Friday, November 14, 2014

IBM Websphere MQ mqclient.ini - One place for all your client configuration - Middleware News

For the last few releases there has been the concept of an ini file for the client, just like qm.ini, but called mqclient.ini. Its purpose is to provide a single file that holds all the configuration for the client, and for this reason it includes various items that were previously configured by means of environment variables. The table below summarizes these items.

The mqclient.ini file lets you gather all your client configuration into one file that is easier to deploy, back up, and replace when changes are required, rather than a scattered selection of environment variables. A great idea.


Environment Variable   mqclient.ini stanza   mqclient.ini value            Description
MQCCSID                CHANNELS              CCSID                         The coded character set number to be used
MQCHLLIB               CHANNELS              ChannelDefinitionDirectory    The directory path to the file containing the CCDT
MQCHLTAB               CHANNELS              ChannelDefinitionFile         The name of the file containing the CCDT
MQSERVER               CHANNELS              ServerConnectionParms         The location of the MQ server and the communication method to be used
MQCERTLABL             SSL                   CertificateLabel              Defines the certificate label
MQCERTVPOL             SSL                   CertificateValPolicy          Determines the type of certificate validation used
MQSSLCRYP              SSL                   SSLCryptoHardware             The parameter string required to configure PKCS #11 cryptographic hardware
MQSSLFIPS              SSL                   SSLFipsRequired               Whether only FIPS-certified algorithms are to be used
MQSSLKEYR              SSL                   SSLKeyRepository              The location of the key repository that holds the user's digital certificate
MQSSLPROXY             SSL                   SSLHTTPProxyName              The HTTP proxy server that is to be used by GSKit for OCSP checks
MQSSLRESET             SSL                   SSLKeyResetCount              The number of unencrypted bytes sent and received before the secret key is renegotiated
MQSUITEB               SSL                   EncryptionPolicySuiteB        Whether Suite B compliant cryptography is to be used
MQIPADDRV              TCP                   IPAddressVersion              Specifies which IP protocol to use for a channel connection
MQTCPTIMEOUT           TCP                   Connect_Timeout               How long MQ waits for a TCP connect call
MQNAME                 NETBIOS               LocalName                     The name by which this computer is known on the LAN


Configuring a client using a configuration file

Configure your clients using attributes in a text file. These attributes can be overridden by environment variables or in other platform-specific ways.
You configure your WebSphere® MQ MQI clients using a text file, similar to the queue manager configuration file, qm.ini, used on UNIX and Linux platforms. The file contains a number of stanzas, each of which contains a number of lines of the format attribute-name=value.
In this documentation, this file is referred to as the WebSphere MQ MQI client configuration file; its file name is generally mqclient.ini, but you can choose to give it another name. Configuration information in this file applies to all platforms, and to clients using the MQI, WebSphere MQ classes for Java™, WebSphere MQ classes for JMS, WebSphere MQ classes for .NET, and XMS.
The configuration features apply to all connections a client application makes to any queue managers, rather than being specific to an individual connection to a queue manager. Attributes relating to a connection to an individual queue manager can be configured programmatically, for example by using an MQCD structure, or by using a Client Channel Definition Table (CCDT).
Environment variables which were supported in releases of WebSphere MQ earlier than Version 7.0 continue to be supported, and where such an environment variable matches an equivalent value in the client configuration file, the environment variable overrides the client configuration file value.
For a client application using WebSphere MQ classes for JMS, you can also override the client configuration file in the following ways:
  • setting properties in the JMS configuration file
  • setting Java system properties, which also overrides the JMS configuration file
For the .NET client, you can also override the client configuration file and the equivalent environment variables using the .NET application configuration file.
Note that you cannot set up multiple channel connections using the client configuration file.

Example client configuration file

#* Module Name: mqclient.ini                                       *#
#* Type       : WebSphere MQ MQI client configuration file             *#
#* Function   : Define the configuration of a client               *#
#*                                                                 *#
#*******************************************************************#
#* Notes      :                                                    *#
#* 1) This file defines the configuration of a client              *#
#*                                                                 *#
#*******************************************************************#

ClientExitPath:
   ExitsDefaultPath=/var/mqm/exits
   ExitsDefaultPath64=/var/mqm/exits64

TCP:
   Library1=DLLName1
   KeepAlive = Yes
   ClntSndBuffSize=32768
   ClntRcvBuffSize=32768
   Connect_Timeout=0

MessageBuffer:
   MaximumSize=-1
   Updatepercentage=-1
   PurgeTime=0

LU62:
   TPName
   Library1=DLLName1
   Library2=DLLName2

PreConnect:
 Module=amqldapi
 Function=myFunc
 Data=ldap://myLDAPServer.com:389/cn=wmq,ou=ibm,ou=com
 Sequence=1

CHANNELS:
 DefRecon=YES
 ServerConnectionParms=SALES.SVRCONN/TCP/hostname.x.com(1414)
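As an added example (not code from the original post or from IBM), the following Python parses a file in the stanza format shown above and applies the precedence rule the documentation states, that an environment variable overrides the matching mqclient.ini value, using the variable-to-attribute mapping from the table at the top of the post; the sample file and environment are constructed for illustration, and the function names are the example's own.

```python
# Environment variable -> mqclient.ini stanza/attribute, from the mapping table on this page.
ENV_TO_INI = {
    "CHANNELS": {"MQCCSID": "CCSID", "MQCHLLIB": "ChannelDefinitionDirectory",
                 "MQCHLTAB": "ChannelDefinitionFile", "MQSERVER": "ServerConnectionParms"},
    "SSL": {"MQCERTLABL": "CertificateLabel", "MQCERTVPOL": "CertificateValPolicy",
            "MQSSLCRYP": "SSLCryptoHardware", "MQSSLFIPS": "SSLFipsRequired",
            "MQSSLKEYR": "SSLKeyRepository", "MQSSLPROXY": "SSLHTTPProxyName",
            "MQSSLRESET": "SSLKeyResetCount", "MQSUITEB": "EncryptionPolicySuiteB"},
    "TCP": {"MQIPADDRV": "IPAddressVersion", "MQTCPTIMEOUT": "Connect_Timeout"},
    "NETBIOS": {"MQNAME": "LocalName"},
}

# Constructed sample file in the stanza format shown on this page.
SAMPLE_INI = """\
#* constructed mqclient.ini for illustration *#
CHANNELS:
   ServerConnectionParms=SALES.SVRCONN/TCP/hostname.x.com(1414)
SSL:
   SSLFipsRequired=NO
TCP:
   KeepAlive = Yes
   Connect_Timeout=0
"""
# Constructed environment: the variables present override their file counterparts.
SAMPLE_ENV = {"MQSERVER": "ADMIN.SVRCONN/TCP/other.x.com(1415)", "MQSSLFIPS": "YES"}

def parse_mqclient_ini(text):
    """Parse 'Stanza:' headers followed by 'attr=value' lines; '#' or ';' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.endswith(":"):
            current = line[:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            stanzas[current][key] = value   # a repeated attribute keeps the last value
    return stanzas

def effective_config(text, env):
    """Page rule: an environment variable overrides the file value; also returns which overrides applied."""
    cfg, overrides = parse_mqclient_ini(text), []
    for stanza, attrs in ENV_TO_INI.items():
        for var, attr in attrs.items():
            if var in env:
                cfg.setdefault(stanza, {})[attr] = env[var]
                overrides.append((stanza, attr, var))
    return cfg, overrides
```

Pass os.environ as env to see what a real client process would end up with, and review the overrides list when a client connects somewhere other than where the file says.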

Thursday, September 11, 2014

MQCSP Password Protection in IBM Websphere MQ V8 - Middleware News

The MQCSP structure enables the authorization service to authenticate a user ID and password from the client. You specify the MQCSP connection security parameters structure on an MQCONNX call. Before WebSphere MQ version 8, passwords sent from the client to the queue manager crossed the network in plain text unless SSL/TLS encryption was used, which is insecure. MQ version 8 provides options to send the passwords included in the MQCSP structure protected either by WebSphere MQ's own password protection or by SSL/TLS encryption.

This password protection mechanism applies to MQ version 8 queue managers, MQI C clients, Java and JMS clients, and .NET clients. Password protection is used when all of the following conditions are met:
-Both ends of the connection are using WebSphere MQ version 8.0.
-The channel is not using SSL/TLS encryption.
-If the client is WebSphere MQ Explorer, user identification compatibility mode is not enabled (it is not enabled by default). This condition applies only to WebSphere MQ Explorer.
-If the client is a Java or JMS application, the useMQCSPauthentication configuration setting is set to true (it is not the default). This condition applies only to Java and JMS client applications.

MQ version 8 supports two password protection algorithms:
-the "null" algorithm, which sends the password as plain text, as in all earlier MQ versions
-the "real" password protection algorithm, which uses Triple DES (3DES) based encryption.
By default, passwords are automatically protected whenever both ends of the client/server connection are running MQ 8.0 or higher. MQ version 8 controls this through the "PasswordProtection" attribute. The PasswordProtection attribute in the Channels stanza of the client and queue manager .ini configuration files can take one of three values:
COMPATIBLE
 This is the default value. When communicating with MQ 8.0, a real password protection algorithm must be negotiated. When communicating with MQ 7.5 or lower, the null password protection algorithm can be used for interoperability.
ALWAYS
 A real password protection algorithm must always be negotiated. With this setting you cannot communicate with MQ 7.5 or lower.
OPTIONAL
 Any mutually supported password protection algorithm is allowed.

The following link lists the possible forms of connection for each value of PasswordProtection:
 http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q118710_.htm?lang=en
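The following Python is an added example, not from the original post or from IBM, that models the negotiation the three PasswordProtection values above describe and flags the combinations in which the password would still cross the network as plain text. The rule that a pre-8.0 end only understands the null algorithm is an assumption, since the post only describes the 8.0 side, and the names negotiate and audit are the example's own.

```python
REAL, NULL = "real", "null"   # the two algorithms the post names (real = 3DES based)

def allowed_algorithms(setting, peer_is_v8):
    """Algorithms an MQ 8.0 end accepts, as the post describes each PasswordProtection value."""
    if setting == "ALWAYS":
        return {REAL}                            # never falls back to plain text
    if setting == "COMPATIBLE":                  # the default
        return {REAL} if peer_is_v8 else {NULL}  # real with 8.0; null only for 7.5 or lower
    if setting == "OPTIONAL":
        return {REAL, NULL}                      # any mutually supported algorithm
    raise ValueError("unknown PasswordProtection value: %s" % setting)

def negotiate(client, qmgr, client_v8=True, qmgr_v8=True, tls=False):
    """Outcome for an MQCSP password: 'tls', 'real', 'null', or None when no algorithm is common.
    client/qmgr are the PasswordProtection values from each end's .ini file."""
    if tls:
        return "tls"   # per the post, password protection is only used on channels without SSL/TLS
    # Assumption (not stated on the page): a pre-8.0 end has no PasswordProtection
    # attribute and only knows the null algorithm.
    client_ok = allowed_algorithms(client, qmgr_v8) if client_v8 else {NULL}
    qmgr_ok = allowed_algorithms(qmgr, client_v8) if qmgr_v8 else {NULL}
    common = client_ok & qmgr_ok
    for algorithm in (REAL, NULL):   # prefer the protected algorithm when both ends allow it
        if algorithm in common:
            return algorithm
    return None

def audit(client, qmgr, client_v8=True, qmgr_v8=True, tls=False):
    """Summarize one client/queue-manager pairing so plain-text passwords stand out in a review."""
    result = negotiate(client, qmgr, client_v8, qmgr_v8, tls)
    return {"algorithm": result, "plaintext_password": result == NULL, "connects": result is not None}
```

Running audit over an inventory of client and queue manager settings shows which COMPATIBLE connections to pre-8.0 queue managers are the ones still sending plain-text passwords.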

The password protection mechanism does not offer the wide variety of encryption algorithms available with SSL/TLS; with SSL/TLS the user can choose the encryption type. SSL/TLS encryption remains the preferred method over WebSphere MQ password protection, especially when the network between the client and queue manager is untrusted, because it is more secure. Password protection is suited to customers who do not use SSL/TLS because of the overhead of certificate management.

Connection authentication using MQCSP requires changes on both the client and the server. Application changes for connection authentication:
MQI: an application that connects to the queue manager through the MQI should use the MQCONNX call with an MQCSP structure. Sample C fragment for connection authentication:
                #include <string.h>
                #include <cmqc.h>   /* MQI definitions: MQCNO, MQCSP, MQCONNX */

                char *QMName = "queue_manager";
                char *Userid = "user_id";
                char *Password = "password";
                MQHCONN Hcon;              /* connection handle set by MQCONNX */
                MQLONG CompCode, CReason;  /* completion code and reason code */
                MQCNO cno = {MQCNO_DEFAULT};
                MQCSP csp = {MQCSP_DEFAULT};
                cno.SecurityParmsPtr = &csp;
                cno.Version = MQCNO_VERSION_5;   /* SecurityParmsPtr needs MQCNO version 5 */
                csp.AuthenticationType = MQCSP_AUTH_USER_ID_AND_PWD;
                csp.CSPUserIdPtr = Userid;
                csp.CSPUserIdLength = (MQLONG)strlen(Userid);
                csp.CSPPasswordPtr = Password;
                csp.CSPPasswordLength = (MQLONG)strlen(Password);
                MQCONNX(QMName, &cno, &Hcon, &CompCode, &CReason);
                if (CompCode != MQCC_OK) {
                    /* CReason explains the failure, e.g. MQRC_NOT_AUTHORIZED (2035) */
                }

Object-oriented languages such as the Java classes set properties before connecting to the queue manager. Java code fragment for connection authentication:
                import java.util.Hashtable;
                import com.ibm.mq.MQException;
                import com.ibm.mq.MQQueueManager;
                import com.ibm.mq.constants.MQConstants;

                String QMName = "queue_manager";
                String Userid = "user_id";
                String Password = "password";
                Hashtable<String, Object> h = new Hashtable<String, Object>();
                h.put(MQConstants.USER_ID_PROPERTY, Userid);
                h.put(MQConstants.PASSWORD_PROPERTY, Password);
                // true selects MQCSP authentication; required for password protection (see above)
                h.put(MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY, true);
                MQQueueManager qMgr = new MQQueueManager(QMName, h);   // throws MQException on failure

or the MQEnvironment class can be used instead:
                import java.util.Hashtable;
                import com.ibm.mq.MQEnvironment;
                import com.ibm.mq.MQQueueManager;
                import com.ibm.mq.constants.MQConstants;

                String QMName = "queue_manager";
                String Userid = "user_id";
                String Password = "password";
                MQEnvironment.properties = new Hashtable<String, Object>();
                // same MQCSP switch as above; without it the Java client does not use MQCSP
                MQEnvironment.properties.put(MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY, true);
                MQEnvironment.userID = Userid;
                MQEnvironment.password = Password;
                MQQueueManager qMgr = new MQQueueManager(QMName);   // picks up the MQEnvironment settings

JMS and XMS: the connection methods take user ID and password parameters:
                Connection connection = connectionFactory.createConnection(Userid, Password);

Information on configuring the server queue manager to check the authenticity of the user ID and password supplied by the client application can be found here:
 http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q113250_.htm?lang=en
With the above changes on both the client and the server, the password is sent protected when both ends of the connection are using MQ version 8.