IBM MQ Token Authentication.pdf
- 1. TechCon 2022 IBM MQ Token Based Authentication Rob Parker Security Architect, MQ Distributed parrobe@uk.ibm.com © 2022 IBM Corporation IBM MQ | 30 Years of Innovation
- 2. Important Disclaimers IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. © Copyright IBM Corporation 2023. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation, in the United States and/or other countries. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on ibm.com/trademark. 2 © 2023 IBM Corporation IBM MQ | 30 Years of Innovation
- 3. IBM Automation / June, 2023 / © 2023 IBM Corporation 3 What is JWT? IBM MQ | 30 Years of Innovation
- 4. IBM MQ 9.3.4 – Token-based authentication What is a token? • A token is a simple structure that contains information about a user and can easily be transferred between parties over the internet. • A JWT can be cryptographically signed to form a JWS. This allows for the cryptographic verification of the information inside the JWT. • Authentication tokens that are used with IBM MQ must • Be a valid JWT, as defined by internet standard RFC7519 • Be signed according to JSON Web Signature (JWS) internet standard RFC7515, with an algorithm that IBM MQ supports • Contain the required header parameters and payload claims. • The token can contain a “user claim” that specifies the user ID to be adopted. { "alg": "HS256", "typ": "JWT" } { "user": "user_id", "exp": 1716239022, "nbf": 1516239022 } HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret ) Header Payload Signature eyJhbGciOiJIUzI1NiIsInR5cCI6I kpXVCJ9.eyJzdWIiOiIxMjM0NT Y3ODkwIiwibmFtZSI6IkpvaG4 gRG9lIiwiZXhwIjoxNTE2MjM5 MDIyfQ.E9bQ6QAil4HpH825Q C5PtjNGEDQTtMpcj0SO2W8v mag © 2023 IBM Corporation IBM MQ | 30 Years of Innovation
- 5. IBM MQ | 30 Years of Innovation https://jwt.io/ © 2023 IBM Corporation
- 6. Full spec IBM MQ | 30 Years of Innovation © 2023 IBM Corporation
- 7. IBM Confidential Auth Server IBM MQ | 30 Years of Innovation © 2023 IBM Corporation Benefits
- 8. IBM Confidential Auth Server IBM MQ | 30 Years of Innovation Centralized Authentication © 2023 IBM Corporation
- 9. IBM Confidential Auth Server Credentials only go to authentication server Token © 2023 IBM Corporation
- 10. IBM Confidential Auth Server IBM MQ | 30 Years of Innovation Authenticate how you choose Token © 2023 IBM Corporation
- 11. IBM Confidential Auth Server Tokens contain information Token © 2023 IBM Corporation • User • Groups • Authorizations • Expiry • Who issed • etc IBM MQ | 30 Years of Innovation
- 12. IBM Automation / June, 2023 / © 2023 IBM Corporation 12 How does JWT work in MQ? IBM MQ | 30 Years of Innovation
- 13. IBM MQ 9.3.4 – Token-based authentication From IBM MQ 9.3.4, client applications can provide tokens to authenticate with a queue manager. The queue manager must be configured to accept authentication tokens. • Token-based authentication is supported by queue managers that run on AIX®, Linux®, and OpenShift® Container Platforms. • IBM MQ MQI clients written in C present tokens on connection and can be authenticated. • The client application can run on any platform. • Both IBM MQ MQI clients and Java clients can remain unchanged and use security exits to send authentication tokens to the queue manager. © 2023 IBM Corporation IBM MQ | 30 Years of Innovation
- 14. Auth Server MQ Config Keystore Queue Manager IBM MQ | 30 Years of Innovation © 2023 IBM Corporation
- 15. Must be 12 characters or less Identity adoption IBM MQ | 30 Years of Innovation © 2023 IBM Corporation
- 16. MQCNO cno = {MQCNO_DEFAULT}; MQCSP csp = {MQCSP_DEFAULT}; Char * Token; ... cno.SecurityParmsPtr = &csp; cno.Version = MQCNO_VERSION_5; Token = myOAUthLogin(User,Pass); csp.Version = MQCSP_VERSION_3; csp.AuthenticationType = MQCSP_AUTH_ID_TOKEN; csp.TokenPtr = Token; csp.TokenLength = (MQLONG)strlen(Token); MQCONNX(QMName, &cno, &Hcon, &CompCode, &Creason); Application Changes • C Clients • Network bound © 2023 IBM Corporation
- 17. Security exits Auth Server C client App SCYEXIT SCYEXIT IBM MQ | 30 Years of Innovation © 2023 IBM Corporation
- 18. Security exits Auth Server Java/JMS client App SCYEXIT IBM MQ | 30 Years of Innovation © 2023 IBM Corporation
- 19. Demo?
- 20. © 2022 IBM Corporation
- 21. Notices and disclaimers © 2023 International Business Machines Corporation. All rights reserved. This document is distributed “as is” without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. Not all offerings are available in every country in which IBM operates. Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at: www.ibm.com/legal/copytrade.shtml. Certain comments made in this presentation may be characterized as forward looking under the Private Securities Litigation Reform Act of 1995. Forward-looking statements are based on the company’s current assumptions regarding future business and financial performance. Those statements by their nature address matters that are uncertain to different degrees and involve a number of factors that could cause actual results to differ materially. Additional information concerning these factors is contained in the Company’s filings with the SEC. Copies are available from the SEC, from the IBM website, or from IBM Investor Relations. Any forward-looking statement made during this presentation speaks only as of the date on which it is made. The company assumes no obligation to update or revise any forward-looking statements except as required by law; these charts and the associated remarks and comments are integrally related and are intended to be presented and understood together. 21 © 2023 IBM Corporation