User authentication is another aspect of security that is often overlooked and many think it only applies to human users.
Quite the contrary! User authentication, albeit with a few twists, is an essential aspect for securing applications’ access to resources.
IBM MQ can be configured to force users and applications to supply a username and a password before being allowed to access any of its objects.
Before MQ 8.0, security authentication was implemented using security exit programs. These are special programs you can write with a specific set of input parameters, and specific output values.
But 8.0 brought us the ability to verify a username/password pair against a user repository, either managed by the operating system or an external LDAP directory.
NOTE: IBM MQ versions 8.0 and later have two authentication methods: an old one, called the compatibility mode and a new one, called MQCSP authentication. In compatibility mode, passwords and usernames are limited (and truncated, if longer) to 12 characters. In order to user usernames or passwords longer than 12 characters, the client application has to use MQCSP authentication (disable the Enable Compatibility mode checkbox in the MQ Explorer Userid configuration window).
Operating system authentication
This authentication method relies on the underlying operating system’s services to validate users and passwords. To use it, you just have to create an AUTHINFO object of type IDPWOS. The MQSC command is as follows:
DEFINE AUTHINFO(USE.OS) AUTHTYPE(IDPWOS) CHCKLOCL(OPTIONAL) CHCKCLNT (REQDADM) REPLACE
The CHCKLOCL and CHCKCLNT apply to local and client (remote) connections, respectively. Both can take the following values:
- NONE: No authentication will be enforced or verified. If any connection attempt has authentication information, it will be ignored.
- OPTIONAL: No authentication will be enforced. However, if a connection attempt has authentication information, the user must be valid, and if it is successful, the specified user has to have the correct permissions to connect to the queue manager.
- REQDADM: Authentication will be enforced if the user belongs to the MQ administration operating system group (mqm in Windows, Linux or UNIX, OR Administrators in Windows).
- REQUIRED: Authentication will be enforced all the time.
After defining the AUTHINFO for this type of authentication, configure the queue manager to use it:
ALTER QMGR CONNAUTH(USE.OS)
To use it, either restart the queue manager or issue the command:
REFRESH SECURITY TYPE(CONNAUTH)
LDAP Authentication
In the following example, I’ll demonstrate configuring LDAP authentication against Microsoft’s Active Directory. It’s a bit more complicated than other LDAP servers, but the commands can be easily adapted to others.
Note: LDAP authentication is only supported from MQ 8.0 onwards. Regardless, if you have MQ 8.0 and want to use Active Directory, you have to raise the command level of MQ to 802. To do this, just follow the following steps:
- Stop the queue manager:
endmqm MQ01 - Raise the CMDLEVEL of the queue manager
strmqm ‑e CMDLEVEL=802 MQ01 - Start the queue manager
strmqm MQ01
So, just define an AUTHINFO object of type IDPWLDAP.
DEFINE AUTHINFO(USE.LDAP) AUTHTYPE(IDPWLDAP) DESCR(‘LDAP Authentication’) CHCKCLNT(REQUIRED) CHCKLOCL(NONE) ADOPTCTX(YES) FAILDLAY(10) LDAPUSER(‘tests.mq’) LDAPPWD(‘Tm@1234’) CONNAME(‘adserver’) SECCOMM(YES) SHORTUSR(‘sn’) CLASSUSR(‘user’) BASEDNU(‘ou=users,dc=addomain, dc=local’) USRFIELD(‘sAMAccountName’) GRPFIELD(‘cn’) CLASSGRP(‘group’) BASEDNG(‘ou=groups,ou=users,dc=addomain, dc=local’) FINDGRP(‘member’) AUTHORMD(SEARCHGRP) REPLACE
As you can see, there are lots more options in the IDPWLDAP authentication type. Lets go through all these parameters:
- ADOPTCTX: Whether to use the presented credentials as the context for this application. This means that they are used for authorization checks, shown on administrative displays, and appear in messages.
- YES
The user ID presented in the MQCSP structure, which has been successfully validated by password, is adopted as the context to use for this application. Therefore, this user ID will be the credentials checked for authorization to use IBM MQ resources. If the user ID presented is an LDAP user ID, and authorization checks are done using operating system user IDs, the SHORTUSR associated with the user entry in LDAP will be adopted as the credentials for authorization checks to be done against. - NO
Authentication will be performed on the user ID and password presented in the MQCSP structure, but then the credentials will not be adopted for further use. Authorization will be performed using the user ID the application is running under.
- YES
- FAILDLAY: specify the delay used by MQ to notify the application of any failed authentication. This is to prevent the application from hammering MQ with failed connection attempts.
- LDAPUSER: specify the user for connecting to the Active Directory (or LDAP) server.
- LDAPPWD: specify the password for the LDAPUSER.
- CONNAME: address of the Active Directory (or LDAP) server
- SECCOMM: if this setting has an attribute of YES, SSL is used to connect to the Active Directory (or LDAP) server and also specify the TCP port as being 636 (LDAPS); if it has the value NO, no SSL will be used to connect and the TCP port is set to 389 (LDAP).
- SHORTUSR: specify the LDAP attribute that contains the “short” username. This is necessary because MQ has a limit of 12 characters on usernames. If you do not specify this option, usernames longer than 12 characters will be truncated.
- CLASSUSR: LDAP object class to use for user entries.
- BASEDNU: The base DN of the LDAP tree to use when searching for users.
- USRFIELD: The LDAP attribute to be used by MQ when searching for users; in Active Directory, this is typically sAMAccountName.
- GRPFIELD: The LDAP attribute that contains the short group name. If this option is missing, the full group DN must be used when specifying groups in the setmqaut command line utility and the SET AUTHREC MQSC command (more on these in another blog post — stay tuned). Typically, this must hasve the value cn.
- CLASSGRP: The LDAP object class of groups.
- CLASSUSR: The LDAP object class of users. In Microsoft Active Directory, this is typically user; for other LDAP servers is typically inetOrgPerson.
- BASEDNG: The base DN of the LDAP tree to use when searching for groups.
- FINDGRP: The name of the attribute used within an LDAP entry to determine group membership. The default value depends on the value of AUTHORMD.
When AUTHORMD = SEARCHGRP, the FINDGRP attribute is typically set to member or uniqueMember.
When AUTHORMD = SEARCHUSR, the FINDGRP attribute is typically set to memberOf.
When AUTHORMD = SRCHGRPSN, the FINDGRP attribute is typically set to memberUid. This only applies to MQ versions 9.0.5 and above.
When the FINDGRP attribute is left blank:- If AUTHORMD = SEARCHGRP, the FINDGRP attribute defaults to memberOf.
- If AUTHORMD = SEARCHUSR, the FINDGRP attribute defaults to member.
- If AUTHORMD = SRCHGRPSN, the FINDGRP attribute defaults to memberUid. This only applies to MQ versions 9.0.5 and above.
- AUTHORMD: See explanation of the FINDGRP parameter.
Keep in mind that for an authentication of type IDPWLDAP, REQDADM and OPTIONAL are equivalent, as MQ makes no distinction between administrative users and normal ones. An username and password are always requested and validated, and are required to be correct, that is, authentication must succeed.
Again, to use this authentication configuration, issue the runmqsc command:
ALTER QMGR CONNAUTH(USE.LDAP)
and restart the queue manager or issue the runmqsc command:
REFRESH SECURITY TYPE(CONNAUTH)
That’s it. The next thing to do is to authorize users to use MQ by setting permissions (authorizations). This will be shown in part 3 of this article series.