MQ Client Security


Authentication

There are three levels of MQ security:

  1. Transport

  2. Channel security exits

    A protocol-independent pair of exits provides mutual authentication of both the client and the server.

    DCE security exits are available.

    If no security exits are used, access to WebSphere MQ objects is determined by the server-connection channel definition.

  3. Identification passed to a channel security exit

    In client-to-server communication, the channel security exits do not have to operate as a pair. The exit on the WebSphere MQ client side can be omitted. In this case the user ID is placed in the channel descriptor (MQCD) and the server security exit can alter it, if required. Some clients also send additional information to assist identification.

    For clients on UNIX systems, Windows 2000, Windows NT, and Windows XP, the user ID that is passed to the server is the currently logged-on user ID on the client. In addition, a client on Windows 2000, Windows NT, or Windows XP passes the security ID of the currently logged-on user.

    The values of the user ID and, if available, the password or security ID, can be used by the server security exit to establish the identity of the WebSphere MQ client.


Environment variables

For WebSphere MQ clients on DOS, OS/2 Warp, Windows 3.1, Windows 95, and Windows 98, if a security exit is not defined, the values of two environment variables MQ_USER_ID and MQ_PASSWORD are transmitted to the server. The values are passed in the channel definition (MQCD) to the server security exit when the exit is invoked. The values can then be used by the exit to establish the identity of the WebSphere MQ client.

On these platforms, set the variables in the environment in which the WebSphere MQ client is going to run. Note that the values (MYUSERID and MYPASSWORD in the example) must be in uppercase if the client is going to communicate with a WebSphere MQ server on OS/400. For example:

SET MQ_USER_ID=MYUSERID
SET MQ_PASSWORD=MYPASSWORD

The MQ_USER_ID and MQ_PASSWORD environment variables are not supported on UNIX systems, Windows 2000, Windows NT, and Windows XP. On these platforms, identification is established when the currently logged-on user ID of the client is passed automatically to the server.


User IDs

If the WebSphere MQ client is on Windows 2000, Windows NT, or Windows XP, and the WebSphere MQ server is also on one of these platforms and has access to the domain on which the client user ID is defined, WebSphere MQ supports user IDs of up to 20 characters.

If the WebSphere MQ server is on Windows 2000, Windows NT, or Windows XP, and the client is on a platform that uses the environment variable for specifying the user ID, the user ID can be in the format user@domain. The WebSphere MQ server then retrieves user account information from the specified NT domain. In this case, the maximum length for the user ID is 64 characters.

If the WebSphere MQ server is on Windows 2000, Windows NT, or Windows XP, and the client is on a platform that uses the environment variable for specifying the user ID, but no domain is specified, the WebSphere MQ server attempts to retrieve user account information from its primary domain or trusted domains. In this case, the maximum length for the user ID is 20 characters.

A WebSphere MQ for Windows server does not support the connection of a Windows 2000, Windows NT, or Windows XP client if the client is running under a user ID that contains the @ character, for example, abc@d. The return code to the MQCONN call at the client is MQRC_NOT_AUTHORIZED.

On all other platforms and configurations, the maximum length for user IDs is 12 characters.
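The rules above (which identity fields reach the server exit from each client platform, the user@domain form, the 64/20/12-character limits, the rejection of Windows client user IDs containing @, and the uppercase requirement for OS/400 servers) can be collected into a single identity-resolution check of the kind a server security exit would apply. The following is an added Python model written for this page, not IBM's exit API: the ChannelIdentity class is a constructed stand-in for the MQCD fields the text describes, not the real MQCD layout, and the 20-character Windows-to-Windows limit is applied on the assumption that the server has access to the client's domain.

```python
from dataclasses import dataclass
from typing import Optional

# Platform groups exactly as the page describes them (constructed lookup sets).
ENV_VAR_CLIENTS = {"DOS", "OS/2 Warp", "Windows 3.1", "Windows 95", "Windows 98"}
WINDOWS_NT_FAMILY = {"Windows 2000", "Windows NT", "Windows XP"}


@dataclass
class ChannelIdentity:
    """Constructed stand-in for the identity fields that reach the server
    security exit through the channel definition (MQCD). Not the real MQCD."""
    client_platform: str
    user_id: str
    password: Optional[str] = None       # only sent by MQ_USER_ID/MQ_PASSWORD clients
    security_id: Optional[bytes] = None  # only sent by Windows 2000/NT/XP clients


@dataclass
class ExitDecision:
    accepted: bool
    reason: str
    max_length: int
    identity_source: str


def max_user_id_length(server_platform: str, client_platform: str, user_id: str) -> int:
    """Maximum user ID length for this client/server pairing, per the page."""
    server_nt = server_platform in WINDOWS_NT_FAMILY
    if server_nt and client_platform in WINDOWS_NT_FAMILY:
        return 20  # assumption: server can reach the domain holding the client user ID
    if server_nt and client_platform in ENV_VAR_CLIENTS:
        return 64 if "@" in user_id else 20  # user@domain form, else primary/trusted domains
    return 12  # all other platforms and configurations


def resolve_identity(ident: ChannelIdentity, server_platform: str) -> ExitDecision:
    """Decide whether the presented identity is usable, and record where it came from."""
    client_nt = ident.client_platform in WINDOWS_NT_FAMILY
    if ident.client_platform in ENV_VAR_CLIENTS:
        source = "MQ_USER_ID/MQ_PASSWORD environment variables"
    elif client_nt:
        source = "logged-on user ID plus Windows security ID"
    else:
        source = "logged-on user ID"
    limit = max_user_id_length(server_platform, ident.client_platform, ident.user_id)

    if not ident.user_id:
        return ExitDecision(False, "empty user ID", limit, source)
    # A Windows server refuses a Windows client whose user ID contains '@'.
    if server_platform in WINDOWS_NT_FAMILY and client_nt and "@" in ident.user_id:
        return ExitDecision(False, "MQRC_NOT_AUTHORIZED: '@' in Windows client user ID",
                            limit, source)
    if len(ident.user_id) > limit:
        return ExitDecision(False, f"user ID exceeds {limit} characters", limit, source)
    # Environment-variable clients must send uppercase values to an OS/400 server.
    if (server_platform == "OS/400" and ident.client_platform in ENV_VAR_CLIENTS
            and ident.user_id != ident.user_id.upper()):
        return ExitDecision(False, "OS/400 requires uppercase MQ_USER_ID", limit, source)
    return ExitDecision(True, "identity accepted", limit, source)


if __name__ == "__main__":
    # Constructed sample identities illustrating each rule.
    samples = [
        (ChannelIdentity("Windows 98", "MYUSERID@NTDOMAIN", "MYPASSWORD"), "Windows 2000"),
        (ChannelIdentity("Windows XP", "abc@d", security_id=b"S-1-5-21-0"), "Windows XP"),
        (ChannelIdentity("UNIX", "averylonguserid"), "AIX"),
        (ChannelIdentity("DOS", "myuserid", "MYPASSWORD"), "OS/400"),
    ]
    for ident, server in samples:
        d = resolve_identity(ident, server)
        print(f"{ident.client_platform:>11} -> {server:<12} "
              f"{'ACCEPT' if d.accepted else 'REJECT'}: {d.reason} (source: {d.identity_source})")
```

The point of separating identity_source from the accept/reject decision is that, on every platform the page lists, the user ID is asserted by the client rather than proven to the server; the exit is the only place where the password, security ID, or domain lookup turns that assertion into an identity, so a defender reviewing an exit wants to see which of those inputs was actually consulted.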


WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.


IBM is a trademark of the IBM Corporation in the United States, other countries, or both.