Authentication in MQ - Abstract
Authentication in MQ - Abstract
Authentication in MQ - Abstract
Morag Hughson
Authentication in MQ - Abstract
Over the last few releases of IBM MQ, there have been a number of security
N features added that provide authentication features. This session illustrates all
those features and how they work together. This session will cover the use of
SSL/TLS on channels (and some changes in this area in MQ V8); the security exit
facility which is still available although some of the common uses for it are now built
O into the MQ product; the use of CHLAUTH rules (added in MQ V7.1 and enhanced
in MQ V8) and the MQ V8 feature Connection Authentication, which allows the
validation of user ID and password from an application at connect time.
Authentication - Applications
O/S Logon
Useful for locally bound applications
Not to be relied upon for client applications!
Connection Authentication using MQCONNX
Introduced in V8
Agenda
We’ll take a little time to remind ourselves what each of these features is and how it
N works. Then we’ll look at how these features work together and how the
authentication features ultimately can set the user ID used for authorization checks.
MQ Application
QM1 QM2
Client
Application
Transmission MCA Queues
Queue
Application
Channels
Queues
MQ Application Transmission
Queue
Local
Identification
O When an MQ application connects remotely to a queue manager it can assert an identity
across the network connection to the queue manager. This identity could be anything and so
should not be trusted without some form of queue manager side authentication.
Authentication
Authentication is the way in which a channel ensures that the other end of the channel is who
T they say they are. Channels can make use of SSL/TLS to authenticate a digital certificate sent
by the partner. In WebSphere MQ V7.1 Channel Authentication Records can be used to do
many of the jobs a security exit can do, such as allowing or blocking a channel based on IP
address, Certificate DN, Remote Queue Manager Name or Client User ID.
Once a remote partner has been authenticated, Channel Authentication Records or a security
exit can also set the identity that this channel will use for all access control checks.
E Confidentiality
In an ideal environment all channels would be running inside the enterprise with good physical
security. However, often there will be cross enterprise channels or channels running on
networks where physical security can not be guaranteed. In those cases it is worth
considering adding some level of encryption to the data flow. This can either be done in
channel exits or by using SSL/TLS on the channels.
S
Security Exits
Many Vendor exits available
BP A BP B
New in
V8
BP A BP B
Message
Channel
Website A’s
website-a.com Digital Certificate
CA Sig
CA Sig
website-c.com
Website C's
Digital Certificate
CA Sig
Message
SSL Peer
QM Name
Client User
Address/Hostname
IP
SSL Peer Name Restrict
Remote QMgr Name By
Client User ID
Mapped
Can add IP address/Hostname
Restrict where an SSL Certificate
can be used from SSL Peer X X 8
Specific IP address/Hostname
QM Name 8
Restrict where a queue manager
or client user ID can come from Client User 8
Specific IP address/Hostname IP Address
Internal CAs
Less rigid
May give out certs exactly as requested
May end up with clashes
O This is especially important if you have more than one Certificate Authority (CA) certificate in
your key repository which you may be more likely to do with the introduction of multiple
certificates for one queue manager which was a new feature in MQ V8.
However, since we now accept certificates which come from two different Certificate Authorities
(CAs) we can run foul of another issue.
T One of the benefits of Externals CAs is that they guarantee not to issue the certificates with the
same DN as another certificate that they have already issued. However, an internal CA may not be
so diligent. Some internal CAs may simply accept what the user requests as their DN, so our rogue
could obtain a certificate with non-unique DN from such a CA.
The only way to solve this issue in the past was to use a security exit, since security exits are
presented with both the issuer’s and subject’s Distinguished Name. However, we are trying to get
E away from people having to write exits for common security issues, and this very much falls into that
category.
In MQ V8, we can solve this issue by using a new attribute on CHLAUTH rules which matches the
issuer’s DN – SSLCERTI. Our CHLAUTH rules can now be fully qualified to use both SSLPEER (the
subject’s DN) and SSLCERTI (the issuer’s DN).
