nmaddisetti (Centurion; Joined: 06 Oct 2004; Posts: 145)
Posted: Wed Dec 29, 2004 11:54 am    Post subject: how to keep Authentication to Queue
			  
Hi All,

I want to keep a username and password on a queue for authentication,
i.e. any client should access this queue using the given username and password only.

Any help in this regard will be great for me.

Regards,
Pullarao
			 
RogerLacroix (Jedi Knight; Joined: 15 May 2001; Posts: 3265; Location: London, ON Canada)
Posted: Wed Dec 29, 2004 11:58 am    Post subject:

nmaddisetti (Centurion; Joined: 06 Oct 2004; Posts: 145)
Posted: Wed Dec 29, 2004 12:17 pm    Post subject: how to keep Authentication to Queue
			  
Hi Roger,

I am planning for security exits only.

Before writing a security exit for authentication (i.e. for username and password), I tried the BlockIP2 security exit.

I am getting the exception below:

MQJE001: An MQException occurred: Completion Code 2, Reason 2063
MQJE032: Queue manager security exit rejected connection with reason code 23
MQJE001: An MQException occurred: Completion Code 2, Reason 2063
MQJE032: Queue manager security exit rejected connection with reason code 23
Exception in thread "main" com.ibm.mq.MQException: MQJE001: An MQException occurred: Completion Code 2, Reason 2063
MQJE032: Queue manager security exit rejected connection with reason code 23
        at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:239)
        at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:276)
        at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:296)
        at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:80)
        at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:171)
        at com.ibm.mq.MQQueueManager.obtainBaseMQQueueManager(MQQueueManager.java:737)
        at com.ibm.mq.MQQueueManager.construct(MQQueueManager.java:671)
        at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:400)
        at a1.main(a1.java:21)

And I came to know that reason code 23 was not defined for BlockIP2,
so any help to provide authentication will be helpful.

Regards,
pullarao
			 
RogerLacroix (Jedi Knight; Joined: 15 May 2001; Posts: 3265; Location: London, ON Canada)
Posted: Wed Dec 29, 2004 1:04 pm    Post subject:
			  
Hi,

Those error messages are exactly what is expected. BlockIP rejected the connection.

Note: It is the client application that is reporting these messages:

Quote:
    MQJE001: An MQException occurred: Completion Code 2, Reason 2063
    MQJE032: Queue manager security exit rejected connection with reason code 23

What you are searching for is the 'Holy Grail' of MQ security. This is a non-trivial task and very complicated. You will need client-side and server-side security exits, and the data will need to be encrypted (otherwise anybody can get the UserID & password - even without a sniffer).

If you are NOT a strong C programmer (Java too for client) and know MQ extremely well, I would STRONGLY suggest that you just purchase a 3rd party security exit product.

Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
			 
nmaddisetti (Centurion; Joined: 06 Oct 2004; Posts: 145)
Posted: Wed Dec 29, 2004 1:32 pm    Post subject:
			  
Hi,

The exception posted is given by the client only.

If we forget about encryption for the time being, can you guide me to solve the problem that I got using BlockIP2,
or can you provide me some sample security exit to have a better understanding of exits?

Regards,
Pullarao
			 
RogerLacroix (Jedi Knight; Joined: 15 May 2001; Posts: 3265; Location: London, ON Canada)
Posted: Wed Dec 29, 2004 1:50 pm    Post subject:
			  
Hi,

Well, the first place to start is with the BlockIP log. What are the log records? Do you see your UserID and / or IP address?

Also, what are the rules & configuration that you are using with BlockIP?

Finally, have you read the documentation that comes with BlockIP? (Please start here!!)

Regards,
Roger Lacroix
			 
nmaddisetti (Centurion; Joined: 06 Oct 2004; Posts: 145)
Posted: Wed Dec 29, 2004 3:01 pm    Post subject:
			  
Hi,

First of all, sorry for the bulk data.

I have gone through the BlockIP document.

The log record I got is as below:

2004-12-29|15:12:34|======= INIT ======
2004-12-29|15:12:34|ProcessFile() Invoked.
2004-12-29|15:12:34|======= Start SEC_MSG ======
2004-12-29|15:12:34|ver=2.15 env=non-MVS ExitId=11 ExitReason=15 ChannelType=7
2004-12-29|15:12:34|BlockExit QMgr=[WBRK_QM2] ChannelName=[ch1] ConnName=[172.17.4.232] Uid=[]
2004-12-29|15:12:34|SecurityUserData=[FN=c:\BlockIP2.txt;-d;] nDebugFlag [1] UseridUpperLowerCase [0]
2004-12-29|15:12:34|CheckConnectionPattern()
2004-12-29|15:12:34|Pattern [172.17.4.232;]  ip[172.17.4.232]
2004-12-29|15:12:34|Connection accepted for pattern [172.17.4.232], ConName [172.17.4.232]
2004-12-29|15:12:34|Users: [nmedidi] len [7]
2004-12-29|15:12:34|CheckUserId()
2004-12-29|15:12:34|Users=[nmedidi] first u=[nmedidi]
2004-12-29|15:12:34|Users=[nmedidi] extract=[nmedidi]  u=[nmedidi]
2004-12-29|15:12:34|User accepted [nmedidi]
2004-12-29|15:12:34|CheckCONList()
2004-12-29|15:12:34|CONList[i] = [*;*;MCA=nmedidi;]
2004-12-29|15:12:34|CON Pattern: [*]
2004-12-29|15:12:34|CON Pattern matched [*]
2004-12-29|15:12:34|CON Userid: [*]
2004-12-29|15:12:34|CON/RemUid Pattern matched [*]
2004-12-29|15:12:34|CON MCA specified
2004-12-29|15:12:34|CON Set MCA userid to [nmedidi] from []
2004-12-29|15:12:34|CheckCONList leave return 0 (OK)
2004-12-29|15:12:34|CheckSSLList()
2004-12-29|15:12:34|CheckInvalidUsers()
2004-12-29|15:12:34|Connection refused for blank user identifier

The configuration that I have done on the server side is:

1) I copied BlockIP2.dll into c:\program files\ibm\websphere mq\exits

2) Channel alteration:

alt chl('ch1') chltype(svrconn) scydata('FN=c:\Blockspec.txt;-d;') scyexit('BlochIP2(BlockExit)') mcauser('nmedidi')

3) I placed a text file named Blockspec.text on the C drive (c:\Blockspec.txt) which contains the data below:

Patterns=172.17.4.232;
Userids=nmedidi;
BlockMqmUsers=Y;
CON=*;*;MCA=nmedidi;

On the client side I am simply running the following MQ Java program:
 
 
 
import com.ibm.mq.*;
import java.io.*;
import java.util.*;
import javax.swing.*;
import java.awt.*;
import java.awt.event.*;

public class a1
{
    public static void main(String args[]) throws MQException, java.io.IOException
    {
        MQEnvironment.hostname = "mirdev115";
        MQEnvironment.channel  = "ch1";
        MQEnvironment.port = 9999;
        MQEnvironment.userID = "nmedidi";
        MQEnvironment.password = "miracle";
        MQEnvironment.securityExit = new MySecExit();

        MQQueueManager qMgr = new MQQueueManager("WBRK_QM2");

        MQEnvironment.properties.put(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES);
        int openOptions = MQC.MQOO_INPUT_AS_Q_DEF | MQC.MQOO_OUTPUT | MQC.MQOO_INQUIRE;
        System.out.println("hello");
        MQQueue system_default_local_queue = qMgr.accessQueue("q1", openOptions, null, null, null);

        MQMessage hello_world = new MQMessage();
        hello_world.writeUTF("Hello World!");
        MQPutMessageOptions pmo = new MQPutMessageOptions();
        system_default_local_queue.put(hello_world, pmo);

        int d = system_default_local_queue.getCurrentDepth();
        System.out.println("appQ Depth is:" + d);

        system_default_local_queue.close();
        //qMgr.disconnect();
    }
}

class MySecExit implements MQSecurityExit
{
    char[] recPassword = null;

    public byte[] securityExit(MQChannelExit channelExitParms, MQChannelDefinition channelDefinition, byte[] agentBuffer)
    {
        String userName;
        byte[] userBytes;
        String pswdPref = "nmedidi";//"pswd";
        String usidPref = "miracle";//"usid";
        String agentData = null;
        String expRecMsg = "userid received\0";
        byte[] expRecMsgBytes = null;
        String passwordToSend = null;
        boolean result = true;

        switch (channelExitParms.exitReason)
        {
            case MQChannelExit.MQXR_INIT:
                channelExitParms.exitResponse = MQChannelExit.MQXCC_OK;
                break;

            case MQChannelExit.MQXR_INIT_SEC:
                userName = System.getProperty("user.name");
                agentBuffer = null;
                agentData = usidPref + userName;
                try {
                    agentBuffer = agentData.getBytes("UTF8");
                }
                catch (UnsupportedEncodingException e)
                {
                    agentBuffer = null;
                }
                channelExitParms.exitResponse = MQChannelExit.MQXCC_SEND_AND_REQUEST_SEC_MSG;
                break;

            case MQChannelExit.MQXR_SEC_MSG:
                if (agentBuffer.length == 0)
                {
                    System.out.println("ERROR! no data in inbound agentBuffer, closing channel");
                    channelExitParms.exitResponse = MQChannelExit.MQXCC_SUPPRESS_FUNCTION;
                }
                else
                {
                    //convert expected message to bytes
                    try
                    {
                        expRecMsgBytes = expRecMsg.getBytes("UTF8");
                    }
                    catch (UnsupportedEncodingException e)
                    {
                        System.out.println("ERROR!! - Failed to convert received data\n");
                    }
                    for (int i = 0; i < agentBuffer.length; i++) {
                        if (agentBuffer[i] != expRecMsgBytes[i]) {
                            result = false;
                        }
                    }
                    if (result)
                    {
                        getPswd();
                        passwordToSend = new String(recPassword);
                        agentData = pswdPref + passwordToSend;
                        try
                        {
                            agentBuffer = agentData.getBytes("UTF8");
                        }
                        catch (UnsupportedEncodingException e)
                        {
                            agentBuffer = null;
                        }
                        channelExitParms.exitResponse = MQChannelExit.MQXCC_SEND_SEC_MSG;
                    }
                    else
                    {
                        System.out.println("ERROR! inbound agentBuffer not match expected message, closing channel");
                        channelExitParms.exitResponse = MQChannelExit.MQXCC_SUPPRESS_FUNCTION;
                    }
                    recPassword = null;
                    passwordToSend = null;
                }
                break;

            case MQChannelExit.MQXR_TERM:
                channelExitParms.exitResponse = MQChannelExit.MQXCC_OK;
                break;

            default:
                System.out.println("ERROR!! - Invoked with unexpected reason!!");
                channelExitParms.exitResponse = MQChannelExit.MQXCC_SUPPRESS_FUNCTION;
                break;
        }
        return agentBuffer;
    }

    public void getPswd()
    {
        final Frame appFrame = new Frame();
        final JDialog dialog = new JDialog(appFrame, "Password Prompt", true);
        JLabel label = new JLabel("Enter your password  ");
        JPasswordField passwordField = new JPasswordField(20);
        passwordField.setEchoChar('*');
        passwordField.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e) {
                JPasswordField input = (JPasswordField)e.getSource();
                recPassword = input.getPassword();
                input = null;
                dialog.dispose();
            }
        });  //end of addActionListener
        JPanel contentPane = new JPanel(new BorderLayout());
        contentPane.setBorder(BorderFactory.createEmptyBorder(20, 20, 20, 20));
        contentPane.add(label, BorderLayout.WEST);
        contentPane.add(passwordField, BorderLayout.CENTER);
        //set dialog size and center dialog
        dialog.setContentPane(contentPane);
        dialog.addWindowListener(new WindowAdapter() {
            public void windowClosing(WindowEvent e) {
            }
        });
        dialog.pack();
        dialog.setSize(400, 90);
        dialog.setLocationRelativeTo(appFrame);
        dialog.setVisible(true);
    }
}
 
 
 
 
Maybe the client-side program, that too MySecExit, will be wrong; please rectify my error.

Thanks in advance.

Regards,
pullarao
			 
RogerLacroix (Jedi Knight; Joined: 15 May 2001; Posts: 3265; Location: London, ON Canada)
Posted: Wed Dec 29, 2004 3:29 pm    Post subject:
			  
Hi,

First off, use the BBCodes of [ code ] ... [ /code ] (remove the blanks) so that your source code will be readable.

BlockIP is NOT designed to work with a client-side security exit. So stuffing the agent buffer full of data will not get you anywhere!!!!!!!

Now to the problem that is giving you 2063: Please re-read the BlockIP manual for the section of BlockMqmUsers. You missed a piece.

This error message tells it all:

Quote:
    2004-12-29|15:12:34|Connection refused for blank user identifier

Blank user identifier is checked for if BlockMqmUsers is set to Y. Read the section on the MQEnvironment class of the WMQ Using Java manual.

PLEASE reread the BlockIP manual too.

Regards,
Roger Lacroix
			 
nmaddisetti (Centurion; Joined: 06 Oct 2004; Posts: 145)
Posted: Thu Dec 30, 2004 1:46 am    Post subject:
			  
Hi,

Thanks for the quick reply.

This time I removed

MQEnvironment.securityExit=new MySecExit();

from my client Java program (i.e. I am not running any security exit on the client side).
Then I am getting the exception and log as follows,
and I didn't get anything to replace Y for BlockMqmUsers= from the BlockIP2 manual.

The exception I got is:

C:\code>java a1
MQJE001: Completion Code 2, Reason 2035
Exception in thread "main" com.ibm.mq.MQException: MQJE001: Completion Code 2, Reason 2035
        at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:888)
        at com.ibm.mq.MQManagedConnectionJ11.getConnection(MQManagedConnectionJ11.java:364)
        at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:180)
        at com.ibm.mq.MQQueueManager.obtainBaseMQQueueManager(MQQueueManager.java:737)
        at com.ibm.mq.MQQueueManager.construct(MQQueueManager.java:671)
        at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:400)
        at a1.main(a1.java:21)

The log is:

2004-12-30|04:12:39|ProcessFile() Invoked.
2004-12-30|04:12:39|======= INIT ======
2004-12-30|04:12:39|ProcessFile() Invoked.
2004-12-30|04:12:39|======= Start INIT_SEC ======
2004-12-30|04:12:39|ver=2.15 env=non-MVS ExitId=11 ExitReason=16 ChannelType=7
2004-12-30|04:12:39|BlockExit QMgr=[WBRK_QM2] ChannelName=[ch1] ConnName=[172.17.4.232] Uid=[nmedidi]
2004-12-30|04:12:39|SecurityUserData=[FN=c:\BlockSpec.txt;-d;] nDebugFlag [1] UseridUpperLowerCase [0]
2004-12-30|04:12:39|CheckConnectionPattern()
2004-12-30|04:12:39|Pattern [172.17.4.232;]  ip[172.17.4.232]
2004-12-30|04:12:39|Connection accepted for pattern [172.17.4.232], ConName [172.17.4.232]
2004-12-30|04:12:39|Users: [nmedidi] len [7]
2004-12-30|04:12:39|CheckUserId()
2004-12-30|04:12:39|Users=[nmedidi] first u=[nmedidi]
2004-12-30|04:12:39|Users=[nmedidi] extract=[nmedidi]  u=[nmedidi]
2004-12-30|04:12:39|User accepted [nmedidi]
2004-12-30|04:12:39|CheckCONList()
2004-12-30|04:12:39|CheckSSLList()
2004-12-30|04:12:39|CheckInvalidUsers()
2004-12-30|04:12:39|Connection accepted, Channel [ch1] ConName [172.17.4.232] Pattern [172.17.4.232;] Flags [BlockMqmUsers=Y ] User [nmedidi]

Please tell me what value I should keep for BlockMqmUsers.

Regards,
pullarao
			 
RogerLacroix (Jedi Knight; Joined: 15 May 2001; Posts: 3265; Location: London, ON Canada)
Posted: Thu Dec 30, 2004 6:04 am    Post subject:
			  
Hi,

www.mqseries.net is a site that contains forums related to MQ for people to ask questions when they are stuck or encounter a difficult problem. It is NOT a place where people will spoon feed you the information (unless you are willing to pay for a tutor). People here EXPECT you to do your OWN research BEFORE posting questions. And if you do need spoon feeding then you should take an MQ course.

What does this say to you?????????

Quote:
    2004-12-30|04:12:39|Connection accepted, Channel [ch1] ConName [172.17.4.232] Pattern [172.17.4.232;] Flags [BlockMqmUsers=Y ] User [nmedidi]

Quote:
    MQJE001: Completion Code 2, Reason 2035

Did you look up this reason code, if so, what does it mean????

Bottom line: BlockIP was happy with the connecting UserID but MQ is not. You will need to add the appropriate MQ privileges to the UserID via the setmqaut command. Please do NOT ask for samples because there are plenty of examples here at mqseries.net, just use the search button.

Regards,
Roger Lacroix
			 
nmaddisetti (Centurion; Joined: 06 Oct 2004; Posts: 145)
Posted: Thu Dec 30, 2004 6:41 am    Post subject: BlockIP2 working fine
			  
Hi,

Thanks a lot, it is working fine.

I have given authority to the Queue object,
but I forgot to give authority to the QueueManager object, i.e. +connect.

Regards,
pullarao
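
The two BlockIP2 debug logs in this thread end in different verdicts, and the client reported reason 2063 for the first run and 2035 for the second. The Python below is an added example, not part of the original thread and not BlockIP2 code: it parses log lines copied from the posts above and names the layer that produced the client's error. The function names and the verdict prefixes it matches are assumptions drawn only from the lines shown on this page.

```python
import re

# Lines copied (abridged) from the two BlockIP2 debug logs posted in this thread.
SAMPLE_LOG = """
2004-12-29|15:12:34|======= INIT ======
2004-12-29|15:12:34|======= Start SEC_MSG ======
2004-12-29|15:12:34|BlockExit QMgr=[WBRK_QM2] ChannelName=[ch1] ConnName=[172.17.4.232] Uid=[]
2004-12-29|15:12:34|Connection accepted for pattern [172.17.4.232], ConName [172.17.4.232]
2004-12-29|15:12:34|User accepted [nmedidi]
2004-12-29|15:12:34|Connection refused for blank user identifier
2004-12-30|04:12:39|======= INIT ======
2004-12-30|04:12:39|======= Start INIT_SEC ======
2004-12-30|04:12:39|BlockExit QMgr=[WBRK_QM2] ChannelName=[ch1] ConnName=[172.17.4.232] Uid=[nmedidi]
2004-12-30|04:12:39|Connection accepted for pattern [172.17.4.232], ConName [172.17.4.232]
2004-12-30|04:12:39|Connection accepted, Channel [ch1] ConName [172.17.4.232] Pattern [172.17.4.232;] Flags [BlockMqmUsers=Y ] User [nmedidi]
"""

START = re.compile(r"=+ Start (\w+) =+")
FIELD = re.compile(r"(QMgr|ChannelName|ConnName|Uid)=\[([^\]]*)\]")
# Assumption: only the two final-verdict messages seen in these logs are handled.
REFUSED, ACCEPTED = "Connection refused", "Connection accepted, Channel"


def parse_invocations(text):
    """Return one dict per exit invocation (each '=== Start <reason> ===' block)."""
    records, cur = [], None
    for raw in text.splitlines():
        parts = raw.strip().split("|", 2)
        if len(parts) != 3:
            continue  # blank or wrapped line
        date, time, msg = parts
        started = START.search(msg)
        if started:
            cur = {"when": date + " " + time, "reason": started.group(1),
                   "verdict": "unknown", "detail": ""}
            records.append(cur)
        elif cur is None:
            continue  # lines before the first invocation (INIT, ProcessFile)
        elif msg.startswith("BlockExit "):
            cur.update(FIELD.findall(msg))  # QMgr, ChannelName, ConnName, Uid
        elif msg.startswith(REFUSED):
            cur["verdict"], cur["detail"] = "refused", msg
        elif msg.startswith(ACCEPTED):
            cur["verdict"], cur["detail"] = "accepted", msg
    return records


def triage(rec, client_reason):
    """Name the layer behind the reason code the client reported."""
    if rec["verdict"] == "refused":
        note = "blank Uid reached the exit" if rec.get("Uid") == "" else rec["detail"]
        return "security exit", note
    if rec["verdict"] == "accepted" and client_reason == 2035:
        return "MQ authorization", ("exit accepted user " + rec.get("Uid", "?")
                                    + "; check its setmqaut authorities")
    return "undetermined", "log and reason code do not match a case in the thread"


if __name__ == "__main__":
    # 2063 and 2035 are the reason codes the client reported for these two runs.
    for rec, rc in zip(parse_invocations(SAMPLE_LOG), (2063, 2035)):
        print(rec["when"], rec["reason"], rc, *triage(rec, rc), sep=" | ")
```

The intermediate "Connection accepted for pattern" line is deliberately not treated as a verdict: in the first log it is followed by a refusal.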
			   
			 