Connection authentication with the Java client

Connection authentication is a feature in IBM® MQ that allows the queue manager to be configured to authenticate applications, using a provided user ID and password. When the application is a Java application that is using client bindings, connection authentication can be run in compatibility mode or MQCSP authentication mode.

Compatibility mode

Before IBM MQ 8.0, the Java client could send a user ID and password across the client-connection channel to the server-connection channel, and have them provided to a security exit in the RemoteUserIdentifier and RemotePassword fields of the MQCD structure. In compatibility mode, this behavior is retained.

You might use this mode in combination with connection authentication, and migrate away from any security exits that were previously used to do the same job.

In compatibility mode, the client-side user ID is not sent to the queue manager. You must therefore use ADOPTCTX(YES), or have another method, for example a CHLAUTH rule based on a TLS certificate, to set the running MCAUSER.

The compatibility mode of operation can be enabled on a connection-by-connection basis or globally:
  • In IBM MQ classes for Java, set the property MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY to false in the properties hashtable that is passed to the com.ibm.mq.MQQueueManager constructor.
  • In IBM MQ classes for JMS, set the property JmsConstants.USER_AUTHENTICATION_MQCSP to false, on the appropriate connection factory before creating the connection.
  • Globally, specify the Java system property -Dcom.ibm.mq.cfg.jmqi.useMQCSPauthentication=false on the command line when starting your application, as shown in the following example:
    java -Dcom.ibm.mq.cfg.jmqi.useMQCSPauthentication=false application_name
Compatibility mode is the default setting.

MQCSP authentication mode

In this mode, the client-side user ID is sent as well as the user ID and password to be authenticated, so you are able to use ADOPTCTX(NO). The user ID and password are available to a server-connection security exit in the MQCSP structure that is provided in the MQCXP structure.

This mode of operation can be enabled on a connection-by-connection basis or globally:
  • In IBM MQ classes for Java, set the property MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY to true in the properties hashtable that is passed to the com.ibm.mq.MQQueueManager constructor.
  • In IBM MQ classes for JMS, set the property JmsConstants.USER_AUTHENTICATION_MQCSP to true, on the appropriate connection factory before creating the connection.
  • Globally, set the system property com.ibm.mq.cfg.jmqi.useMQCSPauthentication to a value indicating true, for example, by adding -Dcom.ibm.mq.cfg.jmqi.useMQCSPauthentication=Y to the command line.
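
The per-connection setting for IBM MQ classes for Java can look like the following. This is an added example, not code from the IBM documentation. The host name, port, channel name, queue manager name (QM1) and the environment variable names are assumptions.

```java
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;
import com.ibm.mq.constants.MQConstants;
import java.util.Hashtable;

public class MqcspConnect {
    // Builds the properties hashtable passed to the MQQueueManager constructor.
    // useMqcsp=true selects MQCSP authentication mode, false selects compatibility mode.
    static Hashtable<String, Object> connectionProps(String user, String password, boolean useMqcsp) {
        Hashtable<String, Object> props = new Hashtable<>();
        props.put(MQConstants.HOST_NAME_PROPERTY, "mq.example.internal"); // assumed host
        props.put(MQConstants.PORT_PROPERTY, 1414);                       // assumed listener port
        props.put(MQConstants.CHANNEL_PROPERTY, "APP.SVRCONN");           // assumed SVRCONN channel
        props.put(MQConstants.USER_ID_PROPERTY, user);
        props.put(MQConstants.PASSWORD_PROPERTY, password);
        props.put(MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY, useMqcsp);
        return props;
    }

    public static void main(String[] args) {
        // Credentials come from the environment (assumed variable names),
        // so they are not embedded in source or visible on the command line.
        String user = System.getenv("MQ_APP_USER");
        String password = System.getenv("MQ_APP_PASSWORD");
        if (user == null || password == null) {
            System.err.println("Set MQ_APP_USER and MQ_APP_PASSWORD before running");
            System.exit(2);
        }
        MQQueueManager qmgr = null;
        try {
            qmgr = new MQQueueManager("QM1", connectionProps(user, password, true));
            System.out.println("Connected using MQCSP authentication mode");
        } catch (MQException e) {
            if (e.reasonCode == MQConstants.MQRC_NOT_AUTHORIZED) {
                // 2035: the queue manager rejected the connection.
                System.err.println("Not authorized (2035): check the user ID and password");
            } else {
                System.err.println("Connect failed, reason code " + e.reasonCode);
            }
        } finally {
            if (qmgr != null) {
                try { qmgr.disconnect(); } catch (MQException ignored) { }
            }
        }
    }
}
```

Passing false as the last argument to connectionProps selects compatibility mode for that connection, in which case the MCAUSER must be set by ADOPTCTX(YES) or another method as described above.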

Choosing authentication mode in IBM MQ Explorer

The IBM MQ Explorer is a Java application, so these two modes, compatibility mode and MQCSP authentication mode, are applicable to it as well.

[V9.0.4 Oct 2017] From IBM MQ 9.0.4, MQCSP authentication mode is the default. Before IBM MQ 9.0.4, compatibility mode is the default.

On panels where user identification is provided, there is a check box to enable or disable compatibility mode:
  • [V9.0.4 Oct 2017] From IBM MQ 9.0.4, by default, this check box is not selected. To use compatibility mode, select this check box.
  • Before IBM MQ 9.0.4, by default, this check box is selected. To use MQCSP authentication, clear the check box.