MQ

  • 1.  MQ Explorer connect to Mainframe MQ using CHLAUTH and/or CONNAUTH

    Posted Fri August 19, 2022 10:59 AM
    Can anyone assist with connecting the MQ Explorer from Windows to Mainframe MQ using CHLAUTH and/or CONNAUTH?  We had been using CSQ4BCX3 and connecting until we were required to go to MFA (Multi Factor Authentication).  We were told that MQ would support MFA with the latest release of MQ.  We were disappointed to learn that IBM will NOT be supporting MFA in these connections as MQ authenticates credentials multiple times with each 'click' of the mouse.  To put it another way, when you click on a different queue, channel, process, etc., the MQ connection credentials are reauthenticated to determine if the userid has proper access to perform the function being requested.  As such, we are told that this connection authentication is no longer available, because of MFA, and that we need to pursue alternate means of connecting such as CHLAUTH and/or CONNAUTH.  Has anyone else done this?  What is required?  I was sent a link and I understand some of what is being stated, but I am not certain exactly how to implement it.  It seems to imply that my IP address will be used to determine if I can be granted access or blocked.  However, IP addresses seem to be dynamically allocated at the time of login or connection (VPN).

    ------------------------------
    Gale Anderson
    ------------------------------


  • 2.  RE: MQ Explorer connect to Mainframe MQ using CHLAUTH and/or CONNAUTH

    Posted Sun August 21, 2022 08:51 PM

    Hi there, 

    We implemented the following for our MQ Explorer users. Note that when they configure their connection in MQ Explorer, we ask them to hardcode their mainframe userid in the appropriate section, and tick the "Prompt for password" box, so that they must enter their mainframe password every time they connect using MQ Explorer. 

    SET CHLAUTH('SYSTEM.ADMIN.SVRCONN') TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(CHANNEL)

    The channel above (which will be used by everyone using MQ Explorer) has USERSRC(CHANNEL) set to glean their userid on connection, so we can then check object access within the MXQUEUE, MXTOPIC, MQCMDS etc. classes in RACF...

    Now, how to request their password too.

    First, set the QMGR to use a CONNAUTH:

    ALTER QMGR CONNAUTH(USE.PW)

    Now, DEFINE an authinfo object that says we're using RACF (IDPWOS) to verify userids and passwords:

    DEFINE AUTHINFO(USE.PW) +      <-- name matches CONNAUTH name
           AUTHTYPE(IDPWOS) +      <-- rather than IDPWLDAP
           FAILDLAY(10) +
           CHCKLOCL(OPTIONAL) +    <-- for local apps like CICS and batch...
           CHCKCLNT(OPTIONAL)      <-- set this OPTIONAL here, and then set REQUIRED on the CHLAUTH used by the concerned channel

    REFRESH SECURITY TYPE(CONNAUTH)

    Now, update the CHLAUTH for the MQ Explorer channel:

    SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) +
        ACTION(REPLACE) +
        TYPE(ADDRESSMAP) +
        ADDRESS(*) +
        CHCKCLNT(REQUIRED) +      <-- here we force the authentication check for anyone/thing using this channel
        USERSRC(CHANNEL)



    ------------------------------
    Rebecca Mayer
    ------------------------------



  • 3.  RE: MQ Explorer connect to Mainframe MQ using CHLAUTH and/or CONNAUTH

    Posted Tue August 23, 2022 11:55 AM
    Hi Rebecca,

    What you've suggested above isn't going to help unfortunately. If what they're doing is the same thing we used to do at my old workplace, we had TOTPs as the "password" used for authentication. (Which I strongly suspect is what they're referring to as MFA, because repeated CONNAUTH attempts with the same TOTP code would fail).

    Instead, my advice would be to look at setting up TLS certificates on the client side, and have these be issued to your admins for authentication purposes to MQ. Then set up an admin channel & an SSLPEERMAP that permits people with the relevant cert DN through. This will allow your z/OS platform to continue using MFA without hindering your administrative application workflows (e.g. MQ Explorer, MO71, or others).

    ------------------------------
    Skyler
    ------------------------------
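The certificate-based route described in the reply above, written out as an added MQSC example (not posted by anyone in this thread), with assumed names: a dedicated channel ADMIN.SVRCONN, a RACF userid MQADMIN, and an internal CA CN=EXAMPLECA,O=EXAMPLE that issues admin certificates under OU=MQADMINS,O=EXAMPLE. It assumes the queue manager key ring (SSLKEYR/SSLTASKS) is already set up, and it shows the SSLPEERMAP rule coexisting with the ADDRESSMAP rule on SYSTEM.ADMIN.SVRCONN from the earlier reply.

```mqsc
* Added example (not from this thread). Assumed names: channel ADMIN.SVRCONN,
* RACF userid MQADMIN, admin certs issued by CN=EXAMPLECA,O=EXAMPLE with
* subject OU=MQADMINS,O=EXAMPLE. Queue manager key ring assumed configured.

* 1. A dedicated admin SVRCONN that requires a client certificate (mutual TLS).
DEFINE CHANNEL(ADMIN.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(ECDHE_RSA_AES_256_GCM_SHA384) +
       SSLCAUTH(REQUIRED) +
       REPLACE

* 2. Backstop: with no matching mapping rule, nobody gets in on this channel.
*    ADDRESSMAP has the lowest mapping precedence, so rule 3 overrides it.
SET CHLAUTH(ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) +
    USERSRC(NOACCESS) ACTION(REPLACE)

* 3. Certificates from the admin CA with the admin OU are mapped to MQADMIN;
*    RACF then decides what MQADMIN may do (MXQUEUE, MQCMDS, ... classes).
*    CHCKCLNT(ASQMGR) inherits CHCKCLNT(OPTIONAL) from the USE.PW AUTHINFO,
*    so no password (and therefore no TOTP) is demanded of cert holders.
SET CHLAUTH(ADMIN.SVRCONN) TYPE(SSLPEERMAP) +
    SSLPEER('OU=MQADMINS,O=EXAMPLE') +
    SSLCERTI('CN=EXAMPLECA,O=EXAMPLE') +
    USERSRC(MAP) MCAUSER('MQADMIN') +
    CHCKCLNT(ASQMGR) ACTION(ADD)

* 4. CHLAUTH rules are keyed by channel name, so the ADDRESSMAP rule with
*    CHCKCLNT(REQUIRED) on SYSTEM.ADMIN.SVRCONN is left untouched.
*    Refresh the TLS cache if the admin CA cert was just added to the key ring.
REFRESH SECURITY TYPE(SSL)

* 5. Check which rule a given connection would hit before anyone tests it
*    for real. ADDRESS must be a literal IP address for MATCH(RUNCHECK).
DISPLAY CHLAUTH(ADMIN.SVRCONN) MATCH(RUNCHECK) +
        ADDRESS('10.0.0.5') +
        SSLPEER('CN=ALICE,OU=MQADMINS,O=EXAMPLE') +
        SSLCERTI('CN=EXAMPLECA,O=EXAMPLE')
```

The RUNCHECK display should report rule 3 with MCAUSER(MQADMIN) for an admin certificate, and USERSRC(NOACCESS) from rule 2 for any other certificate or IP address.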



  • 4.  RE: MQ Explorer connect to Mainframe MQ using CHLAUTH and/or CONNAUTH

    Posted Tue August 23, 2022 12:27 PM
    I assumed Multi-Factor Authentication meant just that you have a userid and some sort of computer generated password, whether via an email or a text message or an app on some device or even a token.  Now we find the TOTP, Time Based One Time Password, not sure why it isn't a TBOTP but that is for another discussion.  We had been using a user defined password for years with the CSQ4BCX3 until conversion to MFA (TOTP). IBM said that the MFA/TOTP option was not viable for connections using the MQ Explorer. The details from Rebecca seem to be working, however, as Skyler was implying, that is incorporated with a cert.
    Are there better or easier options?
    Will the solution offered by Rebecca cause any other downstream issues because of the CONNAUTH/CHLAUTH currently implemented for other connections?  Put another way, will MQ have issues with more than one CONNAUTH/CHLAUTH combination on the same Queue Manager? 
    Regards, Gale

    ------------------------------
    Gale Anderson
    ------------------------------



  • 5.  RE: MQ Explorer connect to Mainframe MQ using CHLAUTH and/or CONNAUTH

    Posted Wed August 24, 2022 12:22 AM
    Hi Gale, 

    One thing we had to be wary of ...

    We do have the luxury of a relatively small set of SVRCONN-connecting applications, and we knew that one of them was passing in a mainframe userid and password in their connection code - the password had long since expired, and I had removed the CSQ4BCX3 exit from the channel (and instead moved to a two-way SSL connection with the SSLPEERNAME specified on the channel, plus the use of an MCA userid to get access to the required MQ objects). However, the app team had still not removed the userid and password from their connection code, and with the new combination of a CONNAUTH instructing MQ to check RACF plus the default CHCKCLNT(OPTIONAL) on the AUTHINFO object, their connection using an expired password would have failed at restart. The app had to remove the userid/password from their connection code before I could implement all this. 

    The CHLAUTH we applied to the MQ Explorer channel is the ONLY specific CHLAUTH we have in place. Similarly, we only have the one AUTHINFO object in use (we don't do OCSP checking), so my experience with any other combinations is zip. Same goes for MQ MFA and the T(B)OTP you speak of - although I guess it's coming...!

    Regards,
    Rebecca. 



    ------------------------------
    Rebecca Mayer
    ------------------------------