Author |
Message
|
tango |
Posted: Mon Feb 04, 2008 4:31 am Post subject: SupportPac MS0R WebSphere MQ channel security Exit |
|
|
Apprentice
Joined: 14 Mar 2007 Posts: 42
|
Hi All,
I can't seem to get MS0R to work on a Solaris SPARC server recently migrated to MQv6.0.2.2.
This server was previously using BlockIP2 which worked fine. For MS0R, I can't seem to get past MQXR_SEC_PARMS even though I'm using the same config file as I used with BlockIP2. The following is an extract from the PWServer001.log (IPs / channel names removed).
Patterns to process [*;]
Connection accepted for pattern [*], ConName [xxx]
ExitResponse=MQXCC_OK (0)
ver=1.40 env=Solaris ExitId=MQXT_CHANNEL_SEC_EXIT ExitReason=MQXR_INIT_SEC ChannelType=MQCHT_SVRCONN
CON Pattern matched [xxx] CON name [xxx]
Userid: [xxx]
CON/RemUid Pattern matched [bob] RemUID [bob]
CON MCA specified
CON Set MCA userid to [mqm] from [bob]
Using credentials supplied in MQCD
SVRCONN no password supplied in INIT_SEC, will require password in SEC_PARMS.
Connection may be accepted, Channel [xxx] ConName [xxx] Pattern [*;] Flags [] User [bob]
ExitResponse=MQXCC_OK (0)
Connection refused, Channel [xxx] ConName [xxx] User [bob] was not authenticated.
PWServer seems to be finding the CON pattern in the config file, but not authenticating it. Any idea why this is??? I've tried both the supported and unsupported LDAP versions.
Thanks |
 |
tango |
Posted: Mon Feb 04, 2008 7:17 am Post subject: SAFOff |
|
|
Apprentice
Joined: 14 Mar 2007 Posts: 42
|
Ah... So the client has to pass userid and p/w if 'SAFOff' is left as default N. Is 'SAFOff' password validation a new feature with MS0R? Don't think this was in BlockIP2. When we switch off password validation (SAFOff=Y), we get inconsistent results, i.e. the client can connect some of the time. Has anyone else experienced this?
Thanks |
 |
oz1ccg |
Posted: Mon Feb 04, 2008 9:19 am Post subject: |
|
|
 Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
|
Hi Tango,
You're absolutely 100% correct.
I've chosen to start MS0R by increasing the security level by default setting some options. I thought it was best to start with a default setting that means something.
Maybe I should add a page explaining upgrade from BlockIP2 to MS0R.
So I ask for userid and password, block privileged userids.
It's extended with Connectionname limiter, client exits that also allow you to change password on certain platforms.
-- Lock it or lose it --  _________________ Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT. |
 |
tango |
Posted: Tue Feb 05, 2008 12:48 am Post subject: Source |
|
|
Apprentice
Joined: 14 Mar 2007 Posts: 42
|
Hi Jørgen,
Is the source available for ms0r? |
 |
oz1ccg |
Posted: Tue Feb 05, 2008 2:37 pm Post subject: |
|
|
 Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
|
Nope, the source for SupportPac MS0R is not available, and we have no plans of making it available.
-- Lock it or Lose it --  _________________ Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT. |
 |
tango |
Posted: Wed Feb 13, 2008 8:08 am Post subject: resolved |
|
|
Apprentice
Joined: 14 Mar 2007 Posts: 42
|
Should also mention that when you migrate from v5.3 to v6+ you need to add the line 'ExitsDefaultPath64=/var/mqm/exits64/' in your qm.ini file. Otherwise when you specify 'SCYEXIT('PWServer(PWExit)')' as in the SupportPac manual, it won't work. If you don't update the qm.ini file, you have to be more explicit 'SCYEXIT('/var/mqm/exits64/PWServer(PWExit)')'.  |
 |
oz1ccg |
Posted: Wed Feb 13, 2008 11:23 am Post subject: |
|
|
 Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
|
I'll try to remember to add a comment in the next release of the book. But the upgrade process should change the ini files....
Thanks.
-- Lock it or Lose it --  _________________ Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT. |
 |
tango |
Posted: Thu Feb 14, 2008 1:34 am Post subject: |
|
|
Apprentice
Joined: 14 Mar 2007 Posts: 42
|
I updated from v5.3 to 6.0.2.2 and then recently to 6.0.2.3 on Solaris Sparc. Although the file system structure was migrated, the qm.ini files for the five existing QMs were unchanged, and hence I had to add the exits64 ExitPath. I guess if I were to now create a new QM on this 6.0.2.3 box, it will of course have this line included.
|
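The qm.ini check discussed in the two posts above, as an added example that is not part of the thread and is not MS0R or IBM code: it reports which queue managers still lack `ExitsDefaultPath64` in their `ExitPath` stanza after a migration. The function names are hypothetical, the sample qm.ini files are constructed, and the assumption is that each queue manager has its own directory holding a `qm.ini` (for example under `/var/mqm/qmgrs`).

```shell
#!/bin/sh
# Added example: find queue managers whose qm.ini has no ExitsDefaultPath64.

# Print the ExitsDefaultPath64 value from the ExitPath stanza of qm.ini file $1.
# Returns 1 when the stanza does not carry the key.
exitpath64_value() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[A-Za-z][A-Za-z0-9]*:[ \t]*$/ {           # stanza header such as "ExitPath:"
            in_exit = ($1 == "ExitPath:"); next
        }
        in_exit && /^[ \t]*ExitsDefaultPath64[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            if (!found) print
            found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Print the directory name of every queue manager under $1 that lacks the key.
missing_exitpath64() {
    for ini in "$1"/*/qm.ini; do
        [ -f "$ini" ] || continue
        exitpath64_value "$ini" >/dev/null || basename "$(dirname "$ini")"
    done
}

# Constructed sample: QM_OLD migrated from v5.3 (no 64-bit path), QM_NEW created on v6.
make_sample() {
    mkdir -p "$1/QM_OLD" "$1/QM_NEW"
    printf 'ExitPath:\n   ExitsDefaultPath=/var/mqm/exits\nLog:\n   LogType=CIRCULAR\n' \
        > "$1/QM_OLD/qm.ini"
    printf 'ExitPath:\n   ExitsDefaultPath=/var/mqm/exits\n   ExitsDefaultPath64=/var/mqm/exits64/\n' \
        > "$1/QM_NEW/qm.ini"
}

sample=$(mktemp -d)
make_sample "$sample"
echo "missing ExitsDefaultPath64: $(missing_exitpath64 "$sample")"
echo "QM_NEW value: $(exitpath64_value "$sample/QM_NEW/qm.ini")"
rm -rf "$sample"
```

A queue manager listed by `missing_exitpath64` will only load the security exit if SCYEXIT names the full path, as described in the post above.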
 |
tango |
Posted: Mon Feb 25, 2008 1:47 am Post subject: |
|
|
Apprentice
Joined: 14 Mar 2007 Posts: 42
|
Another question; on the config/specification file.
On the following line;
CON=127.0.0.1;system;MCA=mqsys;
Is the user 'system' case sensitive? I.e. if the connecting userid is 'SYSTEM', will ms0r do a block? |
 |
oz1ccg |
Posted: Mon Feb 25, 2008 7:28 am Post subject: |
|
|
 Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
|
 |
tango |
Posted: Mon Feb 25, 2008 8:58 am Post subject: |
|
|
Apprentice
Joined: 14 Mar 2007 Posts: 42
|
thought so... thanks  |
 |
|