{"id":161,"date":"2020-08-31T22:17:18","date_gmt":"2020-08-31T22:17:18","guid":{"rendered":"https:\/\/trindade.myphotos.cc\/lazysysadmin\/?p=161"},"modified":"2024-07-05T11:40:39","modified_gmt":"2024-07-05T10:40:39","slug":"ibm-mq-basics-security-part-2-user-authentication","status":"publish","type":"post","link":"https:\/\/trindade.myphotos.cc\/lazysysadmin\/2020\/08\/31\/ibm-mq-basics-security-part-2-user-authentication\/","title":{"rendered":"IBM<\/span> MQ<\/span> basics: security \u2014 part 2: user authentication"},"content":{"rendered":"

User authen\u00adti\u00adca\u00adtion is anoth\u00ader aspect of secu\u00adri\u00adty that is often over\u00adlooked and many think it only applies to human users.<\/p>\n

Quite the con\u00adtrary! User authen\u00adti\u00adca\u00adtion, albeit with a few twists, is an essen\u00adtial aspect for secur\u00ading appli\u00adca\u00adtions\u2019 access to resources.<\/p>\n

IBM<\/span> MQ<\/span> can be con\u00adfig\u00adured to force users and appli\u00adca\u00adtions to sup\u00adply a user\u00adname and a pass\u00adword before being allowed to access any of its objects.<\/p>\n

<\/p>\n

Before MQ<\/span> 8.0, secu\u00adri\u00adty authen\u00adti\u00adca\u00adtion was imple\u00adment\u00aded using secu\u00adri\u00adty exit pro\u00adgrams. These are spe\u00adcial pro\u00adgrams you can write with a spe\u00adcif\u00adic set of input para\u00adme\u00adters, and spe\u00adcif\u00adic out\u00adput values.<\/p>\n

But 8.0 brought us the abil\u00adi\u00adty to ver\u00adi\u00adfy a username\/password pair against a user repos\u00adi\u00adto\u00adry, either man\u00adaged by the oper\u00adat\u00ading sys\u00adtem or an exter\u00adnal LDAP<\/span> directory.<\/p>\n

NOTE<\/span>: IBM<\/span> MQ<\/span> ver\u00adsions 8.0 and lat\u00ader have two authen\u00adti\u00adca\u00adtion meth\u00adods: an old one, called the com\u00adpat\u00adi\u00adbil\u00adi\u00adty mode and a new one, called MQCSP<\/span> authen\u00adti\u00adca\u00adtion. In com\u00adpat\u00adi\u00adbil\u00adi\u00adty mode, pass\u00adwords and user\u00adnames are lim\u00adit\u00aded (and trun\u00adcat\u00aded, if longer) to 12 char\u00adac\u00adters. In order to user user\u00adnames or pass\u00adwords longer than 12 char\u00adac\u00adters, the client appli\u00adca\u00adtion has to use MQCSP<\/span> authen\u00adti\u00adca\u00adtion (dis\u00adable the Enable Com\u00adpat\u00adi\u00adbil\u00adi\u00adty mode check\u00adbox in the MQ<\/span> Explor\u00ader Userid con\u00adfig\u00adu\u00adra\u00adtion window).<\/p>\n

Operating system authentication<\/h1>\n

This authen\u00adti\u00adca\u00adtion method relies on the under\u00adly\u00ading oper\u00adat\u00ading sys\u00adtem\u2019s ser\u00advices to val\u00adi\u00addate users and pass\u00adwords. To use it, you just have to cre\u00adate an AUTHINFO<\/span> object of type IDPWOS<\/span>. The MQSC<\/span> com\u00admand is as follows:<\/p>\n

DEFINE<\/span> AUTHINFO<\/span>(USE<\/span>.OS<\/span>) AUTHTYPE<\/span>(IDPWOS<\/span>) CHCKLOCL<\/span>(OPTIONAL<\/span>) CHCKCLNT<\/span> (REQDADM<\/span>) REPLACE<\/span><\/p>\n

The CHCKLOCL<\/span> and CHCKCLNT<\/span> apply to local and client (remote) con\u00adnec\u00adtions, respec\u00adtive\u00adly. Both can take the fol\u00adlow\u00ading values:<\/p>\n

