Author |
Message
|
SilentWind |
Posted: Sun Mar 05, 2006 5:44 pm Post subject: MQ JMS Security Exit |
|
|
Acolyte
Joined: 11 Jan 2006 Posts: 58
|
How do I transmit the MCAUserID in my customised SecurityExit.java?
Currently I have
public byte[] securityExit(MQChannelExit mce, MQChannelDefinition mcd, byte[] b) {
    switch (mce.exitReason) {
        // some codes
        case MQC.MQXR_INIT_SEC:
            // I need some sample code here
            break;
        // some codes
    }
    return b;
} |
|
wschutz |
Posted: Mon Mar 06, 2006 10:39 am Post subject: |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
Your Java client security exit must send the userid in the "security flow" to a partner server-side security exit, which then places that userid into the MCAUserIdentifier field of the MQCD parm.
The "Intercommunications" manual explains how to write security exits to pass "security flows" to each other ..... have fun....  _________________ -wayne |
|
SilentWind |
Posted: Mon Mar 06, 2006 6:16 pm Post subject: Thanks |
|
|
Acolyte
Joined: 11 Jan 2006 Posts: 58
|
I understand what you mean. But I can't find any suitable calls to MQChannelDefinition to retrieve the MCAUserID in the client. I do not want to pass it through from the channel prop in the qmgr.
Can you provide a few lines of sample Java code for the client side to retrieve the MCAUserID under MQC.MQXR_INIT_SEC? |
|
wschutz |
Posted: Tue Mar 07, 2006 2:31 am Post subject: Re: Thanks |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
SilentWind wrote: |
But I can't find any suitable calls to MQChannelDefinition to retrieve the MCAUserID in the client. |
That's because there is no MCAUserID on the client end of the channel (clntconn). MCAUserID only exists in the server end (svrconn), and you can't have a security exit in Java anywhere but on the client end....
Tell us exactly what you are trying to do ..ie where you want the userid to come from...(like, I want to send the userid who signed and is running the java application or some such....) _________________ -wayne |
|
SilentWind |
Posted: Tue Mar 07, 2006 10:45 pm Post subject: Hi |
|
|
Acolyte
Joined: 11 Jan 2006 Posts: 58
|
I want to control unauthorized java clients from connecting to the MQ server. But I do not want to use the following methods
- use windows id to authenticate
- put MCAUserid in the channel properties
I have a SecurityExit in place to authenticate but the MCAUserid gets in the way, i.e. if I supply the correct userid/pw to my securityexit, it works, but if I supply no userid/pw, it still connects due to the MCAUserid.
Therefore I want to ask: how do I pass in my own MCAUserid from the java client to pass to the server?
|
wschutz |
Posted: Wed Mar 08, 2006 2:30 am Post subject: |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
Fair enough, but you have to have a svrconn security exit to set the MCAUser, you can't do it from the clntconn side.... and as I said before, you would use a security flow to pass the userid from the clntconn side to the svrconn side of the channel.... _________________ -wayne |
|
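A client-side exit that sends the user ID in a security flow, as described in the replies above (an added example, not code from any poster in this thread or from IBM). The class name, the constructor and the wire format are assumptions, and it presumes a partner SVRCONN security exit, written in native code and not shown here, that parses this flow, sets MCAUserIdentifier in the MQCD, and closes the channel when no valid flow arrives.

```java
import com.ibm.mq.MQChannelDefinition;
import com.ibm.mq.MQChannelExit;
import com.ibm.mq.MQSecurityExit;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

// Added example. Assumed, not from the thread: class name, constructor, wire format.
public class CredentialFlowExit implements MQSecurityExit {
    private static final byte[] MAGIC = {'C', 'F', 'X', '1'}; // constructed format tag
    private final byte[] user;
    private final byte[] pass;

    public CredentialFlowExit(String userId, String password) {
        user = userId.getBytes(StandardCharsets.UTF_8);
        pass = password.getBytes(StandardCharsets.UTF_8);
        // MCAUserIdentifier holds 12 characters; lengths must fit the 1-byte prefixes.
        if (user.length == 0 || user.length > 12 || pass.length == 0 || pass.length > 255) {
            throw new IllegalArgumentException("user ID must be 1-12 bytes, password 1-255 bytes");
        }
    }

    public byte[] securityExit(MQChannelExit mce, MQChannelDefinition mcd, byte[] agentBuffer) {
        switch (mce.exitReason) {
            case MQChannelExit.MQXR_INIT_SEC:
                // The server exit did not start the exchange: send one flow, expect no reply.
                mce.exitResponse = MQChannelExit.MQXCC_SEND_SEC_MSG;
                return buildFlow();
            case MQChannelExit.MQXR_SEC_MSG:
                // This format defines no server-to-client flow: fail closed.
                mce.exitResponse = MQChannelExit.MQXCC_CLOSE_CHANNEL;
                return null;
            default:
                // MQXR_INIT, MQXR_TERM: nothing to do.
                mce.exitResponse = MQChannelExit.MQXCC_OK;
                return agentBuffer;
        }
    }

    // Layout: MAGIC | len(user) | user | len(pass) | pass   (lengths are single bytes)
    byte[] buildFlow() {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(MAGIC, 0, MAGIC.length);
        out.write(user.length);
        out.write(user, 0, user.length);
        out.write(pass.length);
        out.write(pass, 0, pass.length);
        return out.toByteArray();
    }
}
```

Install it before connecting with `MQEnvironment.securityExit = new CredentialFlowExit(user, password);`, where `user` and `password` are whatever the application collected. The flow crosses the network in clear text unless the channel also uses SSL.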
jefflowrey |
Posted: Wed Mar 08, 2006 5:41 am Post subject: Re: Hi |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
SilentWind wrote: |
But I do not want to use the following methods
- use windows id to authenticate
- put MCAUserid in the channel properties |
Why not use SSL?
Or do you think you can't control your client machines well enough to secure the certs? _________________ I am *not* the model of the modern major general. |
|
RogerLacroix |
Posted: Wed Mar 08, 2006 1:09 pm Post subject: Re: Hi |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
jefflowrey wrote: |
SilentWind wrote: |
But I do not want to use the following methods
- use windows id to authenticate
- put MCAUserid in the channel properties |
Why not use SSL?
Or do you think you can't control your client machines well enough to secure the certs? |
Hi,
MQ Authenticate User Security Exit can do everything that you are trying to accomplish.
- Login with a valid OS UserID & password (i.e. fred & abc) then use a different UserId (i.e. barney) for MQ interaction
- Login with a valid OS UserID & password (i.e. fred & abc) then use it (i.e. fred) for MQ interaction
- Login with an invalid OS UserID & password (i.e. fred & abc123) then the connection is rejected.
For more information, on MQAUSX including support of MS Active Directory, go to http://www.capitalware.biz/mqausx_overview.html
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
|
SilentWind |
Posted: Wed Mar 08, 2006 5:22 pm Post subject: Re: |
|
|
Acolyte
Joined: 11 Jan 2006 Posts: 58
|
RogerLacroix: Thanks, I will look into it.
jefflowrey: I will have many clients connecting, SSL could be a hassle. Have not explored that avenue tho...
wschutz: Ok, I understand. I will go read up on that first. Thanks. |
|