|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
|
|
Difference between basic MQ authintication and IDPWOS |
« View previous topic :: View next topic » |
Author |
Message
|
ankurlodhi |
Posted: Tue Jul 23, 2019 2:39 am Post subject: Difference between basic MQ authintication and IDPWOS |
|
|
Master
Joined: 19 Oct 2010 Posts: 266
|
Hi all,
i want to understand the difference between, basic MQ authentication and IDPWOS for an MQ client.
what we usually do is we create a user on MQ server and application team connects using that username and password through MQ client.
now this username and password is already on MQ server, so isn't IDPWOS already configured even if we don't setup connauth? |
|
Back to top |
|
|
hughson |
Posted: Thu Jul 25, 2019 7:44 pm Post subject: |
|
|
Padawan
Joined: 09 May 2013 Posts: 1948 Location: Bay of Plenty, New Zealand
|
I don't understand what you mean by "basic authentication" - could you elaborate further please?
Using CONNAUTH with IDPWOS means that the queue manager will check the user id and password you provide, and even mandate that you must provide one if you do not. This is the most basic authentication IBM MQ provides.
When your application team usually connects providing a username and password, what is checking that password is correct if you are not using IDPWOS? If you don't know the answer to this, may I suggest you attempt to enter an incorrect password deliberately and see what happens. This may illustrate to you that nothing is checking the password.
To reiterate, if CONNAUTH is not set up (or you have a version of MQ earlier than V8) the queue manager is not checking the password for you - you may have something else, an exit for example, that is, but there is nothing out of the box in the queue manager that is checking it unless you have CONNAUTH configured.
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
Back to top |
|
|
fjb_saper |
Posted: Fri Jul 26, 2019 5:01 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20729 Location: LI,NY
|
Also if your connauth is configured with ADOPTCTX(NO) you may supply 2 identities. One that gets checked for authentication and another one that doesn't get checked at all and that will be used for authorization!!
This is bad practice.
This is why since MQ 9.1 (or was it 9.0 ?), the default is to set ADOPTCTX(YES). This means that you HAVE to use the MQCSP structure if the id sent to MQ for authentication and authorization doesn't match the id of the running process.
Have fun _________________ MQ & Broker admin |
|
Back to top |
|
|
|
|
|
|
Page 1 of 1 |
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|
|
|