How to verify whether a trusted app is actually trusted
bruce2359
Posted: Thu Sep 22, 2011 11:16 am

Poobah

Joined: 05 Jan 2008
Posts: 9475
Location: US: west coast, almost. Otherwise, enroute.

Gideon wrote:
I am trying to ensure that the channel agents (that my remote client applications are connecting to) on the server are trusted.


WMQ internal applications - MCAs - are trusted. Your other apps are not trusted, and should not be defined as trusted.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

bruce2359
Posted: Thu Sep 22, 2011 11:47 am

Many v7 manuals are downloadable, including the APG and APR. Had you searched Google for websphere mq application programming reference you would have found one of these.

ftp://ftp.software.ibm.com/software/integration/wmq/docs/V7.0/csqzal13.pdf

ftp://ftp.software.ibm.com/software/integration/wmq/docs/V7.0/csqzak12.pdf

bruce2359
Posted: Thu Sep 22, 2011 12:13 pm

Gideon wrote:
I probably was not specific enough. I am trying to ensure that the channel agents that my remote client applications are connecting to on the server are trusted.

Yes, I researched the prerequisites for trusted agents. In a nutshell they are:

    In the qm.ini, include the following in the Channels stanza:

    MQIBindType=FASTPATH

    Export the following variable in the mqm environment when you start the Qmgr and the listener:

    export MQ_CONNECT_TYPE=FASTPATH

    Also, the calling MQI code must be written with a MQCONNX call,
    where the MQCNO_FASTPATH_BINDING is set to allow trusted apps


That last point begs a question,

If I set up my server to be trusted with the first 2 considerations above, will the channel agents be trusted no matter if the client app is using a proper MQCONNX call or not?

I am wondering this because isn't the channel agent at that point independent of the app?

Thanks

Your list of pre-requisites is incomplete. The long(er) list of pre-reqs may be found in the APR manual.

Gideon
Posted: Thu Sep 22, 2011 2:28 pm

Chevalier

Joined: 18 Aug 2009
Posts: 403

I looked in the MQ Application Programming Reference, and found a couple of things I assumed, but did not write down. From pages 83 and 94 I found:

Code:
The qmgrs and listener must be run in the UID and the Group ID of mqm

The MQCONNX 'options' should include MQCNO_FASTPATH_BINDING


To go along with the other requirements of

Code:
In the qm.ini, include the following in the Channels stanza:

MQIBindType=FASTPATH

Export the following variable in the mqm environment when you start the Qmgr and the listener:

export MQ_CONNECT_TYPE=FASTPATH


What I have written is identical to the information posted in the link below

http://www.ibm.com/developerworks/websphere/library/techarticles/0712_dunn/0712_dunn.html?S_TACT=105AGY82&S_CMP=GENSITE

Gideon
Posted: Thu Sep 22, 2011 2:32 pm

After reading this link again

http://www.ibm.com/developerworks/websphere/library/techarticles/0712_dunn/0712_dunn.html?S_TACT=105AGY82&S_CMP=GENSITE


I perform the following to try to check the channel agents (Not applications)

Code:
$ whoami
mqm
$ export MQ_CONNECT_TYPE=FASTPATH
$
$ strmqm WQM1
WebSphere MQ queue manager 'WQM1' starting.
5 log records accessed on queue manager 'WQM1' during the log replay phase.
Log replay for queue manager 'WQM1' complete.
Transaction manager state recovered for queue manager 'WQM1'.
WebSphere MQ queue manager 'WQM1' started.
$
$
$ ps -ef | grep amqzlaa
     mqm 2359674 3998384   0 22:19:00  pts/4  0:00 grep amqzlaa
     mqm 4063818 3146240   0 22:18:39      -  0:00 amqzlaa0 -mWQM1 -fip0
$

So at this point I started the Qmgr up in trusted mode, but I have an amqzlaa0 process. It appears that is because the Channel initiator and command server, etc. are set up as non-trusted.

Is this correct?

I then did the following:


Code:
$ runmqlsr -m WQM1 -t tcp -p 1414 &
[1]     2359678
$ 5724-H72 (C) Copyright IBM Corp. 1994, 2009.  ALL RIGHTS RESERVED.

$ ps -ef | grep runmqlsr
     mqm 2359678 3998384   0 22:19:42  pts/4  0:00 runmqlsr -m WQM1 -t tcp -p 1414
     mqm 2622174 3998384   0 22:19:49  pts/4  0:00 grep runmqlsr
$
$
$ ps eww 2359678
     PID    TTY STAT  TIME COMMAND
 2359678  pts/4 A     0:00 runmqlsr -m WQM1 -t tcp -p 1414 _=/usr/bin/runmqlsr LANG=en_US LOGIN=mqm PATH=/opt/IBM/mqsi/7.0/jre16/bin:/opt/IBM/mqsi/7.0/bin:/usr/bin:/etc:/usr/sbin:/usr/ucb:/var/mqm/bin:/usr/bin/X11:/sbin:. MQ_CONNECT_TYPE=FASTPATH MQSI_JARPATH=/opt/IBM/mqsi/7.0/classes:/opt/IBM/mqsi/7.0/messages LC__FASTMSG=true MQSI_REGISTRY=/var/mqsi CLASSPATH=/opt/IBM/mqsi/7.0/classes/ConfigManagerProxy.jar:/opt/IBM/mqsi/7.0/classes/brokerutil.jar:/usr/mqm/java/lib/com.ibm.mq.commonservices.jar:/usr/mqm/java/lib/com.ibm.mq.headers.jar:/usr/mqm/java/lib/com.ibm.mq.jar:/usr/mqm/java/lib/com.ibm.mq.jmqi.jar:/usr/mqm/java/lib/com.ibm.mq.pcf.jar:/usr/mqm/java/lib/connector.jar:/opt/IBM/mqsi/7.0/messages:/var/mqsi/common/wsrr: LOGNAME=mqm MQSI_FAD=5 MAIL=/usr/spool/mail/mqm MQSI_LILPATH=/opt/IBM/mqsi/7.0/lil:/opt/IBM/mqsi/7.0/jplugin LOCPATH=/usr/lib/nls/loc MQSI_JREPATH=/opt/IBM/mqsi/7.0/jre16 MQSI_DEVELOPMENT=/var/mqsi/registry USER=mqm AUTHSTATE=files MQSI_VERSION=7.0.0.1 SHELL=/usr/bin/ksh MQSI_CATALINA_HOME=/opt/IBM/mqsi/7.0/catalina ODMDIR=/etc/objrepos MQSI_FILEPATH=/opt/IBM/mqsi/7.0 ICU_DATA=/opt/IBM/mqsi/7.0/xml4c/data MIBDIRS=/opt/IBM/mqsi/7.0/snmp-mib: HOME=/var/mqm MQSI_VERSION_F=1 MQSI_WORKPATH=/var/mqsi TERM=xterm MQSI_SECURITY_PROVIDER_PATH=/opt/IBM/mqsi/7.0/SecurityProviders MQSI_EXMLTCONFIGPATH=/opt/IBM/mqsi/7.0/exmltConfig MAILMSG=[YOU HAVE NEW MAIL] MQSI_VERSION_M=0 PWD=/var/mqm/qmgrs/WQM1 TZ=America/New_York MQSI_VERSION_V=7 MQSI_VERSION_R=0 A__z=! LOGNAME NLSPATH=/opt/IBM/mqsi/7.0/messages/%L/%N:/opt/IBM/mqsi/7.0/messages/En_US/%N:/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.cat LIBPATH=/opt/IBM/mqsi/7.0/jre16/lib/ppc64:/opt/IBM/mqsi/7.0/jre16/lib/ppc64/classic:/usr/mqm/java/lib64:/opt/IBM/mqsi/7.0/xml4c/lib:/usr/mqm/lib64:/opt/IBM/mqsi/7.0/ODBC/V6.0/lib:/opt/IBM/mqsi/7.0/xlxpc/lib:/opt/IBM/mqsi/7.0/lib:/opt/IBM/mqsi/7.0/bin:
$


So it also appears that the listener is set to trusted correctly.

Is this also correct ?

(I hope I get an 'A')

bruce2359
Posted: Thu Sep 22, 2011 2:45 pm

So, from your research you found a couple of things. Do you believe that there are absolutely no other requirements whatsoever for an application to execute as "trusted?"

Which means that you or I can simply write any kind of application, client- or server-bindings, no matter how badly it will behave, specify MQCNO_FASTPATH_BINDING, and it will run as trusted? Sounds like an extreme security exposure, doesn't it?

Do you imagine that there might be something that sysadmins might need to do before an app can execute as trusted?

Earlier in your post, you stated that you were trying to learn the basics. Do you believe your research on this advanced topic is complete? I repeat: "trusted" is an advanced WMQ topic.

bruce2359
Posted: Thu Sep 22, 2011 3:10 pm

Gideon wrote:
(I hope I get an 'A')

No; but I've lost interest in replying.

mvic
Posted: Thu Sep 22, 2011 3:39 pm

Jedi

Joined: 09 Mar 2004
Posts: 2080

Gideon wrote:
I am trying to ensure that the channel agents that my remote client applications are connecting to on the server are trusted.

OK. Out of interest, why do you want to do this? It is reasonable in some circumstances, but not necessarily all.

Quote:
In the qm.ini, include the following in the Channels stanza:

MQIBindType=FASTPATH

Correct.

Quote:
Export the following variable in the mqm environment when you start the Qmgr and the listener:

export MQ_CONNECT_TYPE=FASTPATH

Incorrect.

Quote:
Also, the calling MQI code must be written with a MQCONNX call,
where the MQCNO_FASTPATH_BINDING is set to allow trusted apps

Do you mean the client application must call MQCONNX thus? That's not correct. The client can call MQCONN or MQCONNX as per its own needs, but cannot thus affect whether the server is running trusted channels.

bruce2359
Posted: Thu Sep 22, 2011 3:47 pm

One last post from me.

You seem to have misunderstood the fundamental (basic) concept of trust here. The issue of trust in the WMQ environment is about your applications.

IBM components behave in a trusted and trustful way - in conformance with the official IBM documentation that describes how WMQ behaves.

Trust (FASTPATH) is about how your application will be executed, and how that execution may put qmgr components at risk IF your app behaves in a way that does not conform to the official IBM WMQ documentation.

As one of my colleagues mentioned earlier, declaring one of your applications as trusted does NOT make it so.

Declaring one of your apps as trusted tells the qmgr that you believe that your app will not put the qmgr at risk. The qmgr will believe you, and it will, for example, run your work in the same process/thread as the qmgr's LQMA. If your app misbehaves, it may cause the LQMA to terminate.

The APR and APG discuss the risks in detail. IMHO, the benefits in contemporary processor configurations are marginal at best.

Your research on the advanced topic is incomplete, most likely due to your inexperience with the product. As a result, any conclusions you reach, any assumptions you make, will be flawed.

From your replies, I gather that you are target-locked on the mca process, and what it represents - or doesn't represent. You appear to dismiss the comments and advice of those that have chosen to reply.

bruce2359
Posted: Thu Sep 22, 2011 3:54 pm

mvic wrote:
Gideon wrote:
I am trying to ensure that the channel agents that my remote client applications are connecting to on the server are trusted.

OK. Out of interest, why do you want to do this? It is reasonable in some circumstances, but not necessarily all.

It is my belief that the OP has completely and absolutely misunderstood "trust" here.

Gideon
Posted: Thu Sep 22, 2011 4:28 pm

bruce2359 wrote:
One last post from me.

You seem to have misunderstood the fundamental (basic) concept of trust here. The issue of trust in the WMQ environment is about your applications.

IBM components behave in a trusted and trustful way - in conformance with the official IBM documentation that describes how WMQ behaves.

Trust (FASTPATH) is about how your application will be executed, and how that execution may put qmgr components at risk IF your app behaves in a way that does not conform to the official IBM WMQ documentation.

As one of my colleagues mentioned earlier, declaring one of your applications as trusted does NOT make it so.

Declaring one of your apps as trusted tells the qmgr that you believe that your app will not put the qmgr at risk. The qmgr will believe you, and it will, for example, run your work in the same process/thread as the qmgr's LQMA. If your app misbehaves, it may cause the LQMA to terminate.

The APR and APG discuss the risks in detail. IMHO, the benefits in contemporary processor configurations are marginal at best.

Your research on the advanced topic is incomplete, most likely due to your inexperience with the product. As a result, any conclusions you reach, any assumptions you make, will be flawed.

From your replies, I gather that you are target-locked on the mca process, and what it represents - or doesn't represent. You appear to dismiss the comments and advice of those that have chosen to reply.


I understand that trusted means that the app will run in the same process as the Qmgr, as such it may be slightly faster, but can result in harming the Qmgr, therefore it is not worth the trouble.

Apps may be badly written and not be 'trustful', but they can be set as 'trusted'. I get this. I got this when I started the thread.

Actually I am trying to take the advice of those giving advice. Everyone strongly says don't use trusted applications. I have given up on that concept, but want to understand trusted MCAs. This is not my choice, but I was asked to look into this.

mvic
Posted: Thu Sep 22, 2011 5:53 pm

Gideon wrote:
Actually I am trying to take the advice of those giving advice. Everyone strongly says don't use trusted applications.

Quote:
want to understand trusted MCA's

This is quite reasonable. FASTPATH/"trusted" can be useful, in a stable environment. You must make sure you are running no badly coded exits, or no exits at all.

Search through this IBM document for "FASTPATH". It is an MQ performance report, specific to Solaris - there are others specific to other OSs.

http://www.ibm.com/support/docview.wss?uid=swg24020286

mvic
Posted: Thu Sep 22, 2011 5:54 pm

mvic wrote:
Gideon wrote:
Actually I am trying to take the advice of those giving advice. Everyone strongly says don't use trusted applications.

Quote:
want to understand trusted MCA's

This is quite reasonable. FASTPATH/"trusted" can be useful, in a stable environment. You must make sure you are running no badly coded exits. This is because uncontrolled failures of FASTPATH applications or channels can leave your queue manager in an undefined state.

For positive examples, search through this IBM document for "FASTPATH". It is an MQ performance report, specific to Solaris - there are others specific to other OSs.

http://www.ibm.com/support/docview.wss?uid=swg24020286

Gideon
Posted: Thu Sep 22, 2011 6:56 pm

mvic wrote:
Gideon wrote:
Actually I am trying to take the advice of those giving advice. Everyone strongly says don't use trusted applications.

Quote:
want to understand trusted MCA's

This is quite reasonable. FASTPATH/"trusted" can be useful, in a stable environment. You must make sure you are running no badly coded exits, or no exits at all.

Search through this IBM document for "FASTPATH". It is an MQ performance report, specific to Solaris - there are others specific to other OSs.

http://www.ibm.com/support/docview.wss?uid=swg24020286


I read the report, it said:

Code:
7.3.7 MQIBINDTYPE
MQIBINDTYPE=FASTPATH will cause the channel to run ‘Trusted’ mode. Trusted applications do not use
a thread in the Agent (AMQZLLA) process. This means there is no IPC between the Channel and Agent
because the Agent does not exist in this connection. If the channel is run in STANDARD mode then any
messages passed between the channel and agent will use IPCC memory (size = BufferSize with a maximum
size of 1Mb) that is dynamically obtained and only held for the lifetime of the MQGet. Standard channels
each require an additional 80K bytes of memory. As the message rate increases, there will be more IPCC
memory used in parallel.


There is no mention in this document of MQ_CONNECT_TYPE, just the MQIBindType.

I also read this doc:

http://www.ibm.com/developerworks/websphere/library/techarticles/0712_dunn/0712_dunn.html?S_TACT=105AGY82&S_CMP=GENSITE

Which said that you can set channels to trusted either by setting the MQIBindType or the env var MQ_CONNECT_TYPE, specifically:

Code:
To make the channels run as trusted there are two options.

   1. Specify a value of MQIBindType=FASTPATH in the Channels stanza of the qm.ini or registry file. This is case sensitive. If you specify a value that is not valid it is ignored. See below for how to do this for the Windows and UNIX environments. By choosing this option all channels within the queue manager will run as trusted.
   2. Set the environment variable MQ_CONNECT_TYPE to a value of FASTPATH in the environment in which the channel is started. Ensure that the setting MQ_CONNECT_TYPE=FASTPATH is present as an environment variable. This is case sensitive. If you specify a value that is not valid it is ignored.


mvic:

Earlier you said that I was incorrect when I stated that you could trigger channel agents as trusted by specifying "export MQ_CONNECT_TYPE=FASTPATH".

Is the second document incorrect, or am I missing something ?

Thanks in advance
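
Added example, not part of any post above and not IBM's code: a shell audit of the two settings the thread debates. It reads the Channels stanza of a qm.ini and the listener environment as printed by `ps eww`, and only reports what is set. The sample qm.ini text and the shortened `ps` line are constructed, and treating anything other than the exact strings FASTPATH or STANDARD as invalid is an assumption based on the case-sensitivity note quoted above.

```shell
#!/bin/sh
# Added example: report the trusted-channel settings discussed in this thread.

# Constructed sample qm.ini fragments (not taken from a real system).
SAMPLE_OK='Log:
   LogType=CIRCULAR
Channels:
   MaxChannels=200
   MQIBindType=FASTPATH
TCP:
   KeepAlive=Yes'

SAMPLE_BAD='Channels:
   MQIBindType=fastpath'

# Constructed, shortened version of the `ps eww <pid>` line shown in the thread.
SAMPLE_PS='2359678 pts/4 A 0:00 runmqlsr -m WQM1 -t tcp -p 1414 LANG=en_US MQ_CONNECT_TYPE=FASTPATH LOGNAME=mqm'

# bind_type_from_ini: read qm.ini text on stdin and print the Channels-stanza
# binding as FASTPATH, STANDARD, INVALID:<value> or UNSET.
# Assumption: key and value must match exactly; a misspelt or wrongly cased
# key is reported as UNSET, a wrongly cased value as INVALID.
bind_type_from_ini() {
    awk '
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        /^[A-Za-z][A-Za-z0-9]*:[ \t]*$/ {        # stanza header, e.g. "Channels:"
            in_channels = ($0 ~ /^Channels:/)
            next
        }
        in_channels && /^[ \t]*MQIBindType[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)         # drop "key="
            sub(/[ \t\r]+$/, "", val)             # drop trailing blanks / CR
            found = 1
        }
        END {
            if (!found) print "UNSET"
            else if (val == "FASTPATH" || val == "STANDARD") print val
            else print "INVALID:" val
        }'
}

# connect_type_from_env: given one line of `ps eww <pid>` output, print the
# value of MQ_CONNECT_TYPE in that process environment, or UNSET.
connect_type_from_env() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -F= '
        $1 == "MQ_CONNECT_TYPE" { v = $2; found = 1 }
        END { print (found ? v : "UNSET") }'
}

# audit: $1 = qm.ini text, $2 = ps eww line for the listener process.
audit() {
    ini=$(printf '%s\n' "$1" | bind_type_from_ini)
    env=$(connect_type_from_env "$2")
    printf 'qm.ini MQIBindType=%s; listener MQ_CONNECT_TYPE=%s\n' "$ini" "$env"
}

audit "$SAMPLE_OK" "$SAMPLE_PS"
audit "$SAMPLE_BAD" "$SAMPLE_PS"
```

On a live system the inputs would be the queue manager's qm.ini and the `ps eww` line of the running listener; the script reports configuration only and does not confirm how a given channel actually bound.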