, on the Location Setting panel, select the UserID check box.
Now MO71 will prompt you for your UserID & password and fill in the MQCSP structure during the MQCONNX call. The MQCSP is flowed to the server side, and hence to MQAUSX.
Regards,
Roger Lacroix
Capitalware Inc.
_________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
skiv
Posted: Wed Jul 12, 2006 6:30 pm    Post subject:
Apprentice    Joined: 19 Jun 2006    Posts: 33
Wondering if anyone is still listening to this thread.
I have a question regarding the use of MQCSP in MQCONNX. From what I know, in order to use it, the MQCNO version has to be set to 5 and the security parameter has to point to the MQCSP structure that is being passed in.
May I ask, if my client is running on Java JMS, how can I set all these settings? I also understand that these settings have to be set when calling the MQCONNX function, am I right? So this means that the settings have to be done at the client side....
Please correct me if my understanding is wrong.
Thanks
RogerLacroix
Posted: Wed Jul 12, 2006 10:08 pm    Post subject:
Jedi Knight    Joined: 15 May 2001    Posts: 3264    Location: London, ON Canada
skiv
Posted: Thu Jul 13, 2006 4:56 pm    Post subject:
Apprentice    Joined: 19 Jun 2006    Posts: 33
Hi
I had googled this topic before. I saw the second article before but not the first. However, it did not really answer what I want.
By default the MQCNO version is 1 and the securityptr points to null, so I would like to activate it so I can retrieve the userid and pwd that I passed in using the CSP.
I don't know how I can set it to do this.
Yannanlu
Posted: Fri Sep 01, 2006 5:57 pm    Post subject:
Apprentice    Joined: 23 Jan 2002    Posts: 27
I may be too late to join in this discussion. The authentication exit in MQ V6 is quite easy to work with. It is also possible to lock down all SVRCONNs. But I am not sure how to make an MQ 5.3 client talk to the server.
If I want to have MQ V6 authenticate both MQ V6 clients and MQ V5.3 clients, do I have to use the traditional SecurityExit?
Thanks,
Yannan