Configuring the IBM MQ extensions for queue managers which require authentication


In IBM MQ Version 8 and later, individual queue managers can be configured to allow or require connecting applications to supply an explicit userid and password for Connection Authentication.

To monitor a queue manager via a direct connection:

  1. Set its CONNAUTH property to the name of an AUTHINFO object.
  2. Set its CHCKLOCAL property to REQUIRED or REQDADM. 
  3. Configure the extensions as described in the following sections so that they can connect to the queue manager.

If the CONNAUTH property is set, and the CHCKLOCAL property is set to OPTIONAL, then you can configure the extensions as described in the following sections. If the queue manager CHCKLOCAL property is set to NONE, then do not configure the extensions to attempt authentication.

If a queue manager to be monitored via an agentless connection has its CONNAUTH property set to the name of an AUTHINFO object, and has its CHCKCLNT property set to REQUIRED or REQDADM, then you must configure the extensions as described in the following sections so that they can connect to the queue manager. If the CONNAUTH property is set, and the CHCKCLNT property is set to OPTIONAL, then you can configure the extensions as described. If the queue manager CHCKCLNT property is set to NONE, then do not configure the extensions to attempt authentication.
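
The rules above, applied to MQSC display output, as an added example that is not part of the product documentation. The sample output is constructed, and MY.AUTHINFO and the function names are hypothetical. In IBM MQ, runmqsc reports CHCKLOCAL and CHCKCLNT on the AUTHINFO object that CONNAUTH names, so the sample includes both displays.

```python
import re

# Constructed sample (not from the page) of runmqsc output for:
#   DISPLAY QMGR CONNAUTH
#   DISPLAY AUTHINFO(MY.AUTHINFO) CHCKLOCAL CHCKCLNT
SAMPLE_MQSC = """\
   QMNAME(MYQMGR)                          CONNAUTH(MY.AUTHINFO)
   AUTHINFO(MY.AUTHINFO)                   AUTHTYPE(IDPWOS)
   CHCKCLNT(REQDADM)                       CHCKLOCAL(OPTIONAL)
"""

ATTR = re.compile(r"\b([A-Z]+)\(([^)]*)\)")

# Which check attribute governs which connection type, per the text above.
CHECK_ATTR = {"direct": "CHCKLOCAL", "agentless": "CHCKCLNT"}

def parse_attrs(mqsc_output):
    """Collect KEYWORD(VALUE) pairs from MQSC display output."""
    return {key: value.strip() for key, value in ATTR.findall(mqsc_output)}

def auth_decision(attrs, connection):
    """Map the queue manager settings to the rule stated above.

    Returns 'must', 'may' or 'do-not' (configure extension credentials),
    or 'unspecified' when the text gives no rule for the combination,
    for example a blank CONNAUTH or a missing check attribute.
    """
    check = attrs.get(CHECK_ATTR[connection], "").upper()
    if check == "NONE":
        return "do-not"
    if not attrs.get("CONNAUTH"):
        return "unspecified"
    if check in ("REQUIRED", "REQDADM"):
        return "must"
    if check == "OPTIONAL":
        return "may"
    return "unspecified"

if __name__ == "__main__":
    attrs = parse_attrs(SAMPLE_MQSC)
    for connection in CHECK_ATTR:
        print(connection, CHECK_ATTR[connection], auth_decision(attrs, connection))
```
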

Configuring the IBM MQ extensions for authenticated queue manager connections

Important

Password preferences are stored in the eaa.xml file in the agent directory. The passwords are encoded using obfuscation. Note that this obfuscation is not cryptographic encryption. Care must be taken to ensure that the agent and extension files and directories have sufficient protection to prevent unauthorized individuals from accessing these parameters.

To set the connection mode, user name, and password for a queue manager named MYQMGR with a clear-text password (agentpref will encode it), use a command similar to the following:

$ agentpref --set "WebSphere MQ Monitor" --pref_path ComMQSoftwareWebSphereMQQueueManager MYQMGR QmgrAuthType userpw QmgrAuthUserName MyUserName QmgrAuthPassword MyPassword

Example: Using OBFPassword

$ OBFPassword.bat MyPassword
OBF:1obr1ymj1p4j1rc41vn61vnw1ra21p571ylv1od3
$ agentpref --set "WebSphere MQ Monitor" --pref_path ComMQSoftwareWebSphereMQQueueManager MYQMGR QmgrAuthType userpw QmgrAuthUserName MyUserName QmgrAuthPassword "OBF:1obr1ymj1p4j1rc41vn61vnw1ra21p571ylv1od3"

Example: Using mqsusertool

$ mqsusertool --encode MyPassword
Encoding 'MyPassword' using algorithm Cryptor:
D;2D61tjBw8PCQng==
$ agentpref --set "WebSphere MQ Monitor" --pref_path ComMQSoftwareWebSphereMQQueueManager MYQMGR QmgrAuthType userpw QmgrAuthUserName MyUserName QmgrAuthPassword "D;2D61tjBw8PCQng=="

 


MainView Middleware Monitor 9.2