Security Exit-----Urgent
vsk
PostPosted: Wed Apr 30, 2003 10:34 am    Post subject: Security Exit-----Urgent Reply with quote

Novice

Joined: 25 Apr 2003
Posts: 24

I added a security exit in my sender channel definition. Now when I am trying to start my channel the channel is not starting up. Can anyone help me with this?

Thanks,
VSK
kevinf2349
PostPosted: Wed Apr 30, 2003 1:39 pm    Post subject: Reply with quote

Grand Master

Joined: 28 Feb 2003
Posts: 1311
Location: USA

Is there an error message?

As far as I recall security exits work in pairs. Is the security exit also activated at the receiving end?

If you just want to get the channel working again, remove the security exit and it should work. Of course this doesn't get the exit working, but it will get the channel up and running.
vsk
PostPosted: Thu May 01, 2003 5:34 am    Post subject: Reply with quote

Novice

Joined: 25 Apr 2003
Posts: 24

Following is the code that has been given to us by the vendor company with whom we will be communicating via MQ

Code:
extern "C" {
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef AIX
#include <langinfo.h>
#endif

#include <sys/types.h>
#include <sys/timeb.h>
#include <time.h>

/* MQSeries headers */
#include <cmqc.h>
#include <cmqxc.h>

/* testing headers */
#include <time.h>

/* dummy function used as entry point to exit, only needed on AIX boxes */
void MQStart() {;} /* dummy entry point */

void MQENTRY MQMDH001( PMQCXP  pChannelExitParams,
                       PMQCD   pChannelDefinition,
                       PMQLONG pDataLength,
                       PMQLONG pAgentBufferLength,
                       PMQBYTE AgentBuffer,
                       PMQLONG pExitBufferLength,
                       PMQPTR  pExitBufferAddr)
{
    char Channel_Logfile[] = "c:\\temp\\scylog.log";
    FILE * fp;

    /* for test purposes */
    char TimeBuffer[100];
    struct tm *pNow=NULL;
    time_t MyTime;

    /* open the log file; fall back to stderr so the fprintf calls
       below never receive a NULL stream if the file cannot be opened */
    fp = fopen(Channel_Logfile,"a+");
    if (fp == NULL)
        fp = stderr;

    /* defaults: let the channel continue, no feedback code */
    pChannelExitParams->ExitResponse = MQXCC_OK;
    pChannelExitParams->Feedback = 0;

    switch( pChannelExitParams-> ExitReason )
    {
    case MQXR_INIT:
        /* exit initialisation: only log the time of the call */
        MyTime=time(NULL);
        pNow=localtime(&MyTime);
        strftime(TimeBuffer, sizeof(TimeBuffer),
                 "\nScy exit called for INIT at %A %B %d, %Y at %I:%M %p\n", pNow);
        fprintf(fp, "%s", TimeBuffer);
        break;
    case MQXR_INIT_SEC:
        /* start the security exchange by sending the challenge token */
        *pDataLength = 9;
        pChannelExitParams->ExitResponse = MQXCC_SEND_SEC_MSG;
        strncpy((char *)AgentBuffer, "WHOAREYOU\0", 10);
        fprintf(fp,"Scy exit called for INIT_SEC, resp=%d, buff=%s\n", pChannelExitParams->ExitResponse, (char *)AgentBuffer);
        break;
    case MQXR_SEC_MSG:
        /* a security message arrived: always answer with userid/password */
        fprintf(fp,"Scy exit called for SEC_MSG, resp=%d, buff=%.10s\n", pChannelExitParams->ExitResponse, (char *)AgentBuffer);
        *pDataLength = 20;
        pChannelExitParams->ExitResponse = MQXCC_SEND_SEC_MSG;

        /******CHANGE userid/password in the following line:********/
        strncpy((char *)AgentBuffer, "A000Userid Password\0", 21);
        /******END OF CHANGE userid/password: **********************/

        fprintf(fp,"Scy exit called for SEC_MSG, resp=%d, buff=%.10s\n", pChannelExitParams->ExitResponse, (char *)AgentBuffer);
        break;
    case MQXR_TERM:
        fprintf(fp,"Scy exit called for TERM\n");
        break;
    default:
        fprintf(fp,"Scy exit called with invalid reason code: %d\n", pChannelExitParams-> ExitReason);
        break;
    } /* switch */

    /* close the log file (stderr is left open) */
    if (fp != stderr)
        fclose(fp);
    return;
} /* END OF void MQENTRY MQMDH001( */

} /* END OF extern "C" { */


I have compiled this C code and added the executable path in the sender channel SCYEXIT() parameter.

Can anyone tell me what I should do to test this security exit? I have created another queue manager, queues and a receiver channel. What do I need to do on the receiver channel so that I can make this security exit program work?


Please reply ASAP. It's urgent.
bduncan
PostPosted: Thu May 01, 2003 10:13 am    Post subject: Reply with quote

Padawan

Joined: 11 Apr 2001
Posts: 1554
Location: Silicon Valley

Well, you'll need to provide us with some more information before anyone can possibly diagnose this. You say the channel is not starting up. Are you starting the channel via runmqsc or runmqchl? Are you getting any immediate error (if so what is it) when you start the channel, or does it say that it started the channel but then when you do "dis chstatus(*)" you see the channel is in retrying mode? What do the AMQ logs show when you try to start the channel? Are any FDC files being created?
_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator
vsk
PostPosted: Thu May 01, 2003 12:23 pm    Post subject: Reply with quote

Novice

Joined: 25 Apr 2003
Posts: 24

Now the channel is working, but the following is the problem and I am not able to send any messages from one QM to the other.


Following are the steps that I did to setup the exit program on sender and receiver channel.

1) Compiled the security exit code and copied it to /var/mqm/exits directory.
2) Defined the sender channel as follows.
DEFINE CHANNEL(QM1.to.QM2.C1) CHLTYPE(SDR) +
TRPTYPE(TCP) +
CONNAME('I/p address(1417)') +
DESCR('Sender channel ') +
XMITQ(QM2) +
SCYEXIT('ChannelExit(MQMDH001)') +
SENDEXIT('ChannelExit(MQMDH001)')

3) Defined the receiver channel
DEFINE CHANNEL(Qm1.to.QM2.C1) CHLTYPE(RCVR) +
TRPTYPE(TCP) +
DESCR('Receiver channel')+
SCYEXIT('ChannelExit(MQMDH001)') +
RCVEXIT('ChannelExit(MQMDH001)')
4) Started the sender and receiver channel on both the Queue managers.

For testing purposes both the queue managers are on the same machine.

After I do a Display channel Status on sender channel I get the following
AMQ8417: Display Channel Status details.
CHANNEL(Qm1.to.QM2.C1) XMITQ(QM2)
CONNAME(I/p address(1417))
CURRENT CHLTYPE(SDR)
STATUS(BINDING) RQMNAME(QM2)

I think the security exit program is going into a loop and is continuously writing into /tmp/scylog.log file(See the code).
The contents are as follows
Inside Security ExitScy exit called for SEC_MSG, resp=0, buff=test123
Scy exit called for SEC_MSG, resp=-4, buff=test123
Inside Security ExitScy exit called for SEC_MSG, resp=0, buff=test123
Scy exit called for SEC_MSG, resp=-4, buff=test123
Inside Security ExitScy exit called for SEC_MSG, resp=0, buff=test123
Scy exit called for SEC_MSG, resp=-4, buff=test123
........
........

Do I need to set the userid and password that I am passing to the security exit program on receiver channel definition or somewhere ??????

Please let me know if anything is needed
Thanks in advance
oz1ccg
PostPosted: Fri May 02, 2003 6:43 am    Post subject: Reply with quote

Yatiri

Joined: 10 Feb 2002
Posts: 628
Location: Denmark

There are quite a few things to watch ...

First, it seems to me that the security exit is also used as the send and receive exit? Why??

Second, how is the security negotiation defined by your vendor company: who should start, the sender or the receiver side? Second, the supplied exit is "thin"; there should be some checks so it only responds to security.

I just tried the exit, and after a small change it doesn't loop anymore... but it might not serve your requests... all I changed was:
Code:
  fprintf(fp,"Scy exit called for SEC_MSG, resp=%d, buff=%.10s\n", pChannelExitParams->ExitResponse, (char *)AgentBuffer);
  *pDataLength = 20;
  pChannelExitParams->ExitResponse = MQXCC_OK;


Third, are you sure that you will always send your user/password? Because the exit starts its security exchange with WHOAREYOU. Personally I would check and see if the other party sends an agreed token before sending user/password.

Just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
vsk
PostPosted: Fri May 02, 2003 10:03 am    Post subject: Reply with quote

Novice

Joined: 25 Apr 2003
Posts: 24

Hi,
I modified the code as you mentioned and now it is not looping.
The vendor requirement is such that each time the channel disconnects when there is no message for 5 minutes, and then when there is a message it should reconnect again with the user id and password.
Do I need to do anything extra for this to work?

I have installed the Security Exit both on sender and receiver channel.
SJ
PostPosted: Fri May 02, 2003 10:07 am    Post subject: Reply with quote

Newbie

Joined: 02 May 2003
Posts: 8
Location: US

The requirements of the exit are to send a userid/password on channel startup when you are the sender. We went through the same exercise a while back and stripped the sample that was supplied to the bare minimum.

The following is used on our test system:

Code:
#include <string.h>

/* MQSeries headers */
#include <cmqc.h>
#include <cmqxc.h>

void MQENTRY SecSendL1( PMQVOID pChannelExitParams,
                        PMQVOID pChannelDefinition,
                        PMQLONG pDataLength,
                        PMQLONG pAgentBufferLength,
                        PMQVOID pAgentBuffer,
                        PMQLONG pExitBufferLength,
                        PMQPTR  pExitBufferAddr )
{
    /* typed views of the untyped exit parameters */
    PMQCXP pCEP = (PMQCXP)pChannelExitParams;
    PMQCD  pCD  = (PMQCD)pChannelDefinition;

    /* setup defaults */
    pCEP->ExitResponse = MQXCC_OK ;
    pCEP->Feedback = 0;

    switch ( pCEP->ExitReason ) {

    case MQXR_SEC_MSG: /* security message received */
        /* reply with the first 20 bytes of the channel's SCYDATA */
        pCEP->ExitResponse = MQXCC_SEND_SEC_MSG;
        *pDataLength = 20;
        strncpy( (char *)pAgentBuffer, pCD->SecurityUserData, 20 );
        break;

    default: break; /* do nothing */
    } /* end switch */

    return;

} /* END OF MQENTRY SecSendL1( */

The channel is setup with

SCYDATA(A000<userid><password>) and
SCYEXIT(secexit(SecSendL1))

There is no requirement for all the logging or to put it on the receiver channel.
vsk
PostPosted: Fri May 02, 2003 11:56 am    Post subject: Reply with quote

Novice

Joined: 25 Apr 2003
Posts: 24

The channel is setup with

SCYDATA(A000<userid><password>) and
SCYEXIT(secexit(SecSendL1))


Do I need to set this channel definition on the sender channel or the receiver channel?

Now the data is flowing from the sender channel to the receiver channel. But now even if I am passing a wrong user id and password (in the security exit program) the data is still flowing, which should not be the case.

Don't know what to do now.
oz1ccg
PostPosted: Mon May 05, 2003 12:34 am    Post subject: Reply with quote

Yatiri

Joined: 10 Feb 2002
Posts: 628
Location: Denmark

hi,

It's not your program that will terminate the connection, it's your partners end...

You could use supportpack IC72 for inspiration on how to create another security exit to check the one you're developing....
http://www-3.ibm.com/software/ts/mqseries/txppacs/ic72.html

I've created some security exits myself, to monitor incoming calls, and I'm trying to keep a list of MQ-security stuff:
http://home19.inet.tele.dk/m-invent/index.htm?links.htm

just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
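
The two problems raised in this thread (the endless SEC_MSG exchange, and a wrong userid/password still being accepted) modelled as a small stand-alone C simulation. This is an added example, not code from any poster, the vendor or IBM: it does not use the MQ headers, and the XCC_*/CH_* constants, the function names and the credential strings are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for MQXCC_* responses (not <cmqxc.h>); -4 matches resp=-4 in the log. */
enum { XCC_OK = 0, XCC_SEND_SEC_MSG = -4, XCC_CLOSE_CHANNEL = -6 };
enum { CH_RUNNING = 1, CH_CLOSED = 2, CH_BINDING = 3 };
#define SEC_LEN 20
typedef int (*sec_exit)(char *buf, const char *data);   /* buf holds SEC_LEN+1 bytes */
/* Vendor sample behaviour: every security message is answered with another. */
static int always_reply(char *buf, const char *data) {
    strncpy(buf, data, SEC_LEN); buf[SEC_LEN] = '\0';
    return XCC_SEND_SEC_MSG;
}
/* Exit that returns OK on any security message (the edit that stopped the loop). */
static int accept_any(char *buf, const char *data) { (void)buf; (void)data; return XCC_OK; }
/* Sender: release SCYDATA only in reply to the agreed challenge token. */
static int sender_exit(char *buf, const char *scydata) {
    if (strcmp(buf, "WHOAREYOU") != 0) return XCC_CLOSE_CHANNEL;
    strncpy(buf, scydata, SEC_LEN); buf[SEC_LEN] = '\0';
    return XCC_SEND_SEC_MSG;
}
/* Receiver: compare all SEC_LEN bytes without an early exit, then accept or close. */
static int receiver_exit(char *buf, const char *expected) {
    char want[SEC_LEN + 1] = {0};
    unsigned char diff = 0;
    strncpy(want, expected, SEC_LEN);
    for (int i = 0; i < SEC_LEN; i++) diff |= (unsigned char)(buf[i] ^ want[i]);
    return diff == 0 ? XCC_OK : XCC_CLOSE_CHANNEL;
}
/* Receiver opens with the challenge; exits alternate until one stops replying. */
int run_exchange(sec_exit snd, const char *cred, sec_exit rcv, const char *want, int max) {
    char buf[SEC_LEN + 1] = "WHOAREYOU";
    int n, rc;
    for (n = 0; n < max; n++) {
        rc = (n % 2 == 0) ? snd(buf, cred) : rcv(buf, want);
        if (rc == XCC_OK) return CH_RUNNING;
        if (rc == XCC_CLOSE_CHANNEL) return CH_CLOSED;
    }
    return CH_BINDING;   /* still trading security messages, as in the log */
}
int main(void) {   /* constructed sample credentials */
    const char *good = "A000Userid Password", *bad = "A000Userid Wrong";
    printf("loop=%d unchecked=%d rejected=%d accepted=%d\n",
           run_exchange(always_reply, good, always_reply, good, 100),
           run_exchange(sender_exit, bad, accept_any, good, 100),
           run_exchange(sender_exit, bad, receiver_exit, good, 100),
           run_exchange(sender_exit, good, receiver_exit, good, 100));
    return 0;
}
```

Only the run with receiver_exit on the receiving side closes the channel for the wrong credential; with accept_any there the channel runs whatever the sender supplies.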