Passing user credentials when connecting to an MQSeries queue manager

Enterprise Server supports the MQCSP structure, which enables the authorization service to authenticate a user ID and a password. MQCSP connection security parameters are specified on an MQCONNX call. Enterprise Server performs any required conversion, for example between ASCII and EBCDIC character sets. It does this by hooking the MQCONNX call and performing any additional processing before passing the request to the MQSeries™ interface.

This technique also makes it possible to implement a security exit, so that user credentials are determined under the control of the installation's bespoke routine, minimizing the number of points at which sensitive user information is exposed.

The user exit, which must be named mqgetcrd, is invoked at the time of the call to MQCONNX, using the structure declared in the supplied copybook cascbaut.cpy.

To enable the XA open string to be configured without including user credentials, the exit is also called by the MQ switch module ESMQXA at the start of the xa-open operation. The returned user ID and password are added to the open string, which is then passed to the MQSeries interface.

Input to the exit:
Pointers to the queue manager name and the open string (see cascbaut.cpy).
Output:
Pointers to, offsets of and lengths of the user ID and password.

See an example in the mfgetcrd.cbl file provided with the product in <install-dir>\src\enterpriseserver\exits.
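
For reference, the sketch below shows how MQCSP user ID and password parameters are attached to an MQCONNX call in COBOL. It is an added illustration, not the product's mfgetcrd.cbl sample and not an mqgetcrd exit. It assumes the IBM MQ copybooks CMQV, CMQCNOV and CMQCSPV are on the copy path and a dialect that allows ADDRESS OF on working-storage items; QM1, MQ_APP_USER and MQ_APP_PASS are constructed names.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. CSPCONN.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
      * IBM MQ constants and structures (copybooks shipped with MQ).
       01  MQ-CONSTANTS.
           COPY CMQV.
       01  CONN-OPTS.
           COPY CMQCNOV.
       01  SEC-PARMS.
           COPY CMQCSPV.
      * Constructed for this example: QM1 and the variable names.
       01  WS-QMGR      PIC X(48) VALUE 'QM1'.
       01  WS-USER      PIC X(32).
       01  WS-PWD       PIC X(64).
       01  WS-PAD       PIC S9(9) BINARY VALUE 0.
       01  WS-HCONN     PIC S9(9) BINARY.
       01  WS-COMPCODE  PIC S9(9) BINARY.
       01  WS-REASON    PIC S9(9) BINARY.
       PROCEDURE DIVISION.
      * Take credentials from the environment, not from source.
           MOVE SPACES TO WS-USER WS-PWD
           DISPLAY 'MQ_APP_USER' UPON ENVIRONMENT-NAME
           ACCEPT WS-USER FROM ENVIRONMENT-VALUE
           DISPLAY 'MQ_APP_PASS' UPON ENVIRONMENT-NAME
           ACCEPT WS-PWD FROM ENVIRONMENT-VALUE
      * MQCSP holds the address and trimmed length of each value.
           MOVE MQCSP-AUTH-USER-ID-AND-PWD
             TO MQCSP-AUTHENTICATIONTYPE
           INSPECT FUNCTION REVERSE(WS-USER)
               TALLYING WS-PAD FOR LEADING SPACES
           COMPUTE MQCSP-CSPUSERIDLENGTH = LENGTH OF WS-USER - WS-PAD
           SET MQCSP-CSPUSERIDPTR TO ADDRESS OF WS-USER
           MOVE 0 TO WS-PAD
           INSPECT FUNCTION REVERSE(WS-PWD)
               TALLYING WS-PAD FOR LEADING SPACES
           COMPUTE MQCSP-CSPPASSWORDLENGTH = LENGTH OF WS-PWD - WS-PAD
           SET MQCSP-CSPPASSWORDPTR TO ADDRESS OF WS-PWD
      * SecurityParmsPtr is only honoured from MQCNO version 5.
           MOVE MQCNO-VERSION-5 TO MQCNO-VERSION
           SET MQCNO-SECURITYPARMSPTR TO ADDRESS OF SEC-PARMS
           CALL 'MQCONNX' USING WS-QMGR, CONN-OPTS, WS-HCONN,
                                WS-COMPCODE, WS-REASON
      * Do not keep the password in storage after the connect.
           MOVE LOW-VALUES TO WS-PWD
           IF WS-COMPCODE NOT = MQCC-OK
               DISPLAY 'MQCONNX failed, reason ' WS-REASON
           ELSE CALL 'MQDISC' USING WS-HCONN, WS-COMPCODE, WS-REASON
           END-IF
           GOBACK.
```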