SOLVED: Security exit behavior change
bbburson
Posted: Mon Jul 31, 2006 11:06 am    Post subject: SOLVED: Security exit behavior change

Partisan

Joined: 06 Jan 2004
Posts: 378
Location: Nowhere near a queue manager

We have a locally-developed security exit that runs on SVRCONN channels to validate the source IP address of a client connection. In migrating it to 64-bit code for WMQ v6 the developer reports that the CONNAME that included the client's IP address in v5.3 now shows 0.0.0.0 instead.

Any ideas why this changed and where he can find the correct IP address in the connection info?


Last edited by bbburson on Tue Aug 08, 2006 12:43 pm; edited 1 time in total
jefflowrey
Posted: Mon Jul 31, 2006 11:25 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

You're probably seeing the IP address of the connection coming from the MCA, rather than from the client itself.

You probably need to have your exit run on both the client and the server side and stream the necessary information from one to another.

You're probably much better off implementing a firewall or Extended Security Edition, or maybe a third-party solution.
_________________
I am *not* the model of the modern major general.
markt
Posted: Mon Jul 31, 2006 12:23 pm

Knight

Joined: 14 May 2002
Posts: 508

Believe it's a known bug. Check service.
bbburson
Posted: Mon Jul 31, 2006 12:41 pm

Partisan

Joined: 06 Jan 2004
Posts: 378
Location: Nowhere near a queue manager

markt wrote:
Believe it's a known bug. Check service.

Thanks Mark. In MQXR_INIT we're seeing
Code:
Mon Jul 31 15:23:27 2006
: MQXR_INIT
Mon Jul 31 15:23:27 2006
: pChDef->ConnectionName = 0.0.0.0


By "check service" I assume you mean "open a PMR." Will do.
bbburson
Posted: Tue Aug 01, 2006 7:08 am

Partisan

Joined: 06 Jan 2004
Posts: 378
Location: Nowhere near a queue manager

Forgot to mention, this strangeness is seen on HP-UX 11.11 ONLY. The recompiled-for-64bit-exit works as intended on Solaris and AIX.
jefflowrey
Posted: Tue Aug 01, 2006 7:24 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

Well, if you'd mentioned that, I wouldn't have guessed wrong.

A firewall is still a better solution, in my opinion. Doesn't require restarting the qmgr if you upgrade.
_________________
I am *not* the model of the modern major general.
bbburson
Posted: Tue Aug 01, 2006 8:15 am

Partisan

Joined: 06 Jan 2004
Posts: 378
Location: Nowhere near a queue manager

jefflowrey wrote:
Well, if you'd mentioned that, I wouldn't have guessed wrong.

Sorry for the confusion.
jefflowrey wrote:
A firewall is still a better solution, in my opinion. Doesn't require restarting the qmgr if you upgrade.

No arguments here. This exit is actually a stop-gap measure for the few of our applications that for whatever reason cannot do SSL yet.
markt
Posted: Tue Aug 01, 2006 8:34 am

Knight

Joined: 14 May 2002
Posts: 508

IY86343

<ERROR_DESCRIPTION>
The ConnectionName and ShortConnectionName fields in the MQCD
passed to an exit on a receiver-type channel, for example a
RCVR or SVRCONN, are set to 0.0.0.0 if the UNIX listener inetd
is used. The fields are correctly set if runmqlsr is used.
Also, the CONNAME displayed in runmqsc for the channel is
0.0.0.0.
</ERROR_DESCRIPTION>

Not yet included in an official fixpack.
jefflowrey
Posted: Tue Aug 01, 2006 8:51 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

bbburson wrote:
jefflowrey wrote:
Well, if you'd mentioned that, I wouldn't have guessed wrong.

Sorry for the confusion.


No worries!
_________________
I am *not* the model of the modern major general.
bbburson
Posted: Tue Aug 01, 2006 9:35 am

Partisan

Joined: 06 Jan 2004
Posts: 378
Location: Nowhere near a queue manager

markt wrote:
IY86343

<ERROR_DESCRIPTION>
The ConnectionName and ShortConnectionName fields in the MQCD
passed to an exit on a receiver-type channel, for example a
RCVR or SVRCONN, are set to 0.0.0.0 if the UNIX listener inetd
is used. The fields are correctly set if runmqlsr is used.
Also, the CONNAME displayed in runmqsc for the channel is
0.0.0.0.
</ERROR_DESCRIPTION>

Not yet included in an official fixpack.


Sorry, Mark, but I must disagree. We use runmqlsr only, and I just logged on to verify that the inetd listener has not jumped in there by mistake. So there must be more to it. We have opened a PMR and will see what comes of that.
jefflowrey
Posted: Tue Aug 01, 2006 10:01 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

Also, I have seen error messages in AMQERR01.LOG "in the wild" on AIX and HP-UX with the '0.0.0.0' address for what I know are svrconns.

So I had more than one reason for guessing wrong.
_________________
I am *not* the model of the modern major general.
bbburson
Posted: Tue Aug 08, 2006 12:42 pm    Post subject: solved

Partisan

Joined: 06 Jan 2004
Posts: 378
Location: Nowhere near a queue manager

Turns out IY86343 is needed on HP-UX systems even if runmqlsr is used. IBM provided the files for this fix and the exits are working as expected now. Thanks for the pointers and help here.
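
Added example (not part of the thread, and not the poster's or IBM's exit code): the thread shows an IP-validating exit receiving 0.0.0.0 in ConnectionName, so this sketch shows one way such a check can separate "address unavailable" from "address not allowed" and refuse both. It assumes IPv4 only and a 264-byte blank-padded field; `check_peer`, `trim_field`, `demo` and the allowlist values are hypothetical names and constructed data.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>
#define CONN_NAME_LEN 264  /* width of MQCD.ConnectionName (MQ_CONN_NAME_LENGTH) */
enum peer_verdict { PEER_ALLOW, PEER_DENY, PEER_UNKNOWN };

/* Copy a blank-padded, possibly unterminated field into a C string.
 * Returns -1 if the trimmed value does not fit, so it is never truncated. */
static int trim_field(const char *field, size_t len, char *out, size_t outsz)
{
    size_t n = 0;
    while (n < len && field[n] != '\0') n++;
    while (n > 0 && field[n - 1] == ' ') n--;   /* strip trailing blanks */
    if (n >= outsz) return -1;
    memcpy(out, field, n);
    out[n] = '\0';
    return 0;
}

/* PEER_UNKNOWN: the field held no usable IPv4 address (blank, unparsable, or
 * 0.0.0.0 as in IY86343). Callers must refuse the connection, same as DENY. */
enum peer_verdict check_peer(const char *conname, const char *const allow[], size_t nallow)
{
    char text[INET_ADDRSTRLEN];
    struct in_addr peer, entry;
    if (trim_field(conname, CONN_NAME_LEN, text, sizeof text) != 0 ||
        inet_pton(AF_INET, text, &peer) != 1 || peer.s_addr == htonl(INADDR_ANY))
        return PEER_UNKNOWN;
    for (size_t i = 0; i < nallow; i++) {
        /* Skip malformed or 0.0.0.0 entries so they can never act as a wildcard. */
        if (inet_pton(AF_INET, allow[i], &entry) != 1 || entry.s_addr == htonl(INADDR_ANY))
            continue;
        if (entry.s_addr == peer.s_addr)
            return PEER_ALLOW;
    }
    return PEER_DENY;
}

/* Demo: pad a constructed address into a 264-byte field, check a constructed list. */
enum peer_verdict demo(const char *addr)
{
    static const char *const allow[] = { "10.1.2.3", "0.0.0.0" };
    char field[CONN_NAME_LEN];
    memset(field, ' ', sizeof field);
    memcpy(field, addr, strlen(addr));
    return check_peer(field, allow, sizeof allow / sizeof allow[0]);
}
int main(void) { return demo("0.0.0.0") == PEER_UNKNOWN ? 0 : 1; }
```

In an actual exit, any verdict other than PEER_ALLOW would map to closing the channel (ExitResponse set to MQXCC_CLOSE_CHANNEL), with PEER_UNKNOWN logged separately so the 0.0.0.0 symptom is visible to operations.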
oz1ccg
Posted: Wed Aug 09, 2006 9:11 am

Yatiri

Joined: 10 Feb 2002
Posts: 628
Location: Denmark

It turns out that the problems also can appear on Windows and the other UNIX implementations.

A description is found here on IBM.com

-- Lock it or Lose it --
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
Hassan
Posted: Fri Aug 18, 2006 6:27 am

Voyager

Joined: 01 Apr 2004
Posts: 81
Location: Toronto, Canada

I just had them add iSeries to the list of platforms. We experienced the same problem on our iSeries systems. Although it was not so much of a problem as yet, since we are not using block ip type security exits.
dutchman
Posted: Mon Sep 04, 2006 3:49 am

Acolyte

Joined: 15 May 2001
Posts: 71
Location: Netherlands

Hi - I upgraded 2 machines last Sat and am experiencing the same conname(0.0.0.0) problem. My system is on Linux and it happens regardless of whether an exit is used. Also, I'm using runmqlsr as the listener.

I followed the link that was posted and was interested to see that the HP fix was to apply refresh pack 6.0.2.1 - but afaik that cannot be downloaded as yet.

Cheers ... R