For newbie MQ Exit developers
RogerLacroix
Posted: Tue Feb 15, 2005 10:08 pm    Post subject: For newbie MQ Exit developers

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

To all newbie MQ Exit developers,

Here are some things that you need to be aware of:

(1) Developing a MQ Exit is an 'advanced topic' - hence, you SHOULD have experience developing Windows DLLs or Unix shared Libraries.

(2) Most people at mqseries.net have never developed and will never develop a MQ Exit. But there are a few of us around who have done it and who MAY help but do NOT post basic questions like 'my exit won't load'!!!! This is an advanced topic. Test, search, test again, search again. Google is now man's best friend. USE IT.

(3) Windows XP & Windows 2003 have restrictions on system accounts (MUSR_MQADMIN is a system account!!!) and what files or directories that account can access. i.e. On WinXP, the Exit cannot write to C:\ So, if in your exit you are writing to C:\myexit.log and you have a problem then HEY TRY ANOTHER DIRECTORY (even try another file name).

(4) MQ Exit Library names are CASE SENSITIVE.
i.e.
C:\Program Files\IBM\Websphere MQ\Exits\testexit(SECEXIT)
is NOT the same as
C:\Program Files\IBM\Websphere MQ\Exits\testexit(SecExit)

(5) Do NOT write a large convolved exit before testing it. (and then complain here). Start with a VERY SIMPLE EXIT and then move to a more complex exit.

(6) Before you post a question about your MQ security exit, make sure you have tested the following VERY, VERY BASIC MQ security exit. Note: If you cannot get this to work, you should give your MQ exit development project to someone else (Do not post why or complain!!).
Code:
#include <stdlib.h>
#include <stdio.h>
#include <malloc.h>
#include <string.h>
#include <windows.h>
#include <lm.h>
#include <cmqc.h>
#include <cmqxc.h>
#include <time.h>

extern void MQENTRY MQStart(void) {;}

#if defined (WIN32)
__declspec (dllexport) void MQENTRY SECEXIT (PMQCXP     pChannelExitParms,
                                             PMQCD      pChannelDefinition,
                                             PMQLONG    pDataLength,
                                             PMQLONG    pAgentBufferLength,
                                             PMQVOID    pAgentBuffer,
                                             PMQLONG    pExitBufferLength,
                                             PMQPTR     pExitBufferAddr);
#endif

// Write one line to the log. The text is passed as data, never as the
// format string (channel names may contain '%'), and a failed fopen()
// (fh == NULL) only disables logging instead of crashing the channel.
static void writeLog(FILE *fh, const char *text)
{
   if (fh != NULL)
      fputs(text, fh);
}

void MQENTRY SECEXIT ( PMQCXP  pChannelExitParms,
                       PMQCD   pChannelDefinition,
                       PMQLONG pDataLength,
                       PMQLONG pAgentBufferLength,
                       PMQVOID pAgentBuffer,
                       PMQLONG pExitBufferLength,
                       PMQPTR  pExitBufferAddr)
{
   char       outBuff[512];
   char       tempChl[MQ_CHANNEL_NAME_LENGTH + 1];
   FILE*      fh;
   struct tm  *newtime;
   time_t     tclock;
   char       *timeBuff;

   PMQCXP  pParms = pChannelExitParms;
   PMQCD   pChDef = pChannelDefinition;

   // Attention newbie user: Make sure you select a valid directory and filename!!!

//   fh = fopen("C:\\Program Files\\IBM\\Websphere MQ\\Exits\\SecExit.log", "a+");
   fh = fopen("C:\\Temp\\SecExit.log", "a+");

   // Build a timestamp and strip the newline that asctime() appends.
   time( &tclock );
   newtime = localtime( &tclock );
   timeBuff = asctime(newtime);
   timeBuff[strlen(timeBuff) - 1] = '\0';

   sprintf(outBuff, "%s : Now entering the security exit.\n", timeBuff);
   writeLog(fh, outBuff);

   // ChannelName is blank padded and not null terminated, so copy and terminate it.
   memcpy(tempChl, pChannelDefinition->ChannelName, MQ_CHANNEL_NAME_LENGTH);
   tempChl[MQ_CHANNEL_NAME_LENGTH] = '\0';
   sprintf(outBuff, "%s : Channel name is %s\n", timeBuff, tempChl);
   writeLog(fh, outBuff);

   if (pParms->ExitId == MQXT_CHANNEL_SEC_EXIT)
   {
      switch (pParms->ExitReason)
      {
         case MQXR_INIT:
              pParms->ExitResponse = MQXCC_OK;
              sprintf(outBuff, "%s : MQXR_INIT - Channel Initialization\n", timeBuff);
              writeLog(fh, outBuff);
              break;
         case MQXR_INIT_SEC:
              pParms->ExitResponse = MQXCC_OK;
              sprintf(outBuff, "%s : MQXR_INIT_SEC  - Initialize Security\n", timeBuff);
              writeLog(fh, outBuff);
              break;
         case MQXR_SEC_MSG:
              pParms->ExitResponse = MQXCC_OK;
              sprintf(outBuff, "%s : MQXR_SEC_MSG - Security Message\n", timeBuff);
              writeLog(fh, outBuff);
              break;
         case MQXR_TERM:
              pParms->ExitResponse = MQXCC_OK;
              sprintf(outBuff, "%s : MQXR_TERM - Channel Terminating\n", timeBuff);
              writeLog(fh, outBuff);
              break;
         default:
              pParms->ExitResponse = MQXCC_SUPPRESS_FUNCTION;
              sprintf(outBuff, "%s : ERROR - Unknown Exit Reason\n", timeBuff);
              writeLog(fh, outBuff);
              break;
      }
   }
   else
   {
      pParms->ExitResponse = MQXCC_SUPPRESS_FUNCTION;
      sprintf(outBuff, "%s : ERROR - Not invoked by a security exit.\n", timeBuff);
      writeLog(fh, outBuff);
      if (fh != NULL)
         fclose(fh);   // close the log on this path too
      return;
   }

   sprintf(outBuff, "%s : Now exiting the security exit.\n\n", timeBuff);
   writeLog(fh, outBuff);
   if (fh != NULL)
      fclose(fh);

   return;
}


Here is the channel definition for this MQ security exit:
Code:
DEFINE CHANNEL ('MY.TEST.EXIT') CHLTYPE(SVRCONN) +
       TRPTYPE(TCP) +
       SCYEXIT('c:\Program Files\IBM\WebSphere MQ\Exits\testexit(SECEXIT)') +
       SCYDATA(' ') +
       REPLACE


(7) Before posting questions about this exit or your exit, please make a reasonable attempt at testing this sample exit.

Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
jefflowrey
Posted: Wed Feb 16, 2005 5:07 am    Post subject:

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

In the short form:
If you're going to write code, please learn how to be a programmer first.


_________________
I am *not* the model of the modern major general.
n0ahz0rk
Posted: Thu Jul 14, 2005 4:10 pm    Post subject:

Novice

Joined: 08 Sep 2004
Posts: 12

Has anyone developed MQ exits in dotnet (C#) ?

Does anyone know if a dotnet MQ Client program can use an exit compiled for a native win32 environment such as the one from the code posted above ?
RogerLacroix
Posted: Thu Jul 14, 2005 9:28 pm    Post subject:

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

Hi,

I guess I forgot one item:

(8) RTM: Read The Manual

Quote:
Has anyone developed MQ exits in dotnet (C#) ?

Yes, but client-side only.

Quote:
Does anyone know if a dotnet MQ Client program can use an exit compiled for a native win32 environment such as the one from the code posted above ?

Sure, it would work. Did you follow the instructions from point # 6 above? It is time for you to get your hands dirty.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
cicsprog
Posted: Wed Jun 28, 2006 8:04 am    Post subject:

Partisan

Joined: 27 Jan 2002
Posts: 314

Roger

Thanks for the sample code! It was very helpful to get my feet wet on a Security exit and how it works. We (2 of us) are in need of a Security exit before install v6 so we can use the Eclipse GUI to Admin 100 z/OS MQMs. No SSL Channels on the mainframe are allowed and no money for vendor security software. We will have to scramble USERID/PASSWORD as best we can.

Anyway, this exit will eventually be Windows MQ Client to z/OS. At the moment we are using MO71 to a Windows MQM to develop the exit via a SVRCONN (port later to z/OS). Client side is RECEIVER and Windows MQM is SENDER. From SENDER I set:

pParms->ExitResponse = MQXCC_SEND_SEC_MSG;

RECEIVER side raises case:

case MQXR_SEC_PARMS:

Just when exactly do you populate a USERID/PASSWORD in the exit buffer so you can validate and when? Do you set those values in the buffer when you set MQXCC_SEND_SEC_MSG from the SENDER so the other side gets them when case MQXR_SEC_PARMS is raised? Seems like it wouldn’t matter when you set USERID/PASSWORD in the buffer since that buffer is always available from what I can tell. Is it me or is this poorly documented in Intercommunication?
oz1ccg
Posted: Wed Jun 28, 2006 1:06 pm    Post subject:

Yatiri

Joined: 10 Feb 2002
Posts: 628
Location: Denmark

If you have a look on the included samples (with mq 5.3.1 and 6.0 on z/os) CSQ4BCX3/CSQ4BAX3 you should get a good idea on how to do the tricks. I know it needs some changes to fulfill your needs, but it's quite easy to make it work.

And if you upgrade to WMQ version 6.0 you can use the MQXR_SEC_PARMS to validate the userid and password in the supplied areas. MO71 supports this if you select the userid option.

And yes this works only for z/os, but can give some inspiration for other platforms....

When playing with the MQExplorer you will need a client exit (either java or c-program) to send the userid and password over... Currently no way around it. On how to create that... Have a look on supportpac IC72... and glued together with CSQ4BCX3 you have something .....

Sorry Roger..

-- Lock it or Lose it --
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
RogerLacroix
Posted: Wed Jun 28, 2006 9:07 pm    Post subject:

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

cicsprog wrote:
We will have to scramble USERID/PASSWORD as best we can.

Bad idea - very bad idea. Either properly encrypt the password or don't bother. You will give false impressions to management and end-users that passwords are safe.

cicsprog wrote:
Client side is RECEIVER and Windows MQM is SENDER. From SENDER I set:

pParms->ExitResponse = MQXCC_SEND_SEC_MSG;

RECEIVER side raises case:

case MQXR_SEC_PARMS:
Just when exactly do you populate a USERID/PASSWORD in the exit buffer so you can validate and when?

Yes, this would be a good point to send your data.

cicsprog wrote:
Do you set those values in the buffer when you set MQXCC_SEND_SEC_MSG from the SENDER so the other side gets them when case MQXR_SEC_PARMS is raised?

Well, it is the "client" that has the data, so you need to decide at what point the client will send it. Because the server-side will need to match the conversation.

cicsprog wrote:
Seems like it wouldn’t matter when you set USERID/PASSWORD in the buffer since that buffer is always available from what I can tell. Is it me or is this poorly documented in Intercommunication?

IBM leaves the exchange of "security data" up to the designer of the security solution. Hence, there are no hard and fast rules.


Hope that helps.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
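One way to frame the userid and password exchange discussed in the posts above, added here as an illustration and not code from any poster or from IBM: the client builds a length-prefixed message, and the server-side parse checks every peer-supplied length against the received data length before copying. The layout and all `sec_*` names are assumptions, `buf` and `dataLen` stand in for `pAgentBuffer` and `*pDataLength`, and the fields are carried as-is, so the encryption the thread calls for would wrap this payload.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical layout of one security message (an assumption, not an IBM format):
 *   byte 0 version | byte 1 userid length | byte 2 password length
 *   byte 3+ userid bytes, then password bytes, no terminators */
#define SEC_VERSION    1
#define SEC_HEADER_LEN 3
#define SEC_MAX_FIELD  12

typedef struct {
    char userid[SEC_MAX_FIELD + 1];
    char password[SEC_MAX_FIELD + 1];
} SecCreds;

static int field_ok(size_t n) { return n >= 1 && n <= SEC_MAX_FIELD; }

/* Client side: fill the buffer to send. Returns the message length, or -1. */
long sec_build(unsigned char *buf, size_t bufLen,
               const char *userid, const char *password)
{
    size_t ul = strlen(userid), pl = strlen(password);
    if (!field_ok(ul) || !field_ok(pl) || bufLen < SEC_HEADER_LEN + ul + pl)
        return -1;
    buf[0] = SEC_VERSION;
    buf[1] = (unsigned char)ul;
    buf[2] = (unsigned char)pl;
    memcpy(buf + SEC_HEADER_LEN, userid, ul);
    memcpy(buf + SEC_HEADER_LEN + ul, password, pl);
    return (long)(SEC_HEADER_LEN + ul + pl);
}

/* Server side: both length bytes come from the peer, so they are checked
 * against the received length before any copy. Returns 0, or -1 if malformed. */
int sec_parse(const unsigned char *buf, long dataLen, SecCreds *out)
{
    size_t ul, pl;
    memset(out, 0, sizeof *out);
    if (buf == NULL || dataLen < SEC_HEADER_LEN || buf[0] != SEC_VERSION)
        return -1;
    ul = buf[1];
    pl = buf[2];
    if (!field_ok(ul) || !field_ok(pl) ||
        (size_t)dataLen != SEC_HEADER_LEN + ul + pl)
        return -1;                        /* truncated or trailing bytes */
    memcpy(out->userid, buf + SEC_HEADER_LEN, ul);
    memcpy(out->password, buf + SEC_HEADER_LEN + ul, pl);
    return 0;
}

/* Round trip over constructed sample values; returns 1 when they survive. */
int sec_demo_roundtrip(void)
{
    unsigned char wire[64];
    SecCreds got;
    long n = sec_build(wire, sizeof wire, "MQADM1", "s3cretPW");
    return n == 17 && sec_parse(wire, n, &got) == 0 &&
           !strcmp(got.userid, "MQADM1") && !strcmp(got.password, "s3cretPW");
}
```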
cicsprog
Posted: Thu Jul 06, 2006 4:51 pm    Post subject:

Partisan

Joined: 27 Jan 2002
Posts: 314

Hum…haven’t been getting emails that this thread was being updated. I have been too busy helping my compatriot coding this exit anyway.

We did get the C++ exit working from my XP desktop with v6 MQExplorer to a v6 MQM on my compatriot's XP desktop via a client table (not Roger’s skeleton version but another, but yours was helpful Roger).

We are taking baby steps as we add our requirements to the exit. We did get the hardcoded userid/password encrypted as it traverses the network connection. Found bugs on MQ side which the latest Windows maint pack 6.0.1.1 seemed to resolve. My client table somehow got corrupted and rebuilding that fixed a connection problem. What a chore this is!

We will port the server side exit to z/OS now and get that working (trying to keep code in for other platforms in place in case the other MQ Admins want to steal our exit). We have plans to add a call to BPX1PWD via the CSQ4BAX3 stub to validate RACF userid/password and set MCAUserid to the validated userid. Add a prompt window on Windows side for RACF userid/password (not sure if MQExplorer will allow that or not).

This has been a challenge for two individuals that have no C++ or MSVisual C++ v6 training. Just goes to show what a little GOOGLing can do for you.

I’m curious if this message exit data gets translated from XP to z/OS or not when we go from ASCII to EBCDIC? Does it?
cicsprog
Posted: Fri Jul 14, 2006 12:42 pm    Post subject:

Partisan

Joined: 27 Jan 2002
Posts: 314

We got the Security Exit working (via client table) for v6 MQExplorer for a Windows Client to a Windows v6 MQM. YA!

We ported the server end of the exit to z/OS. When we display the userid and password from pAgentBuffer it is in ASCII on z/OS. Does data conversion not take place on this buffer data exchanges cross platform? I don't see anything in the manuals that says either way. Only thing I see in the manuals that leads me to believe conversion is not taking place is:

http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.csqzae.doc/csqzae10301.htm

"MQMVX.LIB is used for data conversion and is not available on client products."

RogerLacroix
Posted: Fri Jul 14, 2006 7:21 pm    Post subject:

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

cicsprog wrote:
We ported the server end of the exit to z/OS. When we display the userid and password from pAgentBuffer it is in ASCII on z/OS. Does data conversion not take place on this buffer data exchanges cross platform?

As per the manual, the channel security exit is defined as:
Code:
void MQENTRY ChannelExit ( PMQCXP  pChannelExitParms,
                           PMQCD   pChannelDefinition,
                           PMQLONG pDataLength,
                           PMQLONG pAgentBufferLength,
                           PMQVOID pAgentBuffer,
                           PMQLONG pExitBufferLength,
                           PMQPTR  pExitBufferAddr)

pAgentBuffer is defined as PMQVOID. Therefore, it is not converted. You have to handle it yourself or find a routine to do it for you.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
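A sketch of handling the conversion yourself, as the reply above says the exit must; this is an added example, not code from the thread or from IBM. It assumes the z/OS side wants EBCDIC code page 037 and handles only the listed character subset, rejecting anything else; the function names and the sample userid are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Map one ASCII byte to EBCDIC code page 037 (assumed target code page).
 * ASCII values are written as hex because a character literal such as 'A'
 * is already EBCDIC when this source is compiled on z/OS. Returns -1 for
 * bytes outside the handled subset (A-Z, a-z, 0-9, space, '#', '$', '@'). */
int ascii_to_ebcdic037(unsigned char c)
{
    if (c >= 0x41 && c <= 0x49) return 0xC1 + (c - 0x41);   /* A-I */
    if (c >= 0x4A && c <= 0x52) return 0xD1 + (c - 0x4A);   /* J-R */
    if (c >= 0x53 && c <= 0x5A) return 0xE2 + (c - 0x53);   /* S-Z */
    if (c >= 0x61 && c <= 0x69) return 0x81 + (c - 0x61);   /* a-i */
    if (c >= 0x6A && c <= 0x72) return 0x91 + (c - 0x6A);   /* j-r */
    if (c >= 0x73 && c <= 0x7A) return 0xA2 + (c - 0x73);   /* s-z */
    if (c >= 0x30 && c <= 0x39) return 0xF0 + (c - 0x30);   /* 0-9 */
    switch (c) {
    case 0x20: return 0x40;   /* space */
    case 0x23: return 0x7B;   /* #     */
    case 0x24: return 0x5B;   /* $     */
    case 0x40: return 0x7C;   /* @     */
    default:   return -1;
    }
}

/* Convert len bytes of a received field in place. The whole field is
 * validated first, so a rejected field is left untouched. Returns 0 or -1. */
int field_to_ebcdic037(unsigned char *field, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (ascii_to_ebcdic037(field[i]) < 0)
            return -1;
    for (i = 0; i < len; i++)
        field[i] = (unsigned char)ascii_to_ebcdic037(field[i]);
    return 0;
}

/* Constructed sample: "MQADM1" in ASCII, and the same name in EBCDIC 037. */
static const unsigned char SAMPLE_ASCII[6]  = {0x4D, 0x51, 0x41, 0x44, 0x4D, 0x31};
static const unsigned char SAMPLE_EBCDIC[6] = {0xD4, 0xD8, 0xC1, 0xC4, 0xD4, 0xF1};

/* Returns 1 if the sample converts to the expected EBCDIC bytes. */
int demo_convert_sample(void)
{
    unsigned char buf[sizeof SAMPLE_ASCII];
    memcpy(buf, SAMPLE_ASCII, sizeof buf);
    return field_to_ebcdic037(buf, sizeof buf) == 0 &&
           memcmp(buf, SAMPLE_EBCDIC, sizeof buf) == 0;
}

/* Returns 1 if a field holding an unmapped byte (0x7E) is rejected unchanged. */
int demo_reject_unmapped(void)
{
    unsigned char bad[3] = {0x41, 0x7E, 0x42};
    return field_to_ebcdic037(bad, sizeof bad) == -1 &&
           bad[0] == 0x41 && bad[1] == 0x7E && bad[2] == 0x42;
}
```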
cicsprog
Posted: Sat Jul 15, 2006 7:36 am    Post subject:

Partisan

Joined: 27 Jan 2002
Posts: 314

Cool Roger...Thanks! I take it PMQVOID means that it's not touched (converted). Just when you think you know it all....you learn something new. I'll do some manual searches to read up.

Now back to the coding pads.
RogerLacroix
Posted: Tue Apr 17, 2007 10:06 am    Post subject:

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

cicsprog wrote:
We have plans to add a call to BPX1PWD via the CSQ4BAX3 stub to validate RACF userid/password and set MCAUserid to the validated userid.

Help!

I'm getting a strange reason code 143 (x'008f') from BPX1PWD. Does anyone know what this means?

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
David.Partridge
Posted: Wed Apr 18, 2007 2:08 am    Post subject:

Master

Joined: 28 Jun 2001
Posts: 249

First off I'd re-iterate all comments about home brew "encryption" schemes for masking userid/password flowing over MQ channels during the security exit exchange. You can be pretty sure that any half competent hacker will blow that open in no time.

The same comments about exits that Roger made in regard to channel exits apply in spades to using the API exit. If you mess up a security exit, your channels may not start, but if you mess up the API exit your QM may end up royally messed up - I can tell you this as I've been there and have sold the T-shirt (and the movie rights).

The other issue with the API exit is that there have been quite a number of errors in how MQ uses it introduced in the service stream. I haven't got records any more, but there were retrogressions fixed as late as MQ5.3 CSD9 and I think there were some related bugs in MQ6.

So make sure that you a) use a disposable QM for testing API exits and b) to save yourself mega hours of head scratching make sure you use liberal tracing.

Dave
oz1ccg
Posted: Thu Apr 19, 2007 10:52 am    Post subject:

Yatiri

Joined: 10 Feb 2002
Posts: 628
Location: Denmark

Quote:
Help!

I'm getting a strange reason code 143 (x'008f') from BPX1PWD. Does anyone know what this means?


Sure:

Manual (UNIX System Services Messages and Codes) states:
Quote:
143 ESRCH No such process or thread exists; the UID or userid is not defined or the OMVS segment is not setup correctly.


Meaning user is not found in the security server (RACF) or problems with your OMVS settings.

-- Lock it or Lose it --
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
David.Partridge
Posted: Mon Apr 23, 2007 4:07 am    Post subject:

Master

Joined: 28 Jun 2001
Posts: 249

In an earlier post to this topic I said:

Quote:
The other issue with the API exit is that there have been quite a number of errors in how MQ uses it introduced in the service stream. I haven't got records any more, but there were retrogressions fixed as late as MQ5.3 CSD9 and I think there were some related bugs in MQ6.


The MQ 6 problem I was referring to is covered by APAR IY82071.

Cheers
Dave