bbburson
Posted: Mon Jul 31, 2006 11:06 am Post subject: SOLVED: Security exit behavior change
Partisan
Joined: 06 Jan 2004 Posts: 378 Location: Nowhere near a queue manager
We have a locally-developed security exit that runs on SVRCONN channels to validate the source IP address of a client connection. In migrating it to 64-bit code for WMQ v6 the developer reports that the CONNAME that included the client's IP address in v5.3 now shows 0.0.0.0 instead.
Any ideas why this changed and where he can find the correct IP address in the connection info?
Last edited by bbburson on Tue Aug 08, 2006 12:43 pm; edited 1 time in total

jefflowrey
Posted: Mon Jul 31, 2006 11:25 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
You're probably seeing the IP address of the connection coming from the MCA, rather than from the client itself.
You probably need to have your exit run on both the client and the server side and stream the necessary information from one to another.
You're probably much better off implementing a firewall or Extended Security Edition, or maybe a third-party solution.
_________________
I am *not* the model of the modern major general.

markt
Posted: Mon Jul 31, 2006 12:23 pm Post subject:
Knight
Joined: 14 May 2002 Posts: 508
Believe it's a known bug. Check service.

bbburson
Posted: Mon Jul 31, 2006 12:41 pm Post subject:
Partisan
Joined: 06 Jan 2004 Posts: 378 Location: Nowhere near a queue manager
markt wrote:
Believe it's a known bug. Check service.
Thanks Mark. In MQXR_INIT we're seeing
Code:
Mon Jul 31 15:23:27 2006
: MQXR_INIT
Mon Jul 31 15:23:27 2006
: pChDef->ConnectionName = 0.0.0.0
By "check service" I assume you mean "open a PMR." Will do.

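What a defensive exit should do with that field, as an added example (this is not the exit from the thread, nor code from BlockIP2 or IBM): it assumes the exit receives the channel's ConnectionName as a blank-padded, fixed-length character buffer, as in the pChDef->ConnectionName value logged above, parses the host part, checks it against an allow list, and fails closed when the address is missing, malformed or 0.0.0.0. The allow list and the sample values are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Allow list of client addresses permitted to use the SVRCONN channel.
   Constructed for this example; a real exit would load it from a file. */
static const char *const ALLOWED_CLIENTS[] = {
    "10.1.2.3",
    "192.168.10.20",
};
static const size_t ALLOWED_COUNT = sizeof ALLOWED_CLIENTS / sizeof ALLOWED_CLIENTS[0];

/* Copy the host part of a ConnectionName ("host(port)" or "host") into out,
   stopping at the port, at a blank (MQ pads fixed-length character fields
   with blanks rather than NUL-terminating them) or at the field length.
   Returns 0 on success, -1 if the host part is empty or does not fit. */
static int extract_host(const char *conname, size_t conname_len,
                        char *out, size_t out_len)
{
    size_t i = 0;
    while (i < conname_len && conname[i] != '\0'
           && conname[i] != ' ' && conname[i] != '(') {
        if (i + 1 >= out_len)
            return -1;
        out[i] = conname[i];
        i++;
    }
    out[i] = '\0';
    return i == 0 ? -1 : 0;
}

/* Returns 1 if host is a well-formed dotted quad other than the unspecified
   address 0.0.0.0, else 0. 0.0.0.0 is exactly what the exit sees when the
   queue manager fails to fill in the field, so it must never be treated as
   a real peer address. */
static int is_usable_ipv4(const char *host)
{
    unsigned int octet[4];
    char tail;
    for (const char *p = host; *p != '\0'; p++)
        if (!((*p >= '0' && *p <= '9') || *p == '.'))
            return 0;          /* reject signs, hex, hostnames, etc. */
    if (sscanf(host, "%u.%u.%u.%u%c",
               &octet[0], &octet[1], &octet[2], &octet[3], &tail) != 4)
        return 0;              /* wrong number of octets or trailing junk */
    for (int k = 0; k < 4; k++)
        if (octet[k] > 255)
            return 0;
    return !(octet[0] == 0 && octet[1] == 0 && octet[2] == 0 && octet[3] == 0);
}

/* Decision for one incoming connection. Fails closed: an empty, malformed or
   0.0.0.0 ConnectionName is rejected instead of being matched or waved
   through. Returns 1 to allow the connection, 0 to reject it. */
int exit_allows_connection(const char *conname, size_t conname_len)
{
    char host[64];
    if (extract_host(conname, conname_len, host, sizeof host) != 0)
        return 0;
    if (!is_usable_ipv4(host))
        return 0;
    for (size_t k = 0; k < ALLOWED_COUNT; k++)
        if (strcmp(host, ALLOWED_CLIENTS[k]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed samples, including the 0.0.0.0 value logged in the thread. */
    const char *samples[] = { "10.1.2.3(1414)", "0.0.0.0", "172.16.0.9(1414)", "" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-20s -> %s\n", samples[k],
               exit_allows_connection(samples[k], strlen(samples[k])) ? "allow" : "reject");
    return 0;
}
```

The point of the fail-closed branch is that a bug like the one in this thread then shows up as every client being rejected and an error in the log, rather than as an exit that silently stops checking anything.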
bbburson
Posted: Tue Aug 01, 2006 7:08 am Post subject:
Partisan
Joined: 06 Jan 2004 Posts: 378 Location: Nowhere near a queue manager
Forgot to mention, this strangeness is seen on HP-UX 11.11 ONLY. The recompiled-for-64bit exit works as intended on Solaris and AIX.

jefflowrey
Posted: Tue Aug 01, 2006 7:24 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
Well, if you'd mentioned that, I wouldn't have guessed wrong.
A firewall is still a better solution, in my opinion. Doesn't require restarting the qmgr if you upgrade.
_________________
I am *not* the model of the modern major general.

bbburson
Posted: Tue Aug 01, 2006 8:15 am Post subject:
Partisan
Joined: 06 Jan 2004 Posts: 378 Location: Nowhere near a queue manager
jefflowrey wrote:
Well, if you'd mentioned that, I wouldn't have guessed wrong.
Sorry for the confusion.
jefflowrey wrote:
A firewall is still a better solution, in my opinion. Doesn't require restarting the qmgr if you upgrade.
No arguments here. This exit is actually a stop-gap measure for the few of our applications that for whatever reason cannot do SSL yet.

markt
Posted: Tue Aug 01, 2006 8:34 am Post subject:
Knight
Joined: 14 May 2002 Posts: 508
IY86343
<ERROR_DESCRIPTION>
The ConnectionName and ShortConnectionName fields in the MQCD
passed to an exit on a receiver-type channel, for example a
RCVR or SVRCONN, are set to 0.0.0.0 if the UNIX listener inetd
is used. The fields are correctly set if runmqlsr is used.
Also, the CONNAME displayed in runmqsc for the channel is
0.0.0.0.
</ERROR_DESCRIPTION>
Not yet included in an official fixpack.

jefflowrey
Posted: Tue Aug 01, 2006 8:51 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
bbburson wrote:
jefflowrey wrote:
Well, if you'd mentioned that, I wouldn't have guessed wrong.
Sorry for the confusion.
No worries!
_________________
I am *not* the model of the modern major general.

bbburson
Posted: Tue Aug 01, 2006 9:35 am Post subject:
Partisan
Joined: 06 Jan 2004 Posts: 378 Location: Nowhere near a queue manager
markt wrote:
IY86343
<ERROR_DESCRIPTION>
The ConnectionName and ShortConnectionName fields in the MQCD
passed to an exit on a receiver-type channel, for example a
RCVR or SVRCONN, are set to 0.0.0.0 if the UNIX listener inetd
is used. The fields are correctly set if runmqlsr is used.
Also, the CONNAME displayed in runmqsc for the channel is
0.0.0.0.
</ERROR_DESCRIPTION>
Not yet included in an official fixpack.
Sorry, Mark, but I must disagree. We use runmqlsr only, and I just logged on to verify that the inetd listener has not jumped in there by mistake. So there must be more to it. We have opened a PMR and will see what comes of that.

jefflowrey
Posted: Tue Aug 01, 2006 10:01 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
Also, I have seen error messages in AMQERR01.LOG "in the wild" on AIX and HP-UX with the '0.0.0.0' address for what I know are svrconns.
So I had more than one reason for guessing wrong.
_________________
I am *not* the model of the modern major general.

bbburson
Posted: Tue Aug 08, 2006 12:42 pm Post subject: solved
Partisan
Joined: 06 Jan 2004 Posts: 378 Location: Nowhere near a queue manager
Turns out IY86343 is needed on HP-UX systems even if runmqlsr is used. IBM provided the files for this fix and the exits are working as expected now. Thanks for the pointers and help here.

oz1ccg
Posted: Wed Aug 09, 2006 9:11 am Post subject:
Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
It turns out that the problems can also appear on Windows and the other UNIX implementations.
A description is found here on IBM.com
-- Lock it or Lose it --
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.

Hassan
Posted: Fri Aug 18, 2006 6:27 am Post subject:
Voyager
Joined: 01 Apr 2004 Posts: 81 Location: Toronto, Canada
I just had them add iSeries to the list of platforms. We experienced the same problem on our iSeries systems. Although it was not so much of a problem as yet, since we are not using block-IP type security exits.

dutchman
Posted: Mon Sep 04, 2006 3:49 am Post subject:
Acolyte
Joined: 15 May 2001 Posts: 71 Location: Netherlands
Hi - I upgraded 2 machines last Sat and am experiencing the same conname(0.0.0.0) problem. My system is on Linux and it happens regardless of whether an exit is used. Also, I'm using runmqlsr as the listener.
I followed the link that was posted and was interested to see that the HP fix was to apply refresh pack 6.0.2.1 - but afaik that cannot be downloaded as yet.
Cheers ... R