Security exits can play a role in access control.
Every instance of a channel that is current has an associated channel definition structure, MQCD. The initial values of the fields in MQCD are determined by the channel definition that is created by a WebSphere MQ administrator. In particular, the initial value of one of the fields, MCAUserIdentifier, is determined by the value of the MCAUSER parameter on the DEFINE CHANNEL command, or by the equivalent to MCAUSER if the channel definition is created in another way.
The MQCD structure is passed to a channel exit program when it is called by an MCA. When a security exit is called by an MCA, the security exit can change the value of MCAUserIdentifier, replacing any value that was specified in the channel definition.
On i5/OS(TM), UNIX(R) systems, and Windows(R) systems, unless the value of MCAUserIdentifier is blank, the queue manager uses the value of MCAUserIdentifier as the user ID for authority checks when an MCA attempts to access the queue manager's resources after it has connected to the queue manager. If the value of MCAUserIdentifier is blank, the queue manager uses the default user ID of the MCA instead. This applies only to receiving MCAs and server connection MCAs, and assumes that the PUTAUT parameter is set to DEF in the channel definition. The queue manager always uses the default user ID of a sending MCA for authority checks, even if the value of MCAUserIdentifier is not blank.
On z/OS(R), the queue manager might use the value of MCAUserIdentifier for authority checks, provided it is not blank. For receiving MCAs and server connection MCAs, whether the queue manager uses the value of MCAUserIdentifier for authority checks depends on:
For sending MCAs, it depends on:
The user ID that a security exit stores in MCAUserIdentifier can be acquired in various ways. Here are some examples:
If the user ID that flows from the client system is entering a new security domain and is not valid on the server system, the security exit can substitute the user ID for one that is valid and store the substituted user ID in MCAUserIdentifier.
On a message channel, a security exit called by the sending MCA can send the user ID under which the sending MCA is running. A security exit called by the receiving MCA can then store the user ID in MCAUserIdentifier. Similarly, on an MQI channel, a security exit at the client end of the channel can send the user ID associated with the WebSphere MQ client application. A security exit at the server end of the channel can then store the user ID in MCAUserIdentifier. As in the previous example, if the user ID is not valid on the target system, the security exit can substitute the user ID for one that is valid and store the substituted user ID in MCAUserIdentifier.
If a digital certificate is received as part of the identification and authentication service, a security exit can map the Distinguished Name in the certificate to a user ID that is valid on the target system. It can then store the user ID in MCAUserIdentifier.
For more information about the MCAUserIdentifier field, the channel definition structure, MQCD, and the channel exit parameter structure MQCXP, see WebSphere MQ Intercommunication. For more information about how the MCAUserIdentifier field is used for authority checks on z/OS, see the WebSphere MQ for z/OS System Setup Guide. For more information about the user ID that flows from a client system on an MQI channel, see WebSphere MQ Clients.
On WebSphere(R) MQ client connections, security exits can be used to modify or create the MQCSP structure used in Object Authority Manager (OAM) user authentication. This is described in "Channel-exit programs", in the WebSphere MQ: Intercommunication manual.
Notices |
Downloads |
Library |
Support |
Feedback
![]() ![]() |
lu0secacc |