MQ Authenticate User Security Exit Overview
The MQ Authenticate User Security Exit v3.5.0 is a solution that allows a company to fully authenticate a user who is accessing an IBM MQ resource.
- MQAUSX can authenticate the user's UserID and Password (and possibly Domain Name) against:
  - Server's native OS system (Local OS)
  - Remote LDAP server
  - Microsoft's Active Directory
  - Quest Authentication Services* (QAS) aka Vintela Authentication Services* (VAS)
  - Centrify's DirectControl*
  - PAM* (Pluggable Authentication Module)
  - An encrypted MQAUSX FBA file
The security exit operates with IBM MQ v7.1, v7.5, v8.0, v9.0, v9.1, v9.2, v9.3 and v9.4 in Windows, IBM i (OS/400), Unix and Linux environments. It works with the Server Connection, Client Connection, Sender, Receiver, Server, Requester, Cluster-Sender and Cluster-Receiver channels of an IBM MQ queue manager.
On AIX, HP-UX, Linux, Solaris and Windows, MQAUSX can be configured and used with a non-default installation of MQ in a multi-install MQ environment.
The MQ Authenticate User Security Exit solution is composed of 2 components: a client-side security exit and a server-side security exit.
- MQAUSX is 4 products in 1:
  - If the client application is configured with the client-side security exit, then the user credentials are encrypted and sent to the remote queue manager. This is the best level of security.
  - If the client application is not configured with the client-side security exit and both the client-side AND server-side are at MQ V8, then MQ V8 will encrypt the user credentials as they flow from the client application to the queue manager.
  - If the client application is not configured with the client-side security exit, then the user credentials are sent in plain text to the remote queue manager. This feature is available for Java/JMS, Java and C# DotNet client applications. For native applications (i.e. C/C++), the application must use and populate the MQCSP structure with the UserID and Password.
    - Using MQAUSX with No Client-side Security Exit - Part 1 (coding examples)
    - Using MQAUSX with No Client-side Security Exit - Part 2 (configuring tools like MQ Explorer, SupportPac MO71, etc.)
  - If the MQAdmin sets the MQAUSX IniFile parameter NoAuth to Y, then it functions just like MQSSX. MQSSX does not authenticate. It filters the incoming connection based on UserID, IP address and/or SSL DN.
Client-Side Security Exit Summary
- The client-side security exit is available in 5 forms:
  - Windows DLL (both 32-bit & 64-bit)
  - Windows DLL for managed .NET (both 32-bit & 64-bit)
  - Java JAR
  - Shared library for AIX, HP-UX, Linux and Solaris
  - IBM i (OS/400) exit module
- The client-side security exit has been tested against the following MQ client programs:
  - IBM's MQ Explorer
  - SupportPac MO71 (MQMon)
  - IBM's WBIMB Eclipse Tool Kit
  - WebSphere Message Broker Explorer V8.0 or higher
  - IBM DataPower
  - BMC Middleware Management - Administration (BMM Admin)
  - BMC's Administration for IBM MQ (AppWatch)
  - webMethods MQ Adapter
  - Mercury's SiteScope
  - Capitalware's MQ Visual Edit, MQ Visual Browse, MQ Batch Toolkit & Universal File Mover
  - J2EE application servers (i.e. WebLogic, WebSphere, JBoss, etc.)
  - Any program that uses Client Channel Tables (i.e. SupportPac MS03, WatchQ, etc.)
- Complete programming examples that utilize the client-side security exit:
  - 8 examples for the C programming language
  - 8 examples for the C++ programming language
  - 8 examples for the C# .NET programming language
  - 12 examples for the Java and Java/JMS programming language
  - 4 examples for the VB programming language
Server-Side Security Exit Summary
- The server-side security exit is available in 3 forms:
  - Windows DLL
  - Shared library for AIX, HP-UX, Linux and Solaris
  - IBM i (OS/400) exit module
- The server-side security exit's major features are:
  - Authenticates a user against the server’s native OS system, LDAP server, Microsoft's Active Directory, Quest Authentication Services*, Centrify's DirectControl*, PAM* or MQAUSX FBA file
  - Allows or restricts the incoming UserID against a Group
  - Provides support for Proxy UserIDs
  - Ability to assign a Password to a queue manager for client authentication
  - Allows or restricts the incoming IP address against a regular expression pattern
  - Allows or restricts the incoming Hostname against a regular expression pattern
  - Allows or restricts the incoming SSL DN against a regular expression pattern
  - Allows or restricts the incoming UserID against a regular expression pattern
  - Allows or restricts the incoming AD server name against a regular expression pattern**
  - Allows or restricts the use of ‘mqm’, ‘MUSER_MQADMIN’ or ‘QMQM’ UserIDs
  - Ability to use a Credential Cache to speed up authentication
  - Ability to turn off server-side authentication
  - Includes a CHAD exit used to secure cluster channels
  - Ability to set the maximum number of allowable connections per given channel (MCC)
  - Ability to monitor for excessive client connections (ECC) and then generate an alert
  - Provides monitoring tool tie-in by using custom MQ event messages
  - Provides logging capability for all connecting client applications, regardless of whether they are successful or not

** Windows only

- The server-side security exit has been tested against and is supported for the following LDAP servers:
  - Microsoft's Active Directory for Windows 2000 Server or higher
  - Novell's eDirectory v8 or higher
  - OpenLDAP v2.1 or higher
  - Oracle 9i Internet Directory or higher
  - Tivoli Directory Server for IBM i (OS/400)
  - z/OS Integrated Security Services LDAP Server v1.6 or higher
Pricing
- The server-side security exits are provided in the format of a native DLL / shared library and are currently available for AIX, HP-UX, IBM i (OS/400), Linux, Solaris and Windows. The pricing of Capitalware's MQ Authenticate User Security Exit solution is on a 'per queue manager' basis.
Operating System | |
AIX v7.1 or higher | 64-bit |
IBM i v7.1 or higher | 64-bit |
HP-UX IA64 v11.23 or higher | 64-bit |
Linux x86 | 32-bit |
Linux x64 | 64-bit |
Linux on POWER | 64-bit |
Linux on System z (zSeries) | 64-bit |
Raspberry Pi (ARM) | 32-bit |
Solaris SPARC v10 & v11 | 64-bit |
Solaris x64 v10 & v11 | 64-bit |
Windows 7, 8, 8.1, 10 & 11 | 32-bit & 64-bit |
Windows Server 2008, 2012, 2016, 2019 & 2022 | 32-bit & 64-bit |
- The client-side security exits are included for FREE and can be distributed to an unlimited number of remote servers or PCs with MQ client applications (the user only pays for the server-side licenses).
Product | Price (USD) * |
MQ Authenticate User Security Exit (per license**) | $499.00 |
Yearly maintenance and support fee | 15% |
Total | $574.00 |
* Volume discounts available for as low as $299.00 USD per license plus 15% yearly maintenance and support fee.
** MQ Authenticate User Security Exit is licensed on a per queue manager basis.
- Each licensed user will receive:
  - Full version of MQ Authenticate User Security Exit
  - Free updates / upgrades to any version 3.x release
  - Email / Help Desk support
Enterprise License for MQ Authenticate User Security Exit:
The Enterprise License for MQ Authenticate User Security Exit sells for $90,000 USD plus a 15% yearly maintenance and support fee. An enterprise license allows a company to have an unlimited number of queue managers use MQ Authenticate User Security Exit at an unlimited number of locations.