Hi Morag,
So the client authentication will be the vendor application, using MQ Client on vendor servers, connecting to vendor QMGRs/servers using vendor authentication.
The messages will be sent to us via QMGR to QMGR sender/receiver channels.
So the msg headers will have the userid authenticated by the vendor side.
When this is in house, we trust the userid in the msg header since we have control from the application server to the back end.
We have zero trust between our Windows domain and the vendor's domain. Our security team would like to authenticate the USERID in the message header. Since the MQ Clients are not connecting to our QMGRs, we cannot enforce the authentication of the MQ Client to ensure the USERID can be trusted.
------------------------------
Glen Larson
Lead Systems Engineer
Progressive Insurance
Colorado Springs CO
(719) 432-1360
------------------------------
Original Message:
Sent: Wed December 08, 2021 03:48 AM
From: Morag Hughson
Subject: USERID Authentication in B2B MQ
Hi Glen,
I just want to confirm exactly what you mean by your question, so that I know I am answering the right thing. You have mentioned both QMGR-QMGR channels and client connected applications. Then you have asked, "how do we authenticate the application (userid) putting the message on the remote system, when we only have the inbound message?".
Do you wish to apply authentication on the remote system? Do you have control of the remote system? Or do you wish to apply authentication to the message that was already put on the remote system, and has travelled to your own system over a QMGR-QMGR channel - is that what you mean by "inbound message"?
I assume from your statement of zero trust when talking about clients, you perhaps also have zero trust between the remote queue manager and your queue manager? Is that correct? Is that where your question comes from? You have no trust over the authentication done on the remote system and you want to apply your own authentication locally as the message arrives over the QMGR-QMGR channel?
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Tue December 07, 2021 02:33 PM
From: Glen Larson
Subject: USERID Authentication in B2B MQ
We are planning for a B2B solution for one of our applications.
We will use a dedicated VPN pipe between the companies. We are planning to use public/private key certs and IP checking when connecting QMGR to QMGR channels, and encrypting the data in motion.
Clients will be authenticated when they connect. The Windows Domains will not be shared, and there is zero trust between the 2, so USERIDs and Passwords are not shared or trusted.
How do we authenticate the application (userid) putting the message on the remote system, when we only have the inbound message?
------------------------------
Glen Larson
Lead Systems Engineer
Progressive Insurance
Colorado Springs CO
(719) 432-1360
------------------------------