A Comparison of Capitalware’s MQAUSX to MQ V8 Authentication

This is an update to a posting I made last year. It now includes new features in MQAUSX & z/MQAUSX and updates made to MQ V8 via Fix Packs.

The following is a comparison of Capitalware’s MQ Authenticate User Security Exit (MQAUSX) to IBM’s MQ V8 new authentication feature. By authentication, I mean UserId and Password authentication against a target system (e.g. Local OS or LDAP).

| Authentication | IBM MQ V8 | MQAUSX & z/MQAUSX |
|---|---|---|
| Authentication against Local OS | Yes | Yes |
| Authentication against LDAP Server | Yes | Yes |
| Authentication against LDAP Server using SSL | Yes | Yes |
| Authentication against MS Active Directory from Windows | No | Yes |
| Number of LDAP calls to perform Authentication | 2 | 1* |
| Authentication against Quest Authentication Services | No | Yes |
| Authentication against Centrify’s DirectControl | No | Yes |
| Authentication against PAM | Yes** | Yes |
| Authentication against RACF – z/OS only | Yes | Yes |
| Authentication against ACF2 – z/OS only | Yes | Yes |
| Authentication against TopSecret – z/OS only | Yes | Yes |
| Authentication against File Based Authentication | No | Yes |
| Ability to use more than 1 authentication type per Queue Manager | No | Yes |
| Ability to set authentication order | No | Yes |

| Group Functionality | IBM MQ V8 | MQAUSX & z/MQAUSX |
|---|---|---|
| Only allow the connection if the UserId exists in a particular LDAP Group | No | Yes |
| Only allow the connection if the UserId exists in a particular Local OS Group | No | Yes |
| Only allow the connection if the UserId exists in a particular File-based Group | No | Yes |

| Control Functionality | IBM MQ V8 | MQAUSX & z/MQAUSX |
|---|---|---|
| Assign a Password to a Queue Manager | No | Yes |
| Credential Caching | No | Yes |
| Allow/Reject by IP Address | Yes | Yes |
| Allow/Reject by Hostname (DNS) | Yes | Yes |
| Allow/Reject by Host by Name | No | Yes |
| Allow/Reject by SSL DN | Yes | Yes |
| Allow/Reject by UserId | Yes | Yes |
| Allow/Reject by MS Active Directory Name | No | Yes |
| Ability to Reject Self Signed Certificates | No | Yes |
| Limit the number of connections by Channel | Yes | Yes |
| Ability to secure cluster channels | Yes | Yes |

| Mapping Functionality | IBM MQ V8 | MQAUSX & z/MQAUSX |
|---|---|---|
| Map incoming UserID to another UserId to be used as the connection MCAUSER value | Yes | Yes |
| Map SSL UserId to the connection MCAUSER value | Yes | Yes |
| Map the channel’s SSLCertUserID to the connection MCAUSER value – z/OS only | No | Yes |

| Logging Functionality | IBM MQ V8 | MQAUSX & z/MQAUSX |
|---|---|---|
| Logging (& alerting) of Excessive Client Connections | No | Yes |
| Generate an alert when number of connections by Channel reaches a certain percentage | No | Yes |
| Logging of successful connections | Partial | Yes |
| Logging of failed connection attempts | Yes | Yes |
| Write event message for failed connection attempts | Yes*** | Yes |

* A single LDAP API call is used for a standard LDAP v3 server. MQAUSX will issue 2 LDAP API calls to Microsoft Active Directory as an LDAP server.

** Requires MQ V8 with Fix Pack 3 or higher.

*** Event messages must be enabled first.

MQ V8 offers basic UserId and Password authentication and control over the access granted to an incoming connection (CHLAUTH), whereas MQAUSX offers a robust solution that includes authentication against a variety of targets and a wide range of secondary features to control incoming connections.

I hope the above information is useful.

Regards,
Roger Lacroix
Capitalware Inc.
