Configuring the WebSphere MQ extensions for queue managers which require authentication

In IBM WebSphere MQ Version 8 and later, individual queue managers can be configured to allow or require connecting applications to supply an explicit userid and password for Connection Authentication.

To monitor a queue manager via a direct connection:

  1. Set its CONNAUTH property to the name of an AUTHINFO object.
  2. Set its CHCKLOCAL property to REQUIRED or REQDADM.
  3. Configure the extensions as described in the following sections so that they can connect to the queue manager.

If the CONNAUTH property is set, and the CHCKLOCAL property is set to OPTIONAL, then you can configure the extensions as described in the following sections. If the queue manager CHCKLOCAL property is set to NONE, then do not configure the extensions to attempt authentication.

If a queue manager to be monitored via an agentless connection has its CONNAUTH property set to the name of an AUTHINFO object, and has its CHCKCLNT property set to REQUIRED or REQDADM, then you must configure the extensions as described in the following sections in order for them to be able to connect to the queue manager. If the CONNAUTH property is set, and the CHCKCLNT property is set to OPTIONAL, then you can configure the extensions as described. If the queue manager CHCKCLNT property is set to NONE, then do not configure the extensions to attempt authentication.
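The rules above can be checked against a queue manager's actual settings before any credentials are stored. The following is an added example, not part of the product or of the original page: it parses runmqsc output from DISPLAY QMGR CONNAUTH and DISPLAY AUTHINFO(name) CHCKLOCAL CHCKCLNT and reports whether the extensions must, may, or must not be configured for authentication. The sample output is constructed, the function names are hypothetical, and treating a blank CONNAUTH like NONE is an assumption.

```python
import re

# Constructed sample of runmqsc output for DISPLAY QMGR CONNAUTH followed by
# DISPLAY AUTHINFO(...) CHCKLOCAL CHCKCLNT; not captured from a real system.
SAMPLE = """\
AMQ8408: Display Queue Manager details.
   QMNAME(MYQMGR)                          CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AMQ8566: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
   AUTHTYPE(IDPWOS)                        CHCKCLNT(REQDADM)
   CHCKLOCAL(OPTIONAL)
"""

# Which AUTHINFO attribute governs each connection type, per the text above.
CHECK_ATTR = {"direct": "CHCKLOCAL", "agentless": "CHCKCLNT"}
# What each check level means for the extension's credential preferences.
ACTION = {"REQUIRED": "must", "REQDADM": "must", "OPTIONAL": "may", "NONE": "must_not"}


def parse_mqsc(text):
    """Return a list of attribute dicts, one per AMQ-prefixed response."""
    blocks = []
    for line in text.splitlines():
        if re.match(r"\s*AMQ\d{4}", line):
            blocks.append({})
        elif blocks:
            for key, value in re.findall(r"(\w+)\(([^)]*)\)", line):
                blocks[-1][key.upper()] = value.strip()
    return blocks


def auth_requirement(text, connection):
    """Classify extension credential setup as 'must', 'may' or 'must_not'."""
    attr = CHECK_ATTR[connection]
    blocks = parse_mqsc(text)
    connauth = next((b["CONNAUTH"] for b in blocks if "CONNAUTH" in b), "")
    if not connauth:
        return "must_not"   # assumption: blank CONNAUTH is handled like NONE
    info = next((b for b in blocks if b.get("AUTHINFO") == connauth), None)
    if info is None or attr not in info:
        raise ValueError(f"no {attr} shown for AUTHINFO({connauth})")
    level = info[attr].upper()
    if level not in ACTION:
        raise ValueError(f"unexpected {attr} value: {level!r}")
    return ACTION[level]


if __name__ == "__main__":
    print({m: auth_requirement(SAMPLE, m) for m in CHECK_ATTR})
```
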

Configuring the WebSphere MQ extensions for authenticated queue manager connections

Note

To configure the extensions to open an authenticated connection to a queue manager, you must set extension preferences to values representing the user name and password which are to be used to connect. These preferences are stored in the EAA.XML file in the TMTM Agent directory. You have the option of using obfuscation to conceal the password. Note, however, that this obfuscation is not cryptographic encryption. Ensure that the agent and extension files and directories are protected well enough to prevent unauthorized individuals from accessing these parameters.

To set the connection mode, user name and password for a queue manager named MYQMGR with a clear text password, use an agentpref command similar to the following:

$ agentpref --set "WebSphere MQ Monitor" --pref_path ComMQSoftwareWebSphereMQQueueManager MYQMGR QmgrAuthType userpw QmgrAuthUserName MyUserName QmgrAuthPassword MyPassword

To use an obfuscated password, first run either the OBFPassword or the mqsusertool utility on the TrueSight Middleware and Transaction Monitor server machine, then use the output from that utility as the password on the agentpref command line.

Example: Using OBFPassword

$ OBFPassword.bat MyPassword
OBF:1obr1ymj1p4j1rc41vn61vnw1ra21p571ylv1od3
$ agentpref --set "WebSphere MQ Monitor" --pref_path ComMQSoftwareWebSphereMQQueueManager MYQMGR QmgrAuthType userpw QmgrAuthUserName MyUserName QmgrAuthPassword "OBF:1obr1ymj1p4j1rc41vn61vnw1ra21p571ylv1od3"

Example: Using mqsusertool

$ mqsusertool --encode MyPassword
Encoding 'MyPassword' using algorithm Cryptor:
D;2D61tjBw8PCQng==
$ agentpref --set "WebSphere MQ Monitor" --pref_path ComMQSoftwareWebSphereMQQueueManager MYQMGR QmgrAuthType userpw QmgrAuthUserName MyUserName QmgrAuthPassword "D;2D61tjBw8PCQng=="
