Gatekeeper is a security plugin for MQ and provides a secure way for clients to connect to an MQ queue manager. It uses a client authentication exit module to extend the functionality of MQ to provide a method for JMS and other types of client connections to be authenticated using standard LDAP Simple authentication.
The module itself is called a 'security channel exit' and is named libMQAuthLdap. The module is deployed to an MQ server and is used to protect client MQ connections by providing username and password authentication against an enterprises single sign-on (SSO) such as LDAPS or Microsoft's Active Directory.
Client passwords are protected during channel authentication by using standard MQ one way SSL encryption.
The module provides a number of key security features such as,
- Username/password authentication performed using LDAP/S simple bind authentication.
- Every channel can employ a different security profile
- Auto fail-over to alternate LDAP/S server when one is not available
- Supports Microsoft Active Directory (AD) LDAP
- One, or two way SSL on the connecting MQ client channel to protect the password on the wire.
- Supports LDAP group memberships such as an AD group
- Supports IP address filtering (the rules file is compatible with the BlockIP2 rules file)
- Client user id translation or pass-through for object level authorisations (OAM)
- Multiple client API support