    \n
  • NONE<\/span>: No authen\u00adti\u00adca\u00adtion will be enforced or ver\u00adi\u00adfied. If any con\u00adnec\u00adtion attempt has authen\u00adti\u00adca\u00adtion infor\u00adma\u00adtion, it will be ignored.<\/li>\n
  • OPTIONAL<\/span>: No authen\u00adti\u00adca\u00adtion will be enforced. How\u00adev\u00ader, if a con\u00adnec\u00adtion attempt has authen\u00adti\u00adca\u00adtion infor\u00adma\u00adtion, the user must be valid, and if it is suc\u00adcess\u00adful, the spec\u00adi\u00adfied user has to have the cor\u00adrect per\u00admis\u00adsions to con\u00adnect to the queue manager.<\/li>\n
  • REQDADM<\/span>: Authen\u00adti\u00adca\u00adtion will be enforced if the user belongs to the MQ<\/span> admin\u00adis\u00adtra\u00adtion oper\u00adat\u00ading sys\u00adtem group (mqm in Win\u00addows, Lin\u00adux or UNIX<\/span>, OR<\/span> Admin\u00adis\u00adtra\u00adtors in Windows).<\/li>\n
  • REQUIRED<\/span>: Authen\u00adti\u00adca\u00adtion will be enforced all the time.<\/li>\n<\/ul>\n

    After defin\u00ading the AUTHINFO<\/span> for this type of authen\u00adti\u00adca\u00adtion, con\u00adfig\u00adure the queue man\u00adag\u00ader to use it:<\/p>\n

    ALTER<\/span> QMGR<\/span> CONNAUTH<\/span>(USE<\/span>.OS<\/span>)<\/p>\n

    To use it, either restart the queue man\u00adag\u00ader or issue the command:<\/p>\n

    REFRESH<\/span> SECURITY<\/span> TYPE<\/span>(CONNAUTH<\/span>)<\/p>\n

    LDAP<\/span> Authentication<\/h1>\n

    In the fol\u00adlow\u00ading exam\u00adple, I\u2019ll demon\u00adstrate con\u00adfig\u00adur\u00ading LDAP<\/span> authen\u00adti\u00adca\u00adtion against Microsoft\u00ad\u2019s Active Direc\u00adto\u00adry. It\u2019s a bit more com\u00adpli\u00adcat\u00aded than oth\u00ader LDAP<\/span> servers, but the com\u00admands can be eas\u00adi\u00adly adapt\u00aded to others.<\/p>\n

    Note: LDAP<\/span> authen\u00adti\u00adca\u00adtion is only sup\u00adport\u00aded from MQ<\/span> 8.0 onwards. Regard\u00adless, if you have MQ<\/span> 8.0 and want to use Active Direc\u00adto\u00adry, you have to raise the com\u00admand lev\u00adel of MQ<\/span> to 802. To do this, just fol\u00adlow the fol\u00adlow\u00ading steps:<\/p>\n

      \n
    1. Stop the queue manager:
      \nend\u00admqm MQ01<\/span><\/span><\/li>\n
    2. Raise the CMDLEVEL<\/span> of the queue manager
      \nstr\u00admqm \u2011e CMDLEVEL<\/span>=802 MQ01<\/span><\/span><\/li>\n
    3. Start the queue manager
      \nstr\u00admqm MQ01<\/span><\/span><\/li>\n<\/ol>\n

      So, just define an AUTHINFO<\/span> object of type IDPWLDAP<\/span>.<\/p>\n

      DEFINE<\/span> AUTHINFO<\/span>(USE<\/span>.LDAP<\/span>) AUTHTYPE<\/span>(IDPWLDAP<\/span>) DESCR<\/span>(\u2018LDAP<\/span> Authen\u00adti\u00adca\u00adtion\u2019) CHCKCLNT<\/span>(REQUIRED<\/span>) CHCKLOCL<\/span>(NONE<\/span>) ADOPTCTX<\/span>(YES<\/span>) FAILDLAY<\/span>(10) LDAPUSER<\/span>(\u2018tests.mq\u2019) LDAPPWD<\/span>(\u2018Tm@1234\u2019) CONNAME<\/span>(\u2018adserver\u2019) SECCOMM<\/span>(YES<\/span>) SHORTUSR<\/span>(\u2018sn\u2019) CLASSUSR<\/span>(\u2018user\u2019) BASEDNU<\/span>(\u2018ou=users,dc=addomain, dc=local\u2019) USRFIELD<\/span>(\u2018sAMAccountName\u2019) GRPFIELD<\/span>(\u2018cn\u2019) CLASSGRP<\/span>(\u2018group\u2019) BASEDNG<\/span>(\u2018ou=groups,ou=users,dc=addomain, dc=local\u2019) FINDGRP<\/span>(\u2018member\u2019) AUTHORMD<\/span>(SEARCHGRP<\/span>) REPLACE<\/span><\/p>\n

      As you can see, there are lots more options in the IDPWLDAP<\/span> authen\u00adti\u00adca\u00adtion type. Lets go through all these parameters:<\/p>\n