Planning authentication for a client application

You can apply authentication controls at four levels: at the communications level, in security exits, with channel authentication records, and in terms of the identification that is passed to a security exit.

There are four levels of security to consider. The diagram shows an IBM® MQ MQI client that is connected to a server. Security is applied at four levels, as described in the following text. MCA is a Message Channel Agent.
Figure 1. Security in a client/server connection
The diagram shows an IBM MQ MQI client that is connected to a server. Security is applied at four levels, as described in the following text.
  1. Communications level

    See arrow 1. To implement security at the communications level, use TLS. For more information, see Cryptographic security protocols: TLS

  2. Channel authentication records

    See arrows 2 & 3. Authentication can be controlled by using the IP address or TLS distinguished names at the security level. A user ID can also be blocked or an asserted user ID can be mapped to a valid user ID. A full description is given in Channel authentication records.

  3. Connection authentication

    See arrow 3. The client sends a user ID and a password, or an authentication token. For more information, see Connection authentication: Configuration.

  4. Channel security exits

    See arrow 2. The channel security exits for client to server communication can work in the same way as for server to server communication. A protocol independent pair of exits can be written to provide mutual authentication of both the client and the server. A full description is given in Channel security exit programs.

  5. Identification that is passed to a channel security exit

    See arrow 3. In client to server communication, the channel security exits do not have to operate as a pair. The exit on the IBM MQ client side can be omitted. In this case, the user ID is placed in the channel descriptor (MQCD) and the server-side security exit can alter it, if required.

    IBM MQ MQI clients also send extra information to assist identification.
    • The user ID that is passed to the server is the currently logged-on user ID on the client.
    • The security ID of the currently logged-on user.

    The values of the user ID and, if available, the security ID, can be used by the server security exit to establish the identity of the IBM MQ MQI client.

From IBM MQ 8.0, you can send passwords that are included in the MQCSP structure.

[AIX][MQ 9.3.4 Oct 2023][Linux]From IBM MQ 9.3.4, IBM MQ MQI clients connecting to IBM MQ queue managers running on AIX® or Linux® systems can also send authentication tokens in the MQCSP structure.

Warning: In some cases, the password or authentication token in an MQCSP structure for a client application is sent across the network in plain text. To ensure that client application passwords and authentication tokens are protected appropriately, see MQCSP password protection.