SupportPac MS0R WebSphere MQ channel security Exit
tango
Posted: Mon Feb 04, 2008 4:31 am    Post subject: SupportPac MS0R WebSphere MQ channel security Exit

Apprentice

Joined: 14 Mar 2007
Posts: 42

Hi All,

I can't seem to get MS0R to work on a Solaris SPARC server recently migrated to MQv6.0.2.2.

This server was previously using BlockIP2 which worked fine. For MS0R, I can't seem to get past MQXR_SEC_PARMS even though I'm using the same config file as I used with BlockIP2. The following is an extract from the PWServer001.log (IPs / channel names removed).

Patterns to process [*;]
Connection accepted for pattern [*], ConName [xxx]
ExitResponse=MQXCC_OK (0)
ver=1.40 env=Solaris ExitId=MQXT_CHANNEL_SEC_EXIT ExitReason=MQXR_INIT_SEC ChannelType=MQCHT_SVRCONN
CON Pattern matched [xxx] CON name [xxx]
Userid: [xxx]
CON/RemUid Pattern matched [bob] RemUID [bob]
CON MCA specified
CON Set MCA userid to [mqm] from [bob]
Using credentials supplied in MQCD
SVRCONN no password supplied in INIT_SEC, will require password in SEC_PARMS.
Connection may be accepted, Channel [xxx] ConName [xxx] Pattern [*;] Flags [] User [bob]
ExitResponse=MQXCC_OK (0)
Connection refused, Channel [xxx] ConName [xxx] User [bob] was not authenticated.

PWServer seems to be finding the CON pattern in the config file, but not authenticating it. Any idea why this is??? I've tried both the supported and unsupported LDAP versions.

Thanks
tango
Posted: Mon Feb 04, 2008 7:17 am    Post subject: SAFOff

Apprentice

Joined: 14 Mar 2007
Posts: 42

Ah... So the client has to pass userid and p/w if the 'SAFOff' is left as default N. Is 'SAFOff' password validation a new feature with MS0R? Don't think this was in BlockIP2. When we switch off password validation (SAFOff=Y), we get inconsistent results, i.e. the client can connect some of the time. Has anyone else experienced this?

Thanks
oz1ccg
Posted: Mon Feb 04, 2008 9:19 am    Post subject:

Yatiri

Joined: 10 Feb 2002
Posts: 628
Location: Denmark

Hi Tango,

You're absolutely 100% correct.

I've chosen to start MS0R by increasing the security level by default setting some options. I thought it was best to start with a default setting that means something.

Maybe I should add a page explaining upgrade from BlockIP2 to MS0R.

So I ask for userid and password, block privileged userids.

It's extended with a Connectionname limiter, client exits that also allow you to change password on certain platforms.

-- Lock it or lose it --
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
tango
Posted: Tue Feb 05, 2008 12:48 am    Post subject: Source

Apprentice

Joined: 14 Mar 2007
Posts: 42

Hi Jørgen,

Is the source available for ms0r?
oz1ccg
Posted: Tue Feb 05, 2008 2:37 pm    Post subject:

Yatiri

Joined: 10 Feb 2002
Posts: 628
Location: Denmark

Nope, the source for SupportPac MS0R is not available, and we have no plans of making it available.

-- Lock it or Lose it --
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
tango
Posted: Wed Feb 13, 2008 8:08 am    Post subject: resolved

Apprentice

Joined: 14 Mar 2007
Posts: 42

Should also mention that when you migrate from v5.3 to v6+ you need to add the line 'ExitsDefaultPath64=/var/mqm/exits64/' in your qm.ini file. Otherwise when you specify 'SCYEXIT('PWServer(PWExit)')' as in the SupportPac manual, it won't work. If you don't update the qm.ini file, you have to be more explicit 'SCYEXIT('/var/mqm/exits64/PWServer(PWExit)')'.
oz1ccg
Posted: Wed Feb 13, 2008 11:23 am    Post subject:

Yatiri

Joined: 10 Feb 2002
Posts: 628
Location: Denmark

I'll try to remember to add a comment in the next release of the book. But the upgrade process should change the ini files....

Thanks.

-- Lock it or Lose it --
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
tango
Posted: Thu Feb 14, 2008 1:34 am    Post subject:

Apprentice

Joined: 14 Mar 2007
Posts: 42

I updated from v5.3 to 6.0.2.2 and then recently to 6.0.2.3 on Solaris Sparc. Although the file system structure was migrated, the qm.ini files for the five existing QMs were unchanged, and hence I had to add the exits64 ExitPath. I guess if I were to now create a new QM on this 6.0.2.3 box, it will of course have this line included.
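The qm.ini check discussed in the two posts above (the missing 'ExitsDefaultPath64' line after a v5.3 to v6 migration), as an added example that is not part of the original thread or of the SupportPac. It assumes queue manager data under /var/mqm/qmgrs/<QM>/qm.ini; the MQ_ROOT variable and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit qm.ini files for the 64-bit exit path after a migration.
# Assumption: qm.ini files live under $MQ_ROOT/qmgrs/<QM>/ (default /var/mqm).

# Print the ExitsDefaultPath64 value from the ExitPath stanza of the given qm.ini.
exits64_path() {
    awk '
        /^[ \t]*[#;]/ { next }                          # skip comment lines
        /^[A-Za-z][A-Za-z0-9]*:/ { stanza = $1; next }  # stanza header, e.g. "ExitPath:"
        stanza == "ExitPath:" {
            line = $0; gsub(/[ \t\r]/, "", line)
            key = "ExitsDefaultPath64="
            if (index(line, key) == 1) { print substr(line, length(key) + 1); exit }
        }
    ' "$1"
}

# Classify one qm.ini: "ok", "missing" (no ExitsDefaultPath64 value) or
# "nodir" (value present but the directory it names does not exist).
check_qm_ini() {
    path=$(exits64_path "$1")
    if [ -z "$path" ]; then
        echo missing
    elif [ ! -d "$path" ]; then
        echo nodir
    else
        echo ok
    fi
}

# Report the status of every queue manager under the given MQ data root.
audit_all() {
    for ini in "$1"/qmgrs/*/qm.ini; do
        [ -f "$ini" ] || continue
        printf '%s\t%s\n' "$(check_qm_ini "$ini")" "$ini"
    done
}

audit_all "${MQ_ROOT:-/var/mqm}"
```

A queue manager reported as "missing" or "nodir" needs either the ExitPath line added or the fully qualified SCYEXIT form quoted in the post above.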
tango
Posted: Mon Feb 25, 2008 1:47 am    Post subject:

Apprentice

Joined: 14 Mar 2007
Posts: 42

Another question; on the config/specification file.

On the following line;

CON=127.0.0.1;system;MCA=mqsys;

Is the user 'system' case sensitive? I.e. if the connecting userid is 'SYSTEM', will ms0r do a block?
oz1ccg
Posted: Mon Feb 25, 2008 7:28 am    Post subject:

Yatiri

Joined: 10 Feb 2002
Posts: 628
Location: Denmark

Yes, MS0R is case sensitive.

So SYSTEM will be blocked and system will pass through.

-- Lock it or Lose it --
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
tango
Posted: Mon Feb 25, 2008 8:58 am    Post subject:

Apprentice

Joined: 14 Mar 2007
Posts: 42

thought so... thanks