Hey MQ folks,

I've been using the MQ Authenticate User Security Exit (MQAUSX) for one of my applications to handle user authentication on MQ channels. It has worked fine, but now I'd like to move away from it and instead use the native IBM MQ authentication that comes built-in from MQ V8+.

As far as I know, MQ provides authentication through CONNAUTH and AUTHINFO objects, and applications can pass user credentials via the MQCSP structure.

My question is:

Has anyone here migrated from MQAUSX to MQ native authentication?

• What are the actual steps you took to implement this?

• Any advice for updating applications to use MQCSP?

• Were there any surprises or lessons learned when switching from MQAUSX to MQ's built-in authentication?

Would love to hear how others approached this transition and if there's an easy way to achieve it without big app changes.

Having not used MQAUSX I am not going to try to answer most of your questions, but I thought I could help with your second point about updating applications to use MQCSP. There are various things that could be said here, but to help you specifically, it would be useful to know what your applications do today and in what language/API they are written. Some of them may not need any change at all, depending on what they do today. Could you provide us with some details there so we can help you more appropriately?

Cheers,
Morag

Hey MQ folks,

I've been using the MQ Authenticate User Security Exit (MQAUSX) for one of my applications to handle user authentication on MQ channels. It has worked fine, but now I'd like to move away from it and instead use the native IBM MQ authentication that comes built-in from MQ V8+.

As far as I know, MQ provides authentication through CONNAUTH and AUTHINFO objects, and applications can pass user credentials via the MQCSP structure.

My question is:

Has anyone here migrated from MQAUSX to MQ native authentication?

• What are the actual steps you took to implement this?

• Any advice for updating applications to use MQCSP?

• Were there any surprises or lessons learned when switching from MQAUSX to MQ's built-in authentication?

Would love to hear how others approached this transition and if there's an easy way to achieve it without big app changes.

Hey MQ folks,

I've been using the MQ Authenticate User Security Exit (MQAUSX) for one of my applications to handle user authentication on MQ channels. It has worked fine, but now I'd like to move away from it and instead use the native IBM MQ authentication that comes built-in from MQ V8+.

As far as I know, MQ provides authentication through CONNAUTH and AUTHINFO objects, and applications can pass user credentials via the MQCSP structure.

My question is:

Has anyone here migrated from MQAUSX to MQ native authentication?

• What are the actual steps you took to implement this?

• Any advice for updating applications to use MQCSP?

• Were there any surprises or lessons learned when switching from MQAUSX to MQ's built-in authentication?

Would love to hear how others approached this transition and if there's an easy way to achieve it without big app changes.

Hello Rashmitha,

Sorry for not answering sooner, I'm on vacation travelling in the UK right now.

I started designing MQAUSX back in 2003. So, my approached to MQAUSX authentication was modelled after Unix/Linux authentication. Currently, MQAUSX supports over 140 configuration parameters and over 110 configuration parameters (no LDAP support) for z/MQAUSX (mainframe). 

I have never tried to port an MQAUSX configuration/setup to use MQ v8.0 or higher authentication - for obvious reasons. :) 

Here are some features in MQAUSX that are NOT in MQ authentication:

• Allow* and Reject* keywords support a type of regular expressions (Public Domain: REGEX Globber by J. Kercheval). I don't know what MQ authenticate uses for wildcard processing.
• Support of multiple authentication types per channel
• Each channel can have a different/separate authentication type.
• Support of multiple authentication types per queue manager
• Explicit rejection of a connection (see Reject* keywords) by UserId or IP address or SSL DN or MS AD. Note: Reject keyword processing is before Accept*** keyword processing.
• You don't use Centrify's DirectControl or Quest's Authentication Services (QAS) for authentication on Unix or Linux.
• You don't use the Queue Manager Password feature.
• You don't use the explicit rejecting of the UserId that the queue manager is running under. i.e. Disallow the use of the mqm account.
• You don't use Excessive Client Connections (ECC) feature for alerting.
• If you use the Proxy List feature, I believe you can set a UserId on the MQ auth rule.
• If you use Maximum Client Connection feature should be able to be converted to MQ CHLAUTH feature.
• MQAdmin controlled File Based Authentication (FBA) rather than Local OS or LDAP or PAM (Unix/Linux only)
• Detailed logging of every connection attempt (successful and failure) and disconnection (optional) including the time the connection lasted for.
• The MQAUSX client-side component uses AES 256-bit encryption to encrypt the user's credentials.
• All platform/OS releases of the MQAUSX (& z/MQAUSX) client-side components work with all releases of MQAUSX(& z/MQAUSX) server-side components. AIX, HP-UX, IBM i (OS/400), Linux, Solaris, Windows and z/OS (mainframe).
• If a client-side application cannot be modified to support a client-side security exit then MQAUSX server-side supports receiving the old school UserId & password in plain text and new way using MQCSP. Since, MQ v8, MQ supports internal encryption of the user's credentials but a few years ago, IBM said for production use, that form of encryption should not be relied upon.

So, if you are not using MQAUSX features that are not in MQ authenticate and you don't care about MQAUSX's detailed logging then it should be somewhat straightforward to port over MQAUSX configuration to MQ authenticate.

Hope that helps.

later

Roger

Hey MQ folks,

I've been using the MQ Authenticate User Security Exit (MQAUSX) for one of my applications to handle user authentication on MQ channels. It has worked fine, but now I'd like to move away from it and instead use the native IBM MQ authentication that comes built-in from MQ V8+.

As far as I know, MQ provides authentication through CONNAUTH and AUTHINFO objects, and applications can pass user credentials via the MQCSP structure.

My question is:

Has anyone here migrated from MQAUSX to MQ native authentication?

• What are the actual steps you took to implement this?

• Any advice for updating applications to use MQCSP?

• Were there any surprises or lessons learned when switching from MQAUSX to MQ's built-in authentication?

Would love to hear how others approached this transition and if there's an easy way to achieve it without big app changes.