Rajindra Pradhan

Reputation: 25

Can MQIPT be configured to authenticate the credentials set by MQ client for a specific connection

Scenario: MQIPT is used in between an MQ client and an MQ server version 8.

Is it possible to validate the credentials sent along with the channel connection at MQIPT? I checked the documentation and it seems it cannot be done unless some kind of security exit is written for it.

Just wanted to get views on this, as to how it can be achieved if at all possible.

Thank you.

Upvotes: 1

Views: 531

Answers (1)

JoshMc

Reputation: 10652

The MQIPT com.ibm.mq.ipt.exit.SecurityExit and com.ibm.mq.ipt.exit.CertificateExit classes do not expose the username and password information for a client channel. Below is the documentation from IBM on these two types of exits.

The com.ibm.mq.ipt.exit.SecurityExit class is documented in the IBM v9.0 Knowledge center with the following information:

public SecurityExitResponse validate(IPTTrace)
The following properties are available:

  • listener port
  • destination
  • destination port
  • timeout
  • client IP address
  • client port address
  • channel name
  • queue manager name

The validate method will be called by MQIPT when it receives a connection request to validate. The channel name and queue manager name will not be available if the SSLProxyMode property has been enabled, as this feature is only used to tunnel SSL/TLS data and therefore the data usually obtained from the initial data flow will be unreadable.

The com.ibm.mq.ipt.exit.CertificateExit class is documented in the IBM v9.0 Knowledge center with the following information:

Supported methods for obtaining properties:
public int getListenerPort()

retrieves the route listener port - as defined by the ListenerPort property

public String getDestination()

retrieves the destination address - as defined by the Destination property

public int getDestinationPort()

retrieves the destination listener port address - as defined by the DestinationPort property

public String getClientIPAddress()

retrieves the IP address of the client making the connection request

public int getClientPortAddress()

retrieves the port address used by the client making the connection request

public boolean isSSLClient()

used to determine if the exit is being called as an SSL/TLS client or SSL/TLS server. If this returns true, the exit is on the client side of the connection, validating the certificate obtained from the server. If this returns false, the exit is on the server side of the connection, validating the certificate sent by the client. It is valid for a route to act as both an SSL/TLS server and an SSL/TLS client, decrypting and re-encrypting traffic. In this situation, although there is a single exit class, some instances of the class will be called as clients and some as servers. You can use isSSLClient to determine the situation for a given instance.

public int getConnThreadID()

used to retrieve the ID of the worker thread that is handling the connection request, which can be useful for debugging.

public String getChannelName()

retrieves the IBM® MQ channel name that is used in the connection request. This is available only when the incoming request is not using SSL/TLS and MQIPT is acting as an SSL/TLS client.

public String getQMName()

retrieves the name of the IBM MQ queue manager used in the connection request. This is available only when the client request is not using SSL/TLS and MQIPT is acting as an SSL/TLS client.

public boolean getTimedout()

used by the exit to determine if the timeout has expired.

public IPTCertificate getCertificate()

retrieves the SSL/TLS certificate that needs to be validated.

public String getExitData()

retrieves the exit data, as defined by the SSLExitData property.

public String getExitName()

retrieves the exit name, as defined by the SSLExitName property.

Upvotes: 1
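The following is an added example, not code from the question, the answer, or IBM's MQIPT samples. It shows what a com.ibm.mq.ipt.exit.SecurityExit can enforce with the properties the answer lists (client IP address, channel name, queue manager name) and, by omission, what it cannot: the user ID and password carried in the channel flows are not exposed to the exit, so nothing here checks them. Assumptions: the package name com.example.mqipt and class name ChannelAllowlistExit are hypothetical; the getters getClientIPAddress(), getQMName(), getChannelName(), getDestination() and getDestinationPort() are assumed to exist on SecurityExit with the same names as the CertificateExit getters quoted above; the SecurityExitResponse(String destination, int destinationPort, boolean success) constructor is assumed; the allowlist entries are constructed sample data.

```java
package com.example.mqipt; // hypothetical package, not part of MQIPT

import com.ibm.mq.ipt.exit.IPTTrace;
import com.ibm.mq.ipt.exit.SecurityExit;
import com.ibm.mq.ipt.exit.SecurityExitResponse;

import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not shipped with MQIPT. Lets a connection through the route
 * only when the client IP, queue manager name and channel name match an
 * allowlist. The MQ user ID and password are NOT available to this exit, so
 * credential checking still has to happen elsewhere.
 */
public class ChannelAllowlistExit extends SecurityExit {

    /** Allowlist: client IP -> set of "QMNAME/CHANNEL" pairs (constructed sample data). */
    private static final Map<String, Set<String>> ALLOWED = new HashMap<>();
    static {
        ALLOWED.put("10.0.1.20", new HashSet<>(Arrays.asList("QM1/APP1.SVRCONN")));
        ALLOWED.put("10.0.1.21", new HashSet<>(Arrays.asList("QM1/APP1.SVRCONN",
                                                             "QM1/ADMIN.SVRCONN")));
    }

    /**
     * Pure policy decision, kept apart from the MQIPT API so it can be unit
     * tested without the MQIPT jar. Fails closed: a missing channel or queue
     * manager name (which the answer notes happens when SSLProxyMode is
     * enabled and MQIPT cannot read the initial flow) is rejected, not passed.
     */
    static boolean isAllowed(String clientIp, String qmName, String channel) {
        if (clientIp == null || qmName == null || channel == null) {
            return false;
        }
        Set<String> permitted = ALLOWED.get(clientIp.trim());
        // Names from the initial flow may carry trailing blanks; normalise before comparing.
        return permitted != null
            && permitted.contains(qmName.trim() + "/" + channel.trim());
    }

    @Override
    public SecurityExitResponse validate(IPTTrace trace) {
        // ASSUMPTION: these getters mirror the CertificateExit getters quoted in the answer.
        String clientIp = getClientIPAddress();
        String qmName   = getQMName();
        String channel  = getChannelName();

        boolean ok = isAllowed(clientIp, qmName, channel);

        // ASSUMPTION: SecurityExitResponse(destination, destinationPort, success).
        // The route's configured destination is kept unchanged; only the success
        // flag decides whether MQIPT forwards the connection or drops it.
        return new SecurityExitResponse(getDestination(), getDestinationPort(), ok);
    }
}
```

To wire an exit like this into a route it is compiled against the MQIPT exit classes and named in the route's exit properties (assumed here to be SecurityExit=true, SecurityExitName=com.example.mqipt.ChannelAllowlistExit and ExitPath pointing at the class location; confirm the property names against the MQIPT documentation for your version). The useful lesson is the shape of the decision: the exit can gate on where a connection comes from and which channel and queue manager it names, but a rejected client IP is not the same thing as a rejected password, so the credential check the question asks about remains the queue manager's job.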
