The MQCSP structure enables the authorization service to authenticate a
user ID and password from the client. The MQCSP connection security
parameters structure is specified on an MQCONNX call. Prior to
WebSphere MQ version 8, passwords sent from the client to the queue
manager crossed the network in plain text unless SSL/TLS encryption was
used, which is insecure. MQ version 8 provides options to protect
passwords included in the MQCSP structure, either by using WebSphere MQ
functionality or by using SSL/TLS encryption.
This password protection mechanism is applicable to MQ version 8 queue managers, MQI C clients, Java and JMS clients, and .NET clients. Password protection is used when all of the following conditions are met:
-Both ends of the connection are using WebSphere MQ version 8.0.
-The channel is not using SSL/TLS encryption.
-If the client is WebSphere MQ Explorer and user identification compatibility mode is not enabled, which is not the default. This condition is applicable only to WebSphere MQ Explorer.
-If the client is a Java or JMS application and the useMQCSPauthentication configuration setting is set to true, which is not the default. This condition is applicable only to Java and JMS client applications.
MQ version 8 supports 2 password protection algorithms:
-"null" algorithm, which sends the password as plain text, as seen in all MQ versions
-"real" password protection algorithm, which uses Triple DES (3DES) based encryption.
By default, passwords will automatically be protected whenever both ends of the client/server connection are running MQ 8.0 or higher. MQ version 8 provides control over configuration settings via the "PasswordProtection"
attribute. The value of the PasswordProtection attribute in the
Channels section of client and queue manager .ini configuration files
can take one of three values:
COMPATIBLE
This is the default value. When communicating with MQ 8.0, a real password protection algorithm must be negotiated. When communicating with MQ 7.5 or lower versions, the null password protection algorithm can be used for interoperability.
ALWAYS
When communicating with MQ 8.0, a real password protection algorithm must be negotiated. With this setting we cannot communicate with MQ 7.5 or lower versions.
OPTIONAL
Any mutually-supported password protection algorithm is allowed.
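One way to check which setting is actually in force, as an added example (not code from the original post or from IBM): a small Python audit that reads the Channels stanza of a qm.ini or mqclient.ini and grades the PasswordProtection value by whether it permits fallback to the null algorithm. The ok/warn/fail grading, the case-insensitive matching and the sample file contents are assumptions of this example.

```python
import re

# What each PasswordProtection value permits, as described in the text above.
VERDICT = {
    "ALWAYS": "ok",        # real algorithm required, no null fallback
    "COMPATIBLE": "warn",  # null (plain text) allowed with MQ 7.5 or lower peers
    "OPTIONAL": "fail",    # any mutually supported algorithm, null included
}

def effective_password_protection(ini_text):
    """Return the PasswordProtection value in force for MQ .ini text.

    Only the Channels stanza counts; if the attribute is absent there, the
    default, COMPATIBLE, applies. Matching is case-insensitive (assumption).
    """
    stanza, value = None, "COMPATIBLE"
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"(\w+):", line)   # stanza header, e.g. "Channels:"
        if header:
            stanza = header.group(1).lower()
        elif stanza == "channels" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() == "passwordprotection":
                value = val.strip().upper()
    return value

def audit(ini_text):
    """Return (value, verdict); unrecognised values are graded as failures."""
    value = effective_password_protection(ini_text)
    return value, VERDICT.get(value, "fail")

# Constructed sample files, not taken from a real installation.
QM_INI_OPTIONAL = ("Log:\n   LogType=CIRCULAR\n"
                   "Channels:\n   MaxChannels=200\n   PasswordProtection=OPTIONAL\n")
CLIENT_INI_DEFAULT = "# no PasswordProtection line\nChannels:\n   DefRecon=YES\n"
# Attribute placed under the wrong stanza: it has no effect, the default applies.
CLIENT_INI_MISPLACED = "TCP:\n   PasswordProtection=ALWAYS\nChannels:\n   DefRecon=YES\n"
CLIENT_INI_ALWAYS = "Channels:\n   PasswordProtection=always  \n"

if __name__ == "__main__":
    for name in ("QM_INI_OPTIONAL", "CLIENT_INI_DEFAULT",
                 "CLIENT_INI_MISPLACED", "CLIENT_INI_ALWAYS"):
        print(name, *audit(globals()[name]))
```

Run it against both ends of a connection: the value is set separately in the client and queue manager files.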
The following link shows the possible forms of connection for each value of PasswordProtection:
http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q118710_.htm?lang=en
The password protection mechanism doesn't provide as wide a variety of encryption algorithms as SSL/TLS encryption. With SSL/TLS encryption, the user has the option of choosing the encryption type. SSL encryption is still the preferred method over WebSphere MQ password protection, especially when the network between the client and queue manager is untrusted, as SSL/TLS encryption is more secure. The password protection mechanism is suitable for customers who don't use SSL because of the overhead of certificate management.
Connection authentication using MQCSP requires changes on both the client and the server. Application changes for connection authentication:
MQI: For an application using MQI to connect to the queue manager, the MQCONNX call and the MQCSP structure should be used. Sample C code fragment for connection authentication:
#include <string.h>
#include <cmqc.h>
char *QMName = "queue_manager";
char *Userid = "user_id";
char *Password = "password";
MQHCONN Hcon;                 /* connection handle returned by MQCONNX */
MQLONG CompCode, CReason;     /* completion and reason codes */
MQCNO cno = {MQCNO_DEFAULT};
MQCSP csp = {MQCSP_DEFAULT};
/* Attach the security parameters to the connect options */
cno.SecurityParmsPtr = &csp;
cno.Version = MQCNO_VERSION_5;
csp.AuthenticationType = MQCSP_AUTH_USER_ID_AND_PWD;
csp.CSPUserIdPtr = Userid;
csp.CSPUserIdLength = (MQLONG)strlen(Userid);
csp.CSPPasswordPtr = Password;
csp.CSPPasswordLength = (MQLONG)strlen(csp.CSPPasswordPtr);
MQCONNX(QMName, &cno, &Hcon, &CompCode, &CReason);
Object-oriented languages: in classes such as the Java classes, properties are set before connecting to the queue manager. Java code fragment for connection authentication:
import java.util.Hashtable;
import com.ibm.mq.MQQueueManager;
import com.ibm.mq.constants.MQConstants;
String QMName = "queue_manager";
String Userid = "user_id";
String Password = "password";
Hashtable<String, Object> h = new Hashtable<String, Object>();
h.put(MQConstants.USER_ID_PROPERTY, Userid);
h.put(MQConstants.PASSWORD_PROPERTY, Password);
// Send the credentials in an MQCSP structure
h.put(MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY, true);
MQQueueManager qMgr = new MQQueueManager(QMName, h);
Alternatively, the MQEnvironment property class can be used:
import java.util.Hashtable;
import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQQueueManager;
String QMName = "queue_manager";
String Userid = "user_id";
String Password = "password";
MQEnvironment.properties = new Hashtable();
MQEnvironment.userID = Userid;
MQEnvironment.password = Password;
MQQueueManager qMgr = new MQQueueManager(QMName);
JMS & XMS: Connection methods take user ID and password parameters:
connectionFactory.createConnection(Userid, Password);
Information on configuring the server queue manager to check the authenticity of the user ID and password supplied by the client application can be found here:
http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q113250_.htm?lang=en
With the above changes on both the client and the server, the password will be sent protected if both ends of the connection are using MQ version 8.