Anybody can change the MQ_USER_ID environment variable, so it provides no measure of true authentication, anyway. If client security is very important, then you've got a significant challenge on your hands that will need considerable architectural attention--you're looking at some combination of security exits, an upgrade to get SSL support, third-party software, etc. On the other hand, you can get a moderate level of security without too much effort. Some observations:
1. You may find that restricting the NT userid length (as a standard) provides other benefits and that, relatve to other solutions, is not so ominous after all. 2. If you have only a few clients, then you can provide a separate server channel for each and supply the userid in MCAUSER. 3. From MQ's perspective it is not necessary for the NT account to have a matching UNIX account. You only need to authorize the 10-character NT userids in MQ's security namespace. In other words, you can authorize 'NT USER 01' to the Unix MQ server even though it's longer than 8 characters. It is important to note that MQ security and the Unix OS security are separate beasts. Your MQ USERID and UNIX USERID are not necessarily the same. The MQ_USER_ID which MQ passes in the client connection only pertains to MQ SECURITY and does not mean the UNIX server process runs under that account (unless you have done an 'SU' or something to that effect in the server process). Regards, Dennis -----Original Message----- From: Richard Bellis [mailto:[EMAIL PROTECTED] Sent: Thursday, March 11, 2004 12:21 AM To: [EMAIL PROTECTED] Subject: Windows/Unix Authentication I wonder if someone could help. Currently when an Windows MQ series client connects to the MQ server on Unix we require that the account exists on both machines. We now have a problem were a Unix restriction prevents user names from being more than 8 characters. However our NT account is 10 characters long. The documentation that I have stumbled accross mention something about environment Variables MQ_USER_ID, but states that this is not for Windows NT. Is there any way that we can set this up? The client is NT4 and the server is on Solaris 8 using MQ 5.2.1 I know I could change the Windows NT account, but this is a hassle and may involves a lot of work. Many Thanks, Richard Bellis M&G IS Technical Strategy 020 7548 3346 The information contained in this message may be CONFIDENTIAL and is intended for the addressee only. Any unauthorised use, dissemination of the information, or copying of this message is prohibited. If you are not the addressee, please notify the sender immediately by return e-mail and delete this message. Although this e-mail and any attachments are believed to be free of any virus, or other defect which might affect any computer or system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility is accepted by M&G for any loss or damage from receipt or use thereof. Please note that all e-mail messages are subject to interception for lawful business purposes. Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive