WebSphere MQ

IBM MQ Connection Authentication

When a client connects to IBM MQ, authentication and authorization are applied at three levels:

1. Connection Authentication [happens first]

2. Channel Authentication [second level of authentication]

3. Object Authorization [whether the supplied user has access to the specified object, e.g. a queue, topic or channel]

Steps to Enable Connection Authentication

First, verify whether connection authentication is enabled with the command below:

DIS QMGR CONNAUTH

If CONNAUTH is blank, connection authentication is disabled. The steps to enable it are:

Step 1.

Display the default AUTHINFO objects of the queue manager. Execute DISPLAY AUTHINFO(*) to list the available objects.

DISPLAY AUTHINFO(*)

1 : DISPLAY AUTHINFO(*)
AMQ8566I: Display authentication information details.
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP)
AUTHTYPE(IDPWLDAP)
AMQ8566I: Display authentication information details.
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AUTHTYPE(IDPWOS)
AMQ8566I: Display authentication information details.
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.OCSP)
AUTHTYPE(OCSP)
AMQ8566I: Display authentication information details.
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.CRLLDAP)
AUTHTYPE(CRLLDAP)

The most commonly used AUTHINFO objects are:

1. SYSTEM.DEFAULT.AUTHINFO.IDPWOS

– authenticates the incoming user ID and password against the local operating system.

2. SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP

– authenticates against an LDAP directory.

Step 2.

Point the queue manager's CONNAUTH attribute at one of the above AUTHINFO objects using either of the commands below:

ALTER QMGR CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)

OR

ALTER QMGR CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP)

Step 3.

Let's use local OS authentication. Use the commands below to enable it:

ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKLOCL(REQUIRED)

REFRESH SECURITY TYPE(CONNAUTH)

Validate the configuration

To connect successfully, first set the user ID with the command below. The user ID must exist on the queue manager host and must have the permissions required to put messages to the queue:

export MQSAMP_USER_ID=<userid>

Note: once connection authentication is set up, you cannot even connect with runmqsc without credentials. Use the command below to connect, specifying the credentials of a user on the queue manager host:

runmqsc -u <userid> <qmgr>

Example: runmqsc -u mqm qmgr1

If you do not specify a user when putting messages to a queue, the following error is logged:

06/19/2020 12:26:31 AM - Process(14218.11) User(mqm) Program(amqzlaa0) Host(control.example.com) Installation(Installation1) VRMF(9.1.0.0) QMgr(qmgr1) Time(2020-06-19T04:26:31.762Z) CommentInsert1(amqsputc)
AMQ5540E: Application 'amqsputc' did not supply a user ID and password
EXPLANATION: The queue manager is configured to require a user ID and password, but none was supplied.
ACTION: Ensure that the application provides a valid user ID and password, or change the queue manager configuration to OPTIONAL to allow applications to connect which have not supplied a user ID and password.

This shows that Connection Authentication has been setup and is working properly.
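As an added check, not part of the original post: a small POSIX shell audit that reads what runmqsc prints for DIS QMGR CONNAUTH and DIS AUTHINFO(...) ALL and reports whether connection authentication is disabled, partial or fully enforced. It also inspects CHCKCLNT, an AUTHINFO attribute not covered above: it governs client connections such as amqsputc the way CHCKLOCL governs locally bound applications, and its default REQDADM challenges only privileged users, which is why the mqm user in the test above was challenged.

```shell
# Audit helper for IBM MQ connection authentication. Feed it what runmqsc
# prints for "DIS QMGR CONNAUTH" and "DIS AUTHINFO(...) ALL"; the samples
# at the bottom are constructed to resemble that output.

# Print the value of attribute $1 from runmqsc output on stdin.
# runmqsc shows an unset attribute as "CONNAUTH( )", which yields "".
mqsc_attr() {
  sed -n "s/^.*$1(\([^)]*\)).*/\1/p" | head -n 1 | tr -d ' '
}

# Classify the posture from "DIS QMGR CONNAUTH" output ($1) and the
# "DIS AUTHINFO(<name>) ALL" output for the object CONNAUTH names ($2):
#   DISABLED - CONNAUTH is blank, so no connection authentication at all
#   PARTIAL  - some connections are still accepted without credentials
#              (NONE, OPTIONAL, or REQDADM, which challenges only
#              privileged users such as members of the mqm group)
#   ENFORCED - CHCKLOCL (local apps) and CHCKCLNT (clients) are both REQUIRED
connauth_posture() {
  connauth=$(printf '%s\n' "$1" | mqsc_attr CONNAUTH)
  [ -n "$connauth" ] || { echo DISABLED; return 0; }
  chcklocl=$(printf '%s\n' "$2" | mqsc_attr CHCKLOCL)
  chckclnt=$(printf '%s\n' "$2" | mqsc_attr CHCKCLNT)
  [ -n "$chcklocl" ] && [ -n "$chckclnt" ] || { echo UNKNOWN; return 0; }
  if [ "$chcklocl" = REQUIRED ] && [ "$chckclnt" = REQUIRED ]; then
    echo ENFORCED
  else
    echo PARTIAL
  fi
}

# Constructed samples (not captured from a real queue manager).
QMGR_BLANK='     1 : DIS QMGR CONNAUTH
AMQ8408I: Display Queue Manager details.
   QMNAME(qmgr1)                           CONNAUTH( )'
QMGR_IDPWOS='     1 : DIS QMGR CONNAUTH
AMQ8408I: Display Queue Manager details.
   QMNAME(qmgr1)                           CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)'
# State after Step 3 above: CHCKLOCL set, CHCKCLNT left at its default.
AUTHINFO_STEP3='     1 : DIS AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) ALL
AMQ8566I: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)  AUTHTYPE(IDPWOS)
   CHCKCLNT(REQDADM)                       CHCKLOCL(REQUIRED)'
AUTHINFO_HARDENED='     1 : DIS AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) ALL
AMQ8566I: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)  AUTHTYPE(IDPWOS)
   CHCKCLNT(REQUIRED)                      CHCKLOCL(REQUIRED)'

connauth_posture "$QMGR_BLANK"  "$AUTHINFO_STEP3"     # DISABLED
connauth_posture "$QMGR_IDPWOS" "$AUTHINFO_STEP3"     # PARTIAL
connauth_posture "$QMGR_IDPWOS" "$AUTHINFO_HARDENED"  # ENFORCED
```

To audit a live queue manager, replace the constructed samples with the text that `echo "DIS QMGR CONNAUTH" | runmqsc <qmgr>` and the matching DIS AUTHINFO command actually print.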
