| MCA with Security Exit |
  	| 
		
		
		  | Author | Message |  
| samsam007 (Centurion; Joined: 30 Oct 2008; Posts: 107) | Posted: Tue Dec 02, 2008 6:15 pm | Post subject: MCA with Security Exit |
				| Hi, 
 I am not sure whether the following scenario invokes MCA authentication,
 
 Remote client has WebSphere MQ client software installed.
 MQ server is currently with V6.0 or v.70 later.
 Remote client establishes a connection with the MQ server through the server-connection channel.
 Server-side security exit is installed (with BlockIP2) at the MQ server and has been configured to be activated whenever a server-connection is established.
 
 I am aware that if the channel connection invokes a remote Qmgr and a local Qmgr, there should be client and server security exits, but the current situation is that the remote client has no Qmgr set up and only uses the MQ API to establish a connection with the Qmgr through the server-connection channel.
 
 Your explanation is highly appreciated.
 
 Thanks
 |  |  
| samsam007 (Centurion; Joined: 30 Oct 2008; Posts: 107) | Posted: Tue Dec 02, 2008 7:01 pm | Post subject: Re: MCA with Security Exit |
	| samsam007 wrote: |  
	| Hi, 
 I am not sure whether the following scenario invokes MCA authentication,
 
 Remote client has WebSphere MQ client software installed.
 MQ server is currently with V6.0 or v.70 later.
 Remote client establishes a connection with the MQ server through the server-connection channel.
 Server-side security exit is installed (with BlockIP2) at the MQ server and has been configured to be activated whenever a server-connection is established.
 
 I am aware that if the channel connection invokes a remote Qmgr and a local Qmgr, there should be client and server security exits, but the current situation is that the remote client has no Qmgr set up and only uses the MQ API to establish a connection with the Qmgr through the server-connection channel.
 
 Your explanation is highly appreciated.
 
 Thanks
 |  
 Basically, I want to know: if the MCA is not invoked from the remote client application because there is no Qmgr and channel exit at the client end, how does the channel security authentication between the remote client application and the MQ server work over the server-connection channel, and what mechanism is used?
 
 Thanks
 |  |  
| RogerLacroix (Jedi Knight; Joined: 15 May 2001; Posts: 3265; Location: London, ON Canada) | Posted: Tue Dec 02, 2008 8:32 pm |
				| Hi, 
 You should read both the WMQ Intercommunication and WMQ Security manual.
 
 The client-side does use a channel (CLNTCONN), does support client-side security exits, does have a client-side channel agent, etc...
 
 Also, there is no such thing as "MCA authentication".
 
 Regards,
 Roger Lacroix
 Capitalware Inc.
 _________________
 Capitalware: Transforming tomorrow into today.
 |  |  
| samsam007 (Centurion; Joined: 30 Oct 2008; Posts: 107) | Posted: Tue Dec 02, 2008 10:29 pm |
	| RogerLacroix wrote: |  
	| Hi, 
 You should read both the WMQ Intercommunication and WMQ Security manual.
 
 The client-side does use a channel (CLNTCONN), does support client-side security exits, does have a client-side channel agent, etc...
 
 Also, there is no such thing as "MCA authentication".
 
 Regards,
 Roger Lacroix
 Capitalware Inc.
 |  
 I actually don't have a client-side security exit; I only use BlockIP2 to authenticate the user-id that is sent from the client. The client program is written in Java, with Environment.userid populated.
 |  |  
| samsam007 (Centurion; Joined: 30 Oct 2008; Posts: 107) | Posted: Tue Dec 02, 2008 10:37 pm |
	| RogerLacroix wrote: |  
	| Hi, 
 You should read both the WMQ Intercommunication and WMQ Security manual.
 
 The client-side does use a channel (CLNTCONN), does support client-side security exits, does have a client-side channel agent, etc...
 
 Also, there is no such thing as "MCA authentication".
 
 Regards,
 Roger Lacroix
 Capitalware Inc.
 |  
 Do you mean the CLNTCONN and client-side security exit are *automatically* generated and executed even if I am running only a server-side security exit on the server-connection channel?
 
 Sorry, I have read the WMQ Intercommunication manual as well as the security manual a few times. But they all talk about client and server side security exits. I still can't get a picture of how a server-side-only security exit works with a remote client without a Qmgr installed.
 
 Thanks
 |  |  
| samsam007 (Centurion; Joined: 30 Oct 2008; Posts: 107) | Posted: Tue Dec 02, 2008 10:50 pm |
	| RogerLacroix wrote: |  
	| Hi, 
 You should read both the WMQ Intercommunication and WMQ Security manual.
 
 The client-side does use a channel (CLNTCONN), does support client-side security exits, does have a client-side channel agent, etc...
 
 Also, there is no such thing as "MCA authentication".
 
 Regards,
 Roger Lacroix
 Capitalware Inc.
 |  
 After reading through the security exit manual, I learned that Message Exits happen on the SVRCONN channel.
 
 Can you tell me on which pages the document explains implementing only a server-side security exit to authenticate with a remote client user-id without creating a client-side security exit? I remember reading a document that mentioned that, but can't remember which document it was. It is not one of those *well-known* IBM manuals.
 
 Thanks
 |  |  
| samsam007 (Centurion; Joined: 30 Oct 2008; Posts: 107) | Posted: Tue Dec 02, 2008 10:53 pm |
	| samsam007 wrote: |  
	| 
   
	| RogerLacroix wrote: |  
	| Hi, 
 You should read both the WMQ Intercommunication and WMQ Security manual.
 
 The client-side does use a channel (CLNTCONN), does support client-side security exits, does have a client-side channel agent, etc...
 
 Also, there is no such thing as "MCA authentication".
 
 Regards,
 Roger Lacroix
 Capitalware Inc.
 |  
 After reading through the security exit manual, I learned that Message Exits happen on the SVRCONN channel.
 
 Can you tell me on which pages the document explains implementing only a server-side security exit to authenticate with a remote client user-id without creating a client-side security exit? I remember reading a document that mentioned that, but can't remember which document it was. It is not one of those *well-known* IBM manuals.
 
 Thanks
 |  
 I remember it said that there can be only a server-side security exit; in this case, the user-id from the remote client is in the macuser field, which is defined by Environment.userid in Java, for example.
 |  |  
| gbaddeley (Jedi Knight; Joined: 25 Mar 2003; Posts: 2538; Location: Melbourne, Australia) | Posted: Wed Dec 03, 2008 8:37 pm |
	| samsam007 wrote: |  
	| I remember it said that there can be only a server-side security exit; in this case, the user-id from the remote client is in the macuser field, which is defined by Environment.userid in Java, for example. |  
 Security exits can run on both the client-side and server-side of client channels. Obviously the code is different on each side. Generally they negotiate using encrypted security messages (e.g. to send and authenticate credentials like userid and password).
 
 Without a client-side security exit you cannot trust *anything* that MQ provides to the server-side security exit because the MQ client protocol can be easily spoofed by an attacker.
 _________________
 Glenn
 |  |  
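
A simplified model of the point made in the last reply, added here as an illustration; it is not part of the thread and is not MQ or BlockIP2 code. It contrasts a server-side-only check that accepts whatever user ID the client asserts with a two-sided exchange in which the client half must prove possession of a key. All names (`server_exit_trusting`, `ServerExit`, `client_exit_respond`, `connect`), the key table and the message layout are hypothetical, and it uses an HMAC challenge-response in place of the encrypted security messages the reply mentions.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one shared key per user, provisioned out of band.
SHARED_KEYS = {"appuser": b"constructed-demo-key-not-a-real-secret"}
ALLOWED_USERS = {"appuser"}


def server_exit_trusting(asserted_user: str) -> bool:
    """Server-side-only check: the user ID is whatever the client sent."""
    return asserted_user in ALLOWED_USERS


class ServerExit:
    """Server half of a two-sided exchange (hypothetical message layout)."""

    def __init__(self) -> None:
        self.nonce = b""

    def challenge(self) -> bytes:
        # Fresh random nonce per connection so a captured reply cannot be replayed.
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify(self, user: str, proof: bytes) -> bool:
        key = SHARED_KEYS.get(user)
        if key is None or not self.nonce:
            return False
        expected = hmac.new(key, self.nonce + user.encode(), hashlib.sha256).digest()
        self.nonce = b""  # one verification attempt per challenge
        return hmac.compare_digest(expected, proof)


def client_exit_respond(user: str, key: bytes, nonce: bytes) -> bytes:
    """Client half: prove possession of the key without sending it."""
    return hmac.new(key, nonce + user.encode(), hashlib.sha256).digest()


def connect(user: str, key: bytes) -> bool:
    """Run one challenge-response exchange and return the server's decision."""
    server = ServerExit()
    nonce = server.challenge()
    return server.verify(user, client_exit_respond(user, key, nonce))
```

`server_exit_trusting` returns the same answer for any caller that sends an allowed name, which is why an allow-list on an asserted user ID is an identification step only; `connect` succeeds only when the caller holds the key for that name.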