ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » MQCSP authentication with no password

Post new topic  Reply to topic
 MQCSP authentication with no password « View previous topic :: View next topic » 
Author Message
pakuma3
PostPosted: Wed Apr 13, 2022 3:16 pm    Post subject: MQCSP authentication with no password Reply with quote

Newbie

Joined: 27 Feb 2015
Posts: 7

Hi guys,

Just had a quick question,. BTW, Im running 9.2.3 and 9.2.5.

Does anybody know if there is a way to authenticate an incoming connection that is only sending MQCSP UserID but blank password?

App cannot send the password in the client connection, company policy.

App is using Openshift and it sends the App UserID in MQCSP structure, but it also sends the regular "java" UserID for the session outside this structure.

Weve tried leaving the CONNAUTH blank and just using CHLAUTH rules, but the rules only apply for the session ID (java).

We've also tried using IDPWOS CONNAUTH, with CHCKCLNT as optional, but no luck.

Thanks guys!
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Thu Apr 14, 2022 1:04 am    Post subject: Re: MQCSP authentication with no password Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

pakuma3 wrote:
Hi guys,

Just had a quick question,. BTW, Im running 9.2.3 and 9.2.5.

Does anybody know if there is a way to authenticate an incoming connection that is only sending MQCSP UserID but blank password?

App cannot send the password in the client connection, company policy.

App is using Openshift and it sends the App UserID in MQCSP structure, but it also sends the regular "java" UserID for the session outside this structure.

Weve tried leaving the CONNAUTH blank and just using CHLAUTH rules, but the rules only apply for the session ID (java).

We've also tried using IDPWOS CONNAUTH, with CHCKCLNT as optional, but no luck.

Thanks guys!

Look at the channels stanza so that the password is always encrypted on the wire. Use the mqccred channel exit to force userid and password. Use runmqccred to obfuscate the password in the mqccred.ini file...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
pnusch
PostPosted: Tue Apr 19, 2022 4:41 am    Post subject: Reply with quote

Newbie

Joined: 17 Aug 2020
Posts: 4

Hey,

I tried CONNAUTH with Java Client and I remind me, when the app only set the UserID variable and not set the password variable then CONNAUTH with CHCKCLNT = OPTIONAL works.

The developer need to skip the password variable when the password is blank, but please don't request this if it's third-party app.

But to be honest, authentication without password isn't authenticate, except using client certificate as authentication factor.

The java UserID can be change in source code too, via system.property.

PS: I tried the CHECKCLNT = OPTIONAL and not setting password variable with MQ-Client 9.1.0.y against QMgr on z/OS V8 and V9.1, 1-year ago. When IBM didn't change anything it should still work.

CHCKCLNT = OPTIONAL mean so long no password is sent, you can connect with any user.
Back to top
View user's profile Send private message
hughson
PostPosted: Wed Apr 20, 2022 2:12 am    Post subject: Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

Only if the user id when checked at the server is valid with no password. Otherwise, if you supply it and pass it through CONNAUTH password checking it will fail. If you don't pass it through CONNAUTH password checking it will be ignored.

Alternatively, a security exit could pluck it out and do something with it.

But really, the answer to your question is probably "No".

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » General IBM MQ Support » MQCSP authentication with no password
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.