ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » User Exits » MQ Security Exit for Svrconn Channels

Post new topic  Reply to topic
 MQ Security Exit for Svrconn Channels « View previous topic :: View next topic » 
Author Message
vignesh1988
PostPosted: Sun Jan 11, 2015 10:27 pm    Post subject: MQ Security Exit for Svrconn Channels Reply with quote

Acolyte

Joined: 13 Apr 2013
Posts: 62
Location: Chennai

Hello ,
I am developing MQ Security Exit for Svrconn channel. 90% of the servers are in Version 7.0.1
So i need advise on how does the svrconn channel security exit work? Since i am planning to set it up across the platforms

I am planning to have a external file which will contains ID's that are permitted to use this svrconn channel and revoke others using suitable error message.

I have only 1 server connection (Svrconn) channel and i have altered with a SCYEXIT name

My exit is working without any syntax error. But i heard that we also need CLNTCONN channel as well since CLNTCONN and SVRCONN imitates Sender and Receiver channel pairs.

So if anyone can guide me through how to set it up , that would be grateful.

I appreciate your help on this.

Thanks
Vignesh
Back to top
View user's profile Send private message Send e-mail
PaulClarke
PostPosted: Mon Jan 12, 2015 1:03 am    Post subject: Reply with quote

Grand Master

Joined: 17 Nov 2005
Posts: 1002
Location: New Zealand

This may be just a language thing but your description is slightly misleading.

Every client connection in to a Queue Manager needs two channel definitions - a SVRCONN channel at the Queue Manager and a CLNTCONN channel at the client end. The CLNTCONN channel can come from a variety of sources such as MQSERVER, CCDT, application code etc.

This is similar to a Sender/Receiver channel, as in you need a channel at either end, but there is no imitating going on. The way a CLNTCONN/SVRCONN channel operates is very different from the way a SENDER/RECEIVER channel operates.

As for Security exits you can choose where you want to run them. It is not necessary to run a Security exit at both ends so, if you want to run one just at the Queue Manager end that is fair enough. Clearly if you only run a security exit at one end then the exits can not 'chat' with each other to exchange secrets tokens etc. So, in general with exits at both ends you can make the channel more secure but it is not required by MQ.

Cheers,
Paul.
_________________
Paul Clarke
MQGem Software
www.mqgem.com
Back to top
View user's profile Send private message Visit poster's website
RogerLacroix
PostPosted: Mon Jan 12, 2015 3:57 pm    Post subject: Re: MQ Security Exit for Svrconn Channels Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3252
Location: London, ON Canada

Hello Vignesh,

You have embarked on a path that requires in-depth security knowledge and strong MQ knowledge.

Why would you want to re-invent the wheel when there is both free (unsupported) and commercial solutions available??

Free:
- BlockIP2 is a server-side only MQ security solution

Commercial:
- Capitalware's MQ Standard Security Exit is a server-side only MQ security solution
- Capitalware's MQ Authenticate User Security Exit implements full client & server MQ security solution

vignesh1988 wrote:
I am planning to have a external file which will contains ID's that are permitted to use this svrconn channel and revoke others using suitable error message.

And how would this be any different than using BlockIP2 or MQSSX?? Also, the problem with this solution, is that if a user knows that UserID "XYZ" is in your "good UserID" list then a bad user (hacker) can simply set that UserID in their MQ application and you would never know any difference.

Yes, you can add a second level of checking by checking the incoming IP address along with the UserID and of course, some will even suggest using SSL, so as you can see the complexity will get difficult for server-side only solution.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
mqjeff
PostPosted: Tue Jan 13, 2015 6:12 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

You might also review the functions available with CHLAUTH rules in MQ v7.1 and later to see if they meet your requirements.

And, of course, MQ v8 has username/password authentication as well.

Neither will let you stick a list of usernames into a text file. But the local OS registry of the server hosting the queue manager should reasonably be sufficient instead...
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » User Exits » MQ Security Exit for Svrconn Channels
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.