MQCSP authentication with no password
pakuma3 (Newbie; Joined: 27 Feb 2015; Posts: 9)
Posted: Wed Apr 13, 2022 3:16 pm Post subject: MQCSP authentication with no password
Hi guys,
Just had a quick question. BTW, I'm running 9.2.3 and 9.2.5.
Does anybody know if there is a way to authenticate an incoming connection that is only sending MQCSP UserID but blank password?
App cannot send the password in the client connection, company policy.
App is using OpenShift and it sends the App UserID in MQCSP structure, but it also sends the regular "java" UserID for the session outside this structure.
We've tried leaving the CONNAUTH blank and just using CHLAUTH rules, but the rules only apply for the session ID (java).
We've also tried using IDPWOS CONNAUTH, with CHCKCLNT as optional, but no luck.
Thanks guys!

fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Thu Apr 14, 2022 1:04 am Post subject: Re: MQCSP authentication with no password
pakuma3 wrote:
> Hi guys,
> Just had a quick question. BTW, I'm running 9.2.3 and 9.2.5.
> Does anybody know if there is a way to authenticate an incoming connection that is only sending MQCSP UserID but blank password?
> App cannot send the password in the client connection, company policy.
> App is using OpenShift and it sends the App UserID in MQCSP structure, but it also sends the regular "java" UserID for the session outside this structure.
> We've tried leaving the CONNAUTH blank and just using CHLAUTH rules, but the rules only apply for the session ID (java).
> We've also tried using IDPWOS CONNAUTH, with CHCKCLNT as optional, but no luck.
> Thanks guys!

Look at the channels stanza so that the password is always encrypted on the wire. Use the mqccred channel exit to force userid and password. Use runmqccred to obfuscate the password in the mqccred.ini file...
_________________
MQ & Broker admin

pnusch (Newbie; Joined: 17 Aug 2020; Posts: 5)
Posted: Tue Apr 19, 2022 4:41 am Post subject:
Hey,
I tried CONNAUTH with a Java client and, as I remember, when the app only sets the UserID variable and does not set the password variable, then CONNAUTH with CHCKCLNT = OPTIONAL works.
The developer needs to skip the password variable when the password is blank, but please don't request this if it's a third-party app.
But to be honest, authentication without a password isn't authentication, except when using a client certificate as the authentication factor.
The java UserID can be changed in source code too, via system.property.
PS: I tried CHCKCLNT = OPTIONAL and not setting the password variable with MQ-Client 9.1.0.y against a QMgr on z/OS V8 and V9.1, one year ago. If IBM didn't change anything, it should still work.
CHCKCLNT = OPTIONAL means that as long as no password is sent, you can connect with any user.

hughson (Padawan; Joined: 09 May 2013; Posts: 1959; Location: Bay of Plenty, New Zealand)
Posted: Wed Apr 20, 2022 2:12 am Post subject:
Only if the user id when checked at the server is valid with no password. Otherwise, if you supply it and pass it through CONNAUTH password checking it will fail. If you don't pass it through CONNAUTH password checking it will be ignored.
Alternatively, a security exit could pluck it out and do something with it.
But really, the answer to your question is probably "No".
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
MQGem Software
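
The client-certificate approach pnusch mentions, set beside the CHCKCLNT(OPTIONAL) setting discussed in the thread, as an added MQSC example that is not part of any post. The channel name APP.SVRCONN, the certificate DN, the IP address and the MCAUSER app1 are constructed placeholders.

```mqsc
* Added example, not from the thread. APP.SVRCONN, the DN, the address
* and 'app1' are constructed placeholders.

* --- Weak: password checking optional, nothing else identifies the client
* As pnusch observes, with CHCKCLNT(OPTIONAL) a client that sends no
* password is not password-checked, so the asserted user ID proves nothing.
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) +
      CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)

* --- Stronger: the TLS client certificate is the authentication factor
* Require a client certificate on the channel.
ALTER CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) +
      SSLCIPH(ANY_TLS12_OR_HIGHER) SSLCAUTH(REQUIRED)

* Deny every connection on this channel by default ...
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) ACTION(REPLACE)

* ... then admit only the expected certificate DN and pin the identity
* used for authorization to a dedicated low-privilege account. The
* identity comes from the certificate, not from the MQCSP user ID or
* the client-side "java" user.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=app1,O=Example') USERSRC(MAP) MCAUSER('app1') +
    ACTION(REPLACE)

* Check which rule a given connection would match before going live.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
        ADDRESS('192.0.2.10') SSLPEER('CN=app1,O=Example') +
        CLNTUSER('java')
```

The RUNCHECK output should show the SSLPEERMAP rule with MCAUSER('app1'); the same check with a different SSLPEER value should fall through to the NOACCESS rule.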