After asking the Delinea PAM admin, I was updated that this solution provides an API (PowerShell, .NET) that can retrieve a PAM user's password (each AD user is bound to its corresponding PAM secret). So, how can we pass this PAM user (secret) password to MQ Explorer?
Original Message:
Sent: Wed December 06, 2023 10:57 AM
From: NICK DAKORONIAS
Subject: MQ Explorer integration with Delinea PAM solution
It is true that the Pluggable Authentication Module (PAM) integrates smoothly with Linux / Unix, given that both platforms have the proper (PAM) modules to support this authentication mechanism. The problem in our case is that the Delinea PAM solution has been implemented in order to integrate ONLY with the Windows platform and specifically Active Directory authentication mechanisms (LDAP/Kerberos), at least at the initial stage, as we stand, upon the organization's management team decision.
I will ask the Delinea PAM admin and come back about the way the Delinea software retrieves and handles the AD user's password token.
------------------------------
Nick Dakoronias
Original Message:
Sent: Wed December 06, 2023 09:41 AM
From: Francois Brandelik
Subject: MQ Explorer integration with Delinea PAM solution
And how does that integrate with Linux/Unix if not through the Pluggable Authentication Module?
On the other hand, I would expect the Privileged Access Management system to have a way to retrieve a password if given certain credentials, like, say, an Active Directory user name and password / access token...
------------------------------
Francois Brandelik
Original Message:
Sent: Wed December 06, 2023 09:31 AM
From: NICK DAKORONIAS
Subject: MQ Explorer integration with Delinea PAM solution
I have explicitly specified in my initial post that PAM refers to Privileged Access Management, and Delinea PAM has been chosen to be the core solution for Privileged Access Management authentication.
------------------------------
Nick Dakoronias
Original Message:
Sent: Wed December 06, 2023 04:53 AM
From: Mayur RAJA
Subject: MQ Explorer integration with Delinea PAM solution
Be careful, PAM can mean
------------------------------
Mayur RAJA
Original Message:
Sent: Wed December 06, 2023 02:37 AM
From: Francois Brandelik
Subject: MQ Explorer integration with Delinea PAM solution
I hear and see the word PAM in your authentication solution.
Make sure the MQ authentication record is not the default one, and that the AUTHENMD is not OS but PAM. This would look like:
DEFINE AUTHINFO(COMPANY.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) LIKE(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) ADOPTCTX(YES) CLNTCHECK(REQDADM) AUTHENMD(PAM)
ALTER QMGR CONNAUTH(COMPANY.AUTHINFO.IDPWOS)
REFRESH SECURITY TYPE(CONNAUTH)
This way, when you supply the password it can be verified. (Remove the compatibility check on MQ Explorer; with compatibility checked, the password could be truncated at 16 chars.)
Of course, another possibility would be to install an X11 server on your Windows machine (Xming) (make sure to check "remove access control" on launch), access the Linux/Unix server via the new mechanism, set the DISPLAY variable and run MQ Explorer locally, getting the rendering done in your X11 server.
Hope this helps
------------------------------
Francois Brandelik
Original Message:
Sent: Wed December 06, 2023 02:08 AM
From: Mark Taylor
Subject: MQ Explorer integration with Delinea PAM solution
You can choose NOT to store passwords in the file that Explorer uses, in which case you enter it each time you connect.
An alternative might be to write and configure a security exit that modifies the password during connection. One recently-released example of a Java security exit is here. That sample is obtaining/passing a token instead of a password, but the basic structure would be the same. Where the exit picks up your password would then be entirely up to you.
------------------------------
Mark Taylor
Winchester
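A skeleton of the security-exit approach described in the reply above, added here as an example; it is not IBM's sample and not code from this thread. It assumes the com.ibm.mq.exits Java exit API (WMQSecurityExit, MQCXP, MQCSP, CMQXC reason codes) and a hypothetical PamSecretClient placeholder standing in for whatever vault client the PAM vendor provides:

```java
package example.mqexit; // hypothetical package name

import java.nio.ByteBuffer;

import com.ibm.mq.constants.CMQXC;
import com.ibm.mq.exits.MQCD;
import com.ibm.mq.exits.MQCSP;
import com.ibm.mq.exits.MQCXP;
import com.ibm.mq.exits.WMQSecurityExit;

/**
 * Client-side channel security exit that supplies the connection password
 * at connect time, so nothing has to be stored in WMQ_Passwords.xml.
 * The MQCSP is filled in when MQ calls the exit with reason MQXR_SEC_PARMS
 * (assumed behaviour of the Java exit API; verify against the MQ docs).
 */
public class PamPasswordSecurityExit implements WMQSecurityExit {

    @Override
    public ByteBuffer channelSecurityExit(MQCXP exitParms, MQCD channelDef,
                                          ByteBuffer agentBuffer) {
        if (exitParms.getExitReason() == CMQXC.MQXR_SEC_PARMS) {
            MQCSP csp = exitParms.getSecurityParms();
            if (csp == null) {
                csp = new MQCSP();
            }
            // User ID comes from the Explorer connection details (or the exit data field).
            String user = csp.getCSPUserId();
            if (user == null || user.isEmpty()) {
                user = exitParms.getExitData() == null ? "" : exitParms.getExitData().trim();
            }
            // Hypothetical placeholder: replace with the vault vendor's own client call.
            String password = PamSecretClient.fetchPassword(user);
            csp.setCSPUserId(user);
            csp.setCSPPassword(password); // never log this value
            exitParms.setSecurityParms(csp);
        }
        // Accept the exit call; any other reason code is passed through unchanged.
        exitParms.setExitResponse(CMQXC.MQXCC_OK);
        return agentBuffer;
    }

    /** Placeholder for the PAM secret lookup; no real vendor API is assumed here. */
    static final class PamSecretClient {
        static String fetchPassword(String userId) {
            throw new UnsupportedOperationException("wire in the vault client for " + userId);
        }
    }
}
```

Because the exit runs on every connect, the PAM lookup happens after each 30-day rotation without any stored credential on the admin workstation.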
Original Message:
Sent: Tue December 05, 2023 10:10 AM
From: NICK DAKORONIAS
Subject: MQ Explorer integration with Delinea PAM solution
Hello MQ community users,
We are using MQ Explorer (v9.3.1.0) for MQ admin connectivity against several MQ hosts (servers or clients) on various platforms (Windows, AIX, Linux, z/OS) by manually entering the MQ admin user profile credentials (User ID & Pwd), depending on the platform authentication mechanism (i.e. Windows -> Domain authentication, AIX/Linux -> OS authentication, etc.).
Now, the local Bank organization has deployed Delinea PAM as the core solution for Privileged Access Management (IT admins) against all IT infra servers (i.e. DBase servers, application servers, file servers, domain controllers, etc.), which rotates/changes each admin user's password every 30 days automatically and keeps it within the PAM Secret Server store, not visible and not accessible by anyone.
As you may realize, the new Delinea PAM solution above affects MQ admin connectivity via MQ Explorer against MQ hosts (MQ servers or MQ clients), given that MQ admin user credentials (User ID & Pwd) were defined manually up to now in the MQ Explorer connection details properties and stored locally (encrypted) in WMQ_Passwords.xml, located at the local Windows path -> C:\Users\xxxxx\IBM\WebSphereMQ\workspace\.metadata\.plugins\com.ibm.mq.explorer.ui.
Does anybody know whether there is a solution or workaround that can be applied to the above MQ Explorer / Delinea PAM setup?
For instance, is it possible for MQ Explorer to accommodate this automated pwd rotation/change by the Delinea PAM Secret Server?
(i.e. support for Windows Integrated security, which uses the current Windows identity established on the operating system thread to access the application).
P.S.
I have raised a case with IBM and am expecting their response.
Thanks in advance
Rgds, Nick.
------------------------------
Nick Dakoronias
------------------------------