MQ Client Access control

Access control in WebSphere MQ is based upon the user identifier associated with the process making MQI calls. For WebSphere MQ clients, the process that issues the MQI calls is the server-connection MCA. The user identifiers used by the server-connection MCA are those contained in the MCAUserIdentifier and LongMCAUserIdentifier fields of the MQCD. The contents of these fields are determined by:

  • Any values set by security exits

  • The user ID (for clients on UNIX systems, Windows 2000, Windows NT, and Windows XP) or MQ_USER_ID environment variable (for other clients) from the client

  • MCAUSER (in the server-connection channel definition)

Depending upon the combination of settings of the above, the user-identifier fields are set to appropriate values. If a server-connection security exit is provided, the user-identifier fields can be set by the exit. Otherwise they are determined as follows:

  • If the server-connection channel MCAUSER attribute is nonblank, this value is used.

  • If the server-connection channel MCAUSER attribute is blank, the user ID received from the client is used. However, for the clients that use the MQ_USER_ID environment variable to supply the user ID, it is possible that no environment variable is set. In this case, the user ID that started the server-connection channel is used. For Java client connections, if the client application does not provide a user ID then no client user identification is provided to the server.

When the user-identifier fields are derived from the user ID that started the server-connection channel, the following value is used:

For TCP/IP, the user ID from the inetd.conf entry, or the user ID that started the listener.

If any server-connection channel definitions exist that have the MCAUSER attribute set to blank, clients can use this channel definition to connect to the queue manager with access authority determined by the user ID supplied by the client. This might be a security exposure if the system on which the queue manager is running allows unauthorized network connections. The WebSphere MQ default server-connection channel (SYSTEM.DEF.SVRCONN) has the MCAUSER attribute set to blank. To prevent unauthorized access, update the MCAUSER attribute of the default definition with a user ID that has no access to WebSphere MQ objects.

When you define a channel with runmqsc, the MCAUSER attribute is changed to uppercase unless the user ID is contained within single quotation marks.

For servers on UNIX systems, the content of the MCAUserIdentifier field that is received from the client is changed to lowercase.

For servers on UNIX systems, the content of the LongMCAUserIdentifier field that is received from the client is changed to lowercase.
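The precedence rules above (security exit, then MCAUSER, then the client-supplied ID, then the listener's user ID), the runmqsc uppercasing rule and the UNIX lowercasing of client-supplied identifiers are easy to misread when auditing channel definitions. The following is an added example written for this page, not IBM code: it does not call the MQI, it only encodes those stated rules as a small model so sample channel definitions can be checked against them. Every name in it (SvrConnChannel, mqsc_mcauser, resolve_mca_user, audit_svrconn_channels, the java_client and server_is_unix switches, the constructed channel names and the placeholder no-access user "nobody") is invented for the illustration; the MQSC ALTER CHANNEL command it emits is the ordinary way to set MCAUSER with runmqsc.

```python
"""Model of how the server-connection MCA user identifier is derived.

Added illustration for this page, not IBM code: it does not call the MQI,
it only encodes the precedence rules stated in the text so they can be
checked against sample channel definitions. All class and function names
are invented for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SvrConnChannel:
    """A server-connection channel definition; only MCAUSER matters here.
    A blank MCAUSER means the channel trusts the client-supplied user ID."""
    name: str
    mcauser: str = ""


def mqsc_mcauser(typed_value: str) -> str:
    """Apply the runmqsc folding rule to a MCAUSER value as typed:
    it is changed to uppercase unless enclosed in single quotation marks."""
    if len(typed_value) >= 2 and typed_value[0] == "'" and typed_value[-1] == "'":
        return typed_value[1:-1]
    return typed_value.upper()


def resolve_mca_user(channel: SvrConnChannel,
                     client_user: Optional[str],
                     listener_user: str,
                     exit_user: Optional[str] = None,
                     server_is_unix: bool = True,
                     java_client: bool = False) -> Optional[str]:
    """Return the user identifier the server-connection MCA will use
    (the MCAUserIdentifier field of the MQCD), in the precedence given
    in the text:
      1. a value set by a server-connection security exit;
      2. the channel's MCAUSER attribute, if nonblank;
      3. the user ID received from the client (lowercased on UNIX servers);
      4. if the client sent none: the user ID that started the listener
         (or the inetd.conf entry); but a Java client that supplies no
         user ID sends no client user identification at all (None here).
    """
    if exit_user is not None and exit_user.strip():
        return exit_user
    if channel.mcauser.strip():
        return channel.mcauser
    if client_user is not None and client_user.strip():
        return client_user.lower() if server_is_unix else client_user
    if java_client:
        return None
    return listener_user


def audit_svrconn_channels(channels: List[SvrConnChannel],
                           noaccess_user: str) -> List[Tuple[str, str]]:
    """Flag every channel whose MCAUSER is blank: any client able to reach
    the listener then chooses its own effective identity. The suggested fix
    is the MQSC command that pins MCAUSER to a user ID with no MQ access
    (the quotes keep runmqsc from uppercasing it)."""
    findings = []
    for ch in channels:
        if not ch.mcauser.strip():
            fix = (f"ALTER CHANNEL({ch.name}) CHLTYPE(SVRCONN) "
                   f"MCAUSER('{noaccess_user}')")
            findings.append((ch.name, fix))
    return findings


if __name__ == "__main__":
    # Constructed sample definitions: the shipped default with blank MCAUSER
    # and an application channel whose MCAUSER was typed inside quotes.
    channels = [
        SvrConnChannel("SYSTEM.DEF.SVRCONN"),
        SvrConnChannel("APP.SVRCONN", mqsc_mcauser("'mqapp'")),
    ]
    for ch in channels:
        print(ch.name, "->", resolve_mca_user(ch, client_user="Alice",
                                              listener_user="mqm"))
    # "nobody" is a placeholder for a user ID with no access to MQ objects.
    for name, fix in audit_svrconn_channels(channels, "nobody"):
        print("EXPOSURE:", name, "| fix:", fix)
```

Running the model over the two constructed definitions shows the point of the paragraph on SYSTEM.DEF.SVRCONN: with MCAUSER blank the effective identity is whatever the client sent (here "Alice", folded to "alice" on a UNIX server), whereas the channel with MCAUSER set ignores the client value entirely.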

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.