Another New Feature being added to MQAUSX (and z/MQAUSX)

A customer requested a solution to a problem that is not really an MQ Authenticate User Security Exit (MQAUSX) issue.

The customer has several applications that, shall we say, are poorly written and they will not likely be changed. These particular customer applications connect, open, put (and/or get), close and disconnect from the queue manager (over & over again). The applications generate up to 700 connection requests per minute (over 12,000 per hour). The MQAdmin recently changed the MQAUSX authentication target from Local OS to LDAP over SSL. This has caused a noticeable impact on their LDAP server to the point that the LDAP server is intermittently unavailable.

I have requested that the poorly written applications be changed/updated but it appears there is no interest/motivation to fix the poorly written applications and I keep getting asked to fix MQAUSX. MQAUSX only generates an LDAP request when the application connects to the queue manager.

i.e.
application --> QMgr MCA --> MQAUSX --> LDAP server

So, this is a case of the messenger being shot. I looked at a couple of solutions to the problem but the best answer is to implement a Credential Cache in MQAUSX. When this feature is enabled, MQAUSX will cache the user credentials (in an encrypted format) for ‘x’ minutes (default is 5 minutes) in shared memory. Hence, when there is a new connection, MQAUSX will first check the cache for the incoming UserID and if found then the entry’s timestamp will be checked. If the cache entry has expired then the entry is removed from the cache. If the entry is valid then the cached password is compared to the incoming password. If the passwords match then the connection is allowed. If the passwords do not match then the entry is removed from the cache and MQAUSX will perform an authentication against the target (i.e. LDAP).

UseCredentialCache = Y
CacheLife = 7

The above example says to enable caching of user credentials and make the “time to live” for the credentials be 7 minutes.
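The lookup logic described above, sketched in Python as an added example (this is not Capitalware's code or MQAUSX's implementation). The names `CredentialCache`, `check`, `backend` and `demo` are hypothetical. Two assumptions: a salted PBKDF2 digest stands in for the encrypted password, and only successful authentications are cached.

```python
import hashlib, hmac, os, time

class CredentialCache:
    def __init__(self, authenticate, cache_life_minutes=5, clock=time.monotonic):
        self._authenticate = authenticate    # hypothetical backend check, e.g. an LDAP bind
        self._ttl = cache_life_minutes * 60  # CacheLife is given in minutes
        self._clock = clock
        self._entries = {}                   # UserID -> (salt, digest, stored_at)

    @staticmethod
    def _digest(salt, password):
        # Assumption: a salted PBKDF2 digest stands in for the encrypted password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check(self, user_id, password):
        """Return (allowed, source); source is 'cache' or 'backend'."""
        entry = self._entries.get(user_id)
        if entry is not None:
            salt, digest, stored_at = entry
            if self._clock() - stored_at >= self._ttl:
                del self._entries[user_id]          # expired entry is removed
            elif hmac.compare_digest(digest, self._digest(salt, password)):
                return True, "cache"                # hit: no backend request
            else:
                del self._entries[user_id]          # mismatch: evict, ask the backend
        allowed = bool(self._authenticate(user_id, password))
        if allowed:                                 # assumption: only successes are cached
            salt = os.urandom(16)
            self._entries[user_id] = (salt, self._digest(salt, password), self._clock())
        return allowed, "backend"

def demo():
    """Constructed scenario: fake directory, fake clock, CacheLife = 7."""
    directory, calls, now = {"app1": "s3cret"}, [], [0.0]
    def backend(user, pw):
        calls.append(user)
        return directory.get(user) == pw
    cache = CredentialCache(backend, cache_life_minutes=7, clock=lambda: now[0])
    results = [cache.check("app1", "s3cret")]       # first connect: backend
    results.append(cache.check("app1", "s3cret"))   # repeat connect: cache
    directory["app1"] = "rotated"                   # password changed in the directory
    results.append(cache.check("app1", "s3cret"))   # old password still accepted
    results.append(cache.check("app1", "wrong"))    # mismatch: evicted, backend rejects
    results.append(cache.check("app1", "rotated"))  # backend again, re-cached
    now[0] += 7 * 60                                # CacheLife elapses
    results.append(cache.check("app1", "rotated"))  # expired: backend again
    return results, len(calls)
```

In this sketch, a password changed in the directory keeps working from the cache until the entry expires or a mismatch evicts it, so CacheLife bounds how long a revoked credential is honoured. Wrong passwords always reach the backend, so the cache reduces load only for clients that authenticate successfully.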

If you would like to try out the new feature then send an email to support@capitalware.com and we will send you the latest release of MQAUSX or z/MQAUSX.

Regards,
Roger Lacroix
Capitalware Inc.
