ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral DiscussionDifference between basic MQ authintication and IDPWOS

Post new topicReply to topic
Difference between basic MQ authintication and IDPWOS View previous topic :: View next topic
Author Message
ankurlodhi
PostPosted: Tue Jul 23, 2019 2:39 am Post subject: Difference between basic MQ authintication and IDPWOS Reply with quote

Master

Joined: 19 Oct 2010
Posts: 257

Hi all,

i want to understand the difference between, basic MQ authentication and IDPWOS for an MQ client.

what we usually do is we create a user on MQ server and application team connects using that username and password through MQ client.

now this username and password is already on MQ server, so isn't IDPWOS already configured even if we don't setup connauth?
Back to top
View user's profile Send private message
hughson
PostPosted: Thu Jul 25, 2019 7:44 pm Post subject: Reply with quote

Grand Master

Joined: 09 May 2013
Posts: 1185
Location: Bay of Plenty, New Zealand

I don't understand what you mean by "basic authentication" - could you elaborate further please?

Using CONNAUTH with IDPWOS means that the queue manager will check the user id and password you provide, and even mandate that you must provide one if you do not. This is the most basic authentication IBM MQ provides.

When your application team usually connects providing a username and password, what is checking that password is correct if you are not using IDPWOS? If you don't know the answer to this, may I suggest you attempt to enter an incorrect password deliberately and see what happens. This may illustrate to you that nothing is checking the password.

To reiterate, if CONNAUTH is not set up (or you have a version of MQ earlier than V8) the queue manager is not checking the password for you - you may have something else, an exit for example, that is, but there is nothing out of the box in the queue manager that is checking it unless you have CONNAUTH configured.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
fjb_saper
PostPosted: Fri Jul 26, 2019 5:01 pm Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20072
Location: LI,NY

Also if your connauth is configured with ADOPTCTX(NO) you may supply 2 identities. One that gets checked for authentication and another one that doesn't get checked at all and that will be used for authorization!!

This is bad practice.

This is why since MQ 9.1 (or was it 9.0 ?), the default is to set ADOPTCTX(YES). This means that you HAVE to use the MQCSP structure if the id sent to MQ for authentication and authorization doesn't match the id of the running process.

Have fun
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexGeneral DiscussionDifference between basic MQ authintication and IDPWOS
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.