Connection authentication with the Java client

Connection authentication is a feature in IBM® MQ that allows the queue manager to be configured to authenticate applications by using a provided user ID and password. When the application is a Java application using client bindings, connection authentication can run in one of two modes.

Compatibility mode

In releases prior to IBM MQ 8.0, the Java client could send a user ID and password across the client-connection channel to the server-connection channel, and have them provided to a security exit in the RemoteUserIdentifier and RemotePassword fields of the MQCD structure. In compatibility mode, this behavior is retained.

You might use this mode in combination with connection authentication, and migrate away from any security exits that were previously used to do the same job.

When using compatibility mode, you must use ADOPTCTX(YES), or have another method (for example, a CHLAUTH rule based on an SSL/TLS certificate) to set the running MCAUSER, because in this mode the client-side user ID is not sent to the queue manager.

Compatibility mode is the default setting.

MQCSP authentication mode

In this mode, the client-side user ID is sent in addition to the user ID and password to be authenticated, so you can use ADOPTCTX(NO). The user ID and password are available to a server-connection security exit in the MQCSP structure provided in the MQCXP structure.

This mode of operation can be enabled on a connection-by-connection basis or globally:
  • In IBM MQ classes for Java, set the property MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY to true in the properties hashtable passed to the com.ibm.mq.MQQueueManager constructor.
  • In IBM MQ classes for JMS, set the property JmsConstants.USER_AUTHENTICATION_MQCSP to true on the appropriate connection factory before creating the connection.
  • Globally, set the system property com.ibm.mq.cfg.jmqi.useMQCSPauthentication to a value indicating true, for example, by adding -Dcom.ibm.mq.cfg.jmqi.useMQCSPauthentication=Y to the command line.
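
The two per-connection settings listed above, shown as an added example that is not part of the original IBM documentation. The host, port, channel, queue manager name and the MQ_APP_USER / MQ_APP_PASSWORD environment variable names are constructed placeholders, and the JMS 2.0 (javax.jms) client JAR is assumed to be on the class path.

```java
import java.util.Hashtable;
import javax.jms.Connection;
import javax.jms.JMSException;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;
import com.ibm.mq.constants.MQConstants;
import com.ibm.msg.client.jms.JmsConnectionFactory;
import com.ibm.msg.client.jms.JmsConstants;
import com.ibm.msg.client.jms.JmsFactoryFactory;
import com.ibm.msg.client.wmq.WMQConstants;

public class MqcspAuthExample {
    // Constructed sample connection details; replace with your own.
    static final String HOST = "mq.example.com";
    static final int PORT = 1414;
    static final String CHANNEL = "APP.SVRCONN";
    static final String QMGR = "QM1";

    // IBM MQ classes for Java: MQCSP mode is requested in the properties hashtable.
    static MQQueueManager connectClassesForJava(String user, String password) throws MQException {
        Hashtable<String, Object> props = new Hashtable<>();
        props.put(MQConstants.HOST_NAME_PROPERTY, HOST);
        props.put(MQConstants.PORT_PROPERTY, PORT);
        props.put(MQConstants.CHANNEL_PROPERTY, CHANNEL);
        props.put(MQConstants.USER_ID_PROPERTY, user);
        props.put(MQConstants.PASSWORD_PROPERTY, password);
        props.put(MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY, true); // omit for compatibility mode
        return new MQQueueManager(QMGR, props);
    }

    // IBM MQ classes for JMS: the property must be set before createConnection().
    static Connection connectJms(String user, String password) throws JMSException {
        JmsConnectionFactory cf = JmsFactoryFactory.getInstance(WMQConstants.WMQ_PROVIDER).createConnectionFactory();
        cf.setStringProperty(WMQConstants.WMQ_HOST_NAME, HOST);
        cf.setIntProperty(WMQConstants.WMQ_PORT, PORT);
        cf.setStringProperty(WMQConstants.WMQ_CHANNEL, CHANNEL);
        cf.setStringProperty(WMQConstants.WMQ_QUEUE_MANAGER, QMGR);
        cf.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT);
        cf.setBooleanProperty(JmsConstants.USER_AUTHENTICATION_MQCSP, true);
        return cf.createConnection(user, password);
    }

    public static void main(String[] args) throws Exception {
        String user = System.getenv("MQ_APP_USER");         // hypothetical variable name
        String password = System.getenv("MQ_APP_PASSWORD"); // keeps the secret out of source
        if (user == null || password == null) throw new IllegalStateException("credentials not set");
        connectClassesForJava(user, password).disconnect();
        connectJms(user, password).close();
    }
}
```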

Enabling MQCSP Authentication mode in IBM MQ Explorer

The MQ Explorer is a Java application, so these two modes are applicable to it as well.

As for other Java applications, compatibility mode is the default.

On panels where user identification is provided, there is a check box to enable or disable compatibility mode.

By default, this check box is selected. To use MQCSP authentication, clear this check box.