S
5 IP address
Within SSL Peer Name matching 6 Hostname One IP address can have multiple
hostnames
Most specific substring is
matched
2 T= Title
CN=Morag
Hughson
Match 5 L= Locality
7 C= Country
“Our
“Our
“OurBusiness
internal
Administrators
cluster
Partners
doesn’t
connect
mustuse
all
in connect
using
SSL, but
MQ using
we
Explorer,
must
SSL,ensure
but
so we
don’t
only
willuse
map
the
“We must make sure our system is completely locked down”
correct
SSL.queue
their
We access
will
managers
mapfrom
theircan
the
access
connect
certificate
by IP
into
DNs”
Address”
the cluster”
MQ Application
QM1 QM2
Client
Application
Transmission MCA Queues
Queue
Application
Channels
Queues
MQ Application Transmission
Queue
Local
MQCONNX
Connection Security Parameters
User ID and Password
O Identification
When an MQ application connects to the queue manager the O/S is interrogated to
discover the user ID that it is running under. This is used as the identity. We can
see this user ID in the context information of a message.
T Authentication
A locally bound MQ application is running against MQ under an user ID that the O/S
has provided and which has been logged onto prior to running the application. This
E may be enough authentication for a locally bound application for your business
purposes, or you may wish more.
csp.AuthenticationType = MQCSP_AUTH_USER_ID_AND_PWD;
csp.CSPUserIdPtr = "hughson";
csp.CSPUserIdLength = 7; /* Max: MQ_CLIENT_USER_ID_LENGTH */
csp.CSPPasswordPtr = "passw0rd";
csp.CSPPasswordLength = 8; /* Max: MQ_CSP_PASSWORD_LENGTH */
MQRC_NONE (0)
QMgr
Application (User2)
On z/OS passphrases
MQCONNX can be used
User1 + pwd1
O/S User
Repository
(z/OS + Dist)
User ID set by ADOPTCTX(YES) The queue manager wide setting to adopt the
password authenticated user ID as the user to be
used will over-ride the above.
Q1 Authority
Checks
MCAUSER set on SVRCONN A handy trick to ensure that the client flowed ID is never used
channel definition is to define the MCAUSER as ‘rubbish’ and then anything that
is not set appropriately by one of the next methods cannot
connect.
MCAUSER set by ADOPTCTX(YES) The queue manager wide setting to adopt the password
authenticated user ID as the MCAUSER will over-ride either
of the above.
MCAUSER set by CHLAUTH rule To allow more granular control of MCAUSER setting, rather
than relying on the above queue manager wide setting, you
can of course use CHLAUTH rules
MCAUSER set by Security Exit Although CHLAUTH gets the final say on whether a
connection is blocked (security exit not called in that case),
the security exit does get called with the MCAUSER
CHLAUTH has decided upon, and can change it.
Application
MQOPEN User Data (MQPUT) Queues
MQGET User Data (MQGET)
IBMUSER
Channel MCAUSER = CLNTUSR
Client Channel
Digital Certificate for Authentication
Set MCAUSER based on DN CHLAUTH Rules
Fully qualified DN checking SET CHLAUTH(*) TYPE(SSLPEERMAP)
SSLPEER('O=IBM') SSLCERTI('CN=MQ CA')
Address restrictor for extra proof ADDRESS('9.20.21.22')
MCAUSER('IBMUSER')
Application
MQOPEN User Data (MQPUT) Queues
MQGET User Data (MQGET)
Channel MCAUSER = USR123
CLNTUSR
Client Channel
Certificates and Password Validation
CHLAUTH Rules
SET CHLAUTH(*) TYPE(SSLPEERMAP)
Set MCAUSER based on
SSLPEER('O=IBM') SSLCERTI('CN=MQ CA')
Either DN as before ADDRESS('9.20.21.22')
Or validated user ID USERSRC(CHANNEL)
your needs
*SYSTEM
keystores Dist SHA-2
on z
V7.5
V8
on IBM i
GSKit
MQCSP on Win V7.1
Channel Exits V7.0.1
V7
Authorization
provided from V6
day 1
V5.3
V5.2
V5 V5.1
V2.1
V1.1
V2 IBM MQ
V1 IBM MQ Advanced
IBM Message Security
WebSphere MQ
IBM MQSeries
1990s 2000s 2010s