hdp2000

Reputation: 35

How to use the userId in MQCSP for IBM MQ connection authentication in C client

I have a C client to connect to IBM MQ, and I fill in the userid and password in MQCSP as follows:

        MQCNO Connect_options = {MQCNO_DEFAULT};
        MQCSP   csp = {MQCSP_DEFAULT};
        Connect_options.SecurityParmsPtr = &csp;
        Connect_options.Version = MQCNO_VERSION_5;

        csp.AuthenticationType = MQCSP_AUTH_USER_ID_AND_PWD;
        csp.CSPUserIdPtr = "user2";
        csp.CSPUserIdLength = strlen("user2");
        csp.CSPPasswordPtr = "password";
        csp.CSPPasswordLength = strlen((char*)"password");

I then call MQCONNX() to connect to the MQ server and run the client as the user "user1", but the server always authenticates the user that is running the application, "user1".

I set up the MQ server as follows:

    ALTER QMGR CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
    DEFINE AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) +
        AUTHTYPE(IDPWOS) +
        FAILDLAY(10) +
        CHCKLOCL(OPTIONAL) +
        CHCKCLNT(REQUIRED) +
        ADOPTCTX(YES)
    REFRESH SECURITY TYPE(CONNAUTH)

    define qlocal(HDPARLOCALQUEUE01) replace

    define channel(HDPARCHANNEL) +
       chltype(SVRCONN) +
       trptype(TCP) +
       MCAUSER(' ')
    alter channel(HDPARCHANNEL) +
      chltype(SVRCONN) +
      MCAUSER(' ')
    ALTER QMGR CHLAUTH(DISABLED)

How can I have the MQ server authenticate the user that is provided in the MQCSP?

I have added "ChlauthEarlyAdopt=Y" in qm.ini.

Regards,

Upvotes: 2

Views: 4638

Answers (1)

JoshMc

Reputation: 10652

In order for the IBM MQ queue manager to use the ID you pass in the MQCSP structure for authorization purposes, you need to have the QMGR CONNAUTH's AUTHINFO object configured with ADOPTCTX(YES). In your example you are attempting to do this, but it would fail because the object SYSTEM.DEFAULT.AUTHINFO.IDPWOS exists by default.


If you want to update an existing object you cannot use DEFINE to change it unless you accompany this with the REPLACE keyword, or you can use the ALTER command to accomplish this.


I would also recommend defining your own AUTHINFO object with the parameters you want; this will prevent future upgrades from overwriting any non-default settings.

For example:

    DEFINE AUTHINFO(MY.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKLOCL(OPTIONAL) CHCKCLNT(REQUIRED) ADOPTCTX(YES) LIKE(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
    ALTER QMGR CONNAUTH(MY.AUTHINFO.IDPWOS)
    REFRESH SECURITY TYPE(CONNAUTH)

I also see you disabled CHLAUTH. Normally the default CHLAUTH rules will not cause any problem; they would only prevent two things:

  1. You cannot connect to any channel that begins with SYSTEM; you are not doing this.

  2. You cannot connect as an MQ Admin user such as mqm or equivalent. I see your example shows user2; if this is a user in the mqm group then you would be blocked.

    @MoragHughson has written a nice IBM developerWorks MQdev Blog titled "Getting going without turning off MQ Security" that explains how to keep this security enabled and would be a good starting point.

Upvotes: 3
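
A way to apply and then check the change from runmqsc, added here as an example and not part of the original answer. It uses the ALTER route the answer mentions on the existing object, then displays the settings and the user ID the connection runs under; the object and channel names are the ones from the question.

```mqsc
* Change the existing default object in place (DEFINE without REPLACE
* fails because the object already exists)
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) +
      AUTHTYPE(IDPWOS) +
      CHCKLOCL(OPTIONAL) +
      CHCKCLNT(REQUIRED) +
      ADOPTCTX(YES)
REFRESH SECURITY TYPE(CONNAUTH)

* Confirm which AUTHINFO object the queue manager is actually using
DISPLAY QMGR CONNAUTH

* Confirm the settings took effect on that object
DISPLAY AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) CHCKCLNT CHCKLOCL ADOPTCTX

* With the client connected: user ID the channel instance is running under
DISPLAY CHSTATUS(HDPARCHANNEL) MCAUSER

* User ID associated with each connection on that channel
DISPLAY CONN(*) TYPE(CONN) WHERE(CHANNEL EQ HDPARCHANNEL) USERID APPLTAG
```

If the DISPLAY AUTHINFO output does not show ADOPTCTX(YES), the earlier change was not applied; once it is, MCAUSER and USERID should show the ID passed in MQCSP (user2 in the question) rather than the ID running the client.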
