Setting the channel security exit
ony
Posted: Tue Oct 13, 2009 4:41 am    Post subject: Setting the channel security exit

Newbie

Joined: 26 Aug 2009
Posts: 4

Hi folks,

I am trying to set a channel security exit for a svrconn channel. My exit is sitting in /opt/mqm/exits64 . I've tried several combinations trying to follow the manual but can't seem to get it right. The entry point in the code is chExit.

Here's my latest iteration of the channel setting
SCYEXIT((chExit))

and it produces the following:
13/10/09 08:28:17 - Process(28266.32) User(mqm) Program(amqrmppa)
AMQ6174: The dynamically loadable shared library '/var/mqm/exits64//chExit' was
not found

Anyone know how to set this properly ?

Thanks
shashivarungupta
Posted: Tue Oct 13, 2009 4:55 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

* At the server end, chExit should be there in location of /var/mqm/exits64/ (for 64bit OS say AIX5.3) or in your case it's /opt/mqm/exits64/. Otherwise for the 32 bit versions it would be /var/mqm/exits/ (say on 32 bit AIX).
* The Root level permissions should be given to that chExit at server.
* At Client side in the server conn. channel, under exits, security exit name and security exit data should be given. (in some cases security exit data contains the location of the file where the userid and password are placed.)
Security exit name is the location of your chExit on the server.
* NO mqm on MCAUserID. (otherwise you are open to all the connections, NO SECURITY EXIT)
* The ID that you are authenticating for connection that got to be there at server for handshaking (while connection req. to the queue manager over a secured channel).
_________________
*Life will beat you down, you need to decide to fight back or leave it.
ony
Posted: Tue Oct 13, 2009 5:00 am

Newbie

Joined: 26 Aug 2009
Posts: 4

shashivarungupta wrote:
* At the server end, chExit should be there in location of /var/mqm/exits64/ (for 64bit OS say AIX5.3) or in your case it's /opt/mqm/exits64/. Otherwise for the 32 bit versions it would be /var/mqm/exits/ (say on 32 bit AIX).
* The Root level permissions should be given to that chExit at server.
* At Client side in the server conn. channel, under exits, security exit name and security exit data should be given. (in some cases security exit data contains the location of the file where the userid and password are placed.)
Security exit name is the location of your chExit on the server.
* NO mqm on MCAUserID. (otherwise you are open to all the connections, NO SECURITY EXIT)
* The ID that you are authenticating for connection that got to be there at server for handshaking (while connection req. to the queue manager over a secured channel).


Thanks, all that is good. It just doesn't seem to be able to find the exit because of the SCYEXIT setting.
shashivarungupta
Posted: Tue Oct 13, 2009 5:01 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

..Though I've got a few questions for you:
* what's written in chExit ?
* I think you are on Solaris ?
* what all you did to achieve it ?
_________________
*Life will beat you down, you need to decide to fight back or leave it.
ony
Posted: Tue Oct 13, 2009 5:08 am

Newbie

Joined: 26 Aug 2009
Posts: 4

shashivarungupta wrote:
..Though I've got a few questions for you:
* what's written in chExit ?
* I think you are on Solaris ?
* what all you did to achieve it ?


It's Linux RHEL5. Written in C.

It's an existing exit that I just rebuilt for RHEL5. I dropped it in /var/mqm/exits64.

I'm using amqsputc from a remote server to test it ( works fine when I don't specify an exit ). But my setting seems to produce the error with a trailing forward-slash. I've tried several different iterations but haven't gotten it quite right.

Thanks
Mr Butcher
Posted: Tue Oct 13, 2009 5:30 am

Padawan

Joined: 23 May 2005
Posts: 1716

From the manual:

Quote:
On HP OpenVMS and UNIX systems, it is of the form:
libraryname(functionname)


so it should look like this

Code:

ALTER CHANNEL('yourchannel') chltype(SVRCONN) SCYEXIT('libraryname(function)')


The file residing in /var/mqm/exits64 is the library name, and function is what you specified as exit name in the source code.
_________________
Regards, Butcher
shashivarungupta
Posted: Tue Oct 13, 2009 5:36 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

Quote:
But my setting seems to produce the error with a trailing forward-slash.


For that you've got to look at your C code, where it's calling the function of SecurityExit and trying to place the '/chExit' in the path '/var/mqm/exits64/'. Maybe duplication of '/' is happening over the string concatenation. (I don't know, but if yes then you've got to drop one '/' on any one of those strings.)
Hmm.. generally it is not required to have '//' to treat it as '/' (single '/').
I used '//' (double //) in Java language and Unix scripting (as escape sequencing). But I don't think it's required there in C.
_________________
*Life will beat you down, you need to decide to fight back or leave it.
shashivarungupta
Posted: Tue Oct 13, 2009 5:53 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

...I would correct myself now.. in C language, escape sequencing is there!! (I recalled it.. Uff.. been a long time.)
I can see it but for the '\' backslash. (http://msdn.microsoft.com/en-us/library/h21280bw.aspx)
and you are doing something like (I hope):
char Channel_exitfile[] = "c:\\temp\\chexitfile";
_________________
*Life will beat you down, you need to decide to fight back or leave it.
gbaddeley
Posted: Tue Oct 13, 2009 3:12 pm    Post subject: Re: Setting the channel security exit

Jedi

Joined: 25 Mar 2003
Posts: 2495
Location: Melbourne, Australia

ony wrote:
Hi folks,

I am trying to set a channel security exit for a svrconn channel. My exit is sitting in /opt/mqm/exits64 . I've tried several combinations trying to follow the manual but can't seem to get it right. The entry point in the code is chExit.

Here's my latest iteration of the channel setting
SCYEXIT((chExit))

and it produces the following:
13/10/09 08:28:17 - Process(28266.32) User(mqm) Program(amqrmppa)
AMQ6174: The dynamically loadable shared library '/var/mqm/exits64//chExit' was
not found

Anyone know how to set this properly ?

Thanks


The exit module should be placed in /var/mqm/exits64. It requires execute permission for the mqm user. Normally the permissions would be set up as "mqm mqm rwxrwx---".

The scyexit parm uses the format 'modulefilename(functionname)', e.g. if your module file is chExit and the function in that module that implements a security exit call is mysec (as per the prototype in the MQ Intercommunication manual), the param setting would be 'chExit(mysec)'. MQ will use the default 64 bit exits path, whatever you have that set to in qm.ini.
_________________
Glenn
fjb_saper
Posted: Tue Oct 13, 2009 3:20 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

And remember you must build both the 32 and 64 bit versions and drop them in their respective directories....

Have fun
_________________
MQ & Broker admin
gbaddeley
Posted: Wed Oct 14, 2009 2:49 pm

Jedi

Joined: 25 Mar 2003
Posts: 2495
Location: Melbourne, Australia

fjb_saper wrote:
And remember you must build both the 32 and 64 bit versions and drop them in their respective directories....

Have fun


On MQ v6.0 and higher that run queue manager processes as 64 bit, all channel exits must be 64 bit, with one exception. If you want to run a security exit on a CLNTCONN type channel (i.e. at the client app end of a MQIC connection) and the app is 32 bit, the channel exit needs to be 32 bit, and should be placed in /var/mqm/exits. The SVRCONN end is always 64 bit, regardless of the client app being 32 or 64 bit.

I sometimes pine for the days of MQ v5.3, when all channel exits were 32 bit. Then I wake up from the bad dream, and v5.3 has gone to the great place in the sky where out of support software lingers on some dusty old systems that run the pearly gates app.
_________________
Glenn
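
The points made across the thread (the 'module(function)' form of SCYEXIT, the exits directory with its permissions, and 32/64-bit placement) can be checked before the channel is altered. The script below is an added example, not code from any poster or from IBM; the function name check_scyexit and its verdict strings are made up for illustration, and it assumes a bare module file name resolved against the exits directory on a Linux host with od, ls and cut.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight check of a SCYEXIT value.
# Usage: check_scyexit 'module(function)' EXITS_DIR BITS    (BITS = 32 or 64)
# Assumes a bare module file name that is resolved against EXITS_DIR.
check_scyexit() {
    value=$1; dir=${2%/}; bits=$3

    # The value must have the form module(function).
    case $value in
        *\(*\)) ;;
        *) echo "BAD_FORMAT"; return 1 ;;
    esac
    module=${value%%\(*}                 # text before the first '('
    func=${value#*\(}; func=${func%\)}   # text between the parentheses
    case "x$module" in x|*"("*|*")"*) echo "BAD_FORMAT"; return 1 ;; esac
    case "x$func"   in x|*"("*|*")"*) echo "BAD_FORMAT"; return 1 ;; esac

    path=$dir/$module
    [ -f "$path" ] || { echo "MISSING $path"; return 1; }

    # ELF header: bytes 0-3 are 7f 'E' 'L' 'F'; byte 4 (EI_CLASS) is
    # 1 for a 32-bit object and 2 for a 64-bit object.
    magic=$(od -An -tx1 -N4 "$path" | tr -d ' \n')
    class=$(od -An -tu1 -j4 -N1 "$path" 2>/dev/null | tr -d ' \n')
    [ "$magic" = 7f454c46 ] || { echo "NOT_ELF $path"; return 1; }
    case $bits:$class in
        32:1|64:2) ;;
        *) echo "WRONG_BITS $path"; return 1 ;;
    esac

    # Owner must have execute; "other" gets nothing (rwxrwx--- in the thread).
    perms=$(ls -ld "$path" | cut -c2-10)
    case $perms in
        ??[xs]???---) ;;
        *) echo "PERMS $perms $path"; return 1 ;;
    esac
    echo "OK $path $func"
}
```

A value such as '(chExit)', which has no module name before the parenthesis, is reported as BAD_FORMAT. The check does not confirm that the named function is actually exported by the module.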