This is an update to a posting I made last year; it includes new features in MQAUSX & z/MQAUSX and updates made to MQ V8 via Fix Packs.

The following is a comparison of Capitalware's MQ Authenticate User Security Exit (MQAUSX) to IBM's new MQ V8 authentication feature. By authentication, I mean UserId and Password authentication against a target system (e.g. Local OS, LDAP, etc.).
| Authentication | IBM MQ V8 | MQAUSX & z/MQAUSX |
|---|---|---|
| Authentication against Local OS | Yes | Yes |
| Authentication against LDAP Server | Yes | Yes |
| Authentication against LDAP Server using SSL | Yes | Yes |
| Authentication against MS Active Directory from Windows | No | Yes |
| Number of LDAP calls to perform Authentication | 2 | 1\* |
| Authentication against Quest Authentication Services | No | Yes |
| Authentication against Centrify's DirectControl | No | Yes |
| Authentication against PAM | Yes\*\* | Yes |
| Authentication against RACF (z/OS only) | Yes | Yes |
| Authentication against ACF2 (z/OS only) | Yes | Yes |
| Authentication against TopSecret (z/OS only) | Yes | Yes |
| File Based Authentication | No | Yes |
| Ability to use more than 1 authentication type per Queue Manager | No | Yes |
| Ability to set authentication order | No | Yes |

| Group Functionality | IBM MQ V8 | MQAUSX & z/MQAUSX |
|---|---|---|
| Only allow the connection if the UserId exists in a particular LDAP Group | No | Yes |
| Only allow the connection if the UserId exists in a particular Local OS Group | No | Yes |
| Only allow the connection if the UserId exists in a particular File-based Group | No | Yes |

| Control Functionality | IBM MQ V8 | MQAUSX & z/MQAUSX |
|---|---|---|
| Assign a Password to a Queue Manager | No | Yes |
| Credential Caching | No | Yes |
| Allow/Reject by IP Address | Yes | Yes |
| Allow/Reject by Hostname (DNS) | Yes | Yes |
| Allow/Reject by Host by Name | No | Yes |
| Allow/Reject by SSL DN | Yes | Yes |
| Allow/Reject by UserId | Yes | Yes |
| Allow/Reject by MS Active Directory Name | No | Yes |
| Ability to Reject Self Signed Certificates | No | Yes |
| Limit the number of connections by Channel | Yes | Yes |
| Ability to secure cluster channels | Yes | Yes |

| Mapping Functionality | IBM MQ V8 | MQAUSX & z/MQAUSX |
|---|---|---|
| Map incoming UserId to another UserId to be used as the connection MCAUSER value | Yes | Yes |
| Map SSL UserId to the connection MCAUSER value | Yes | Yes |
| Map the channel's SSLCertUserID to the connection MCAUSER value (z/OS only) | No | Yes |

| Logging Functionality | IBM MQ V8 | MQAUSX & z/MQAUSX |
|---|---|---|
| Logging (& alerting) of Excessive Client Connections | No | Yes |
| Generate an alert when the number of connections by Channel reaches a certain percentage | No | Yes |
| Logging of successful connections | Partial | Yes |
| Logging of failed connection attempts | Yes | Yes |
| Write event message for failed connection attempts | Yes\*\*\* | Yes |

\* A single LDAP API call is used for a standard LDAP v3 server. MQAUSX issues 2 LDAP API calls when Microsoft Active Directory is used as the LDAP server.
\*\* Requires MQ V8 with Fix Pack 3 or higher.
\*\*\* Event messages must be enabled first.
MQ V8 offers basic UserId and Password authentication, plus control over the access granted to an incoming connection (CHLAUTH). MQAUSX offers a more robust solution: authentication against a variety of different targets, together with a wide range of secondary features for controlling incoming connections.
I hope the above information is useful.
Regards,
Roger Lacroix
Capitalware Inc.