sidy
Posted: Wed Oct 19, 2005 4:00 pm Post subject: Using API exit to limit queue access?
Newbie
Joined: 10 Jul 2002 Posts: 5 Location: Australia
G'Day all,
A question for you all...
If I have 1000 clients using the same channel (server connection) to connect
to a queue manager (v5.3 on Windows NT), can I use an API exit to
restrict the queues they can access, so that client 1 can only access
client1.queue and client 2 can only access client2.queue etc., without
using a security exit?
_________________
==================
Sid Young
Brisbane
Australia
==================
wschutz
Posted: Wed Oct 19, 2005 4:19 pm Post subject:
Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
This has been discussed many times ... use the "search" function to check
for "client and channel and security".
Also, read the MQ Security and Client and Intercommunications manuals.
If you still have questions, then ask here.
_________________
-wayne
sidy
Posted: Wed Oct 19, 2005 5:00 pm Post subject:
Newbie
Joined: 10 Jul 2002 Posts: 5 Location: Australia
Hi,
I had performed a search prior to asking the question, and nothing relevant to the specific problem domain was found. If you know a specific post that has a solution, please send it to me; I am keen to see if this has been solved via an API exit. I have also read the manuals many times over the years, so I have an idea of what is in them.
Thanks
_________________
==================
Sid Young
Brisbane
Australia
==================
wschutz
Posted: Wed Oct 19, 2005 5:07 pm Post subject:
Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
Okay. First question... why not just use standard security (setmqaut) to do this?
(Maybe you can explain what you mean by "client 1": userid, machine id, IP address?)
_________________
-wayne
sidy
Posted: Wed Oct 19, 2005 5:43 pm Post subject:
Newbie
Joined: 10 Jul 2002 Posts: 5 Location: Australia
Ok,
Let me explain this a bit further. I need to roll out a system to 3500 users around the world who already have our application and connect to a WMQ server to collect encrypted data. The software connects automatically at different times during the day; all clients connect on one channel and stay connected for about 60 seconds to collect data and then disconnect. There are 6 listeners running to share the load. At any one time 600 clients might be connected.
There are 3 queues per client, so all up there are about 10,000 queues being used. The new system will split the clients across 4 servers which will be in different geographic regions.
The MCAUSER is set to a principal that has limited access to a set number of local queues. The queue names start with a certain naming scheme,
say DATA_xxxx.type; the authorities are set to allow them +browse +get +put as required to the different types of local queues. All channels use BlockIP2 security exits to restrict MCA and connection details. There are no security exits on the clients just yet, as all data is encrypted by default.
I have the capability to instruct the clients via an encrypted XML message to change connection hosts, so I can move them to the new systems in one hit.
However.....!
I now want a smarter way to limit the client when it connects on the channel. If I can do it via an API exit (not a security exit) so that they can only open and get from specific queues based on their site code (that's the xxxx part of the queue name), then I don't need to roll out a new client application or a security exit to the clients (clients are located all over the world).
I have searched for API security exit questions and cannot find an answer so far.
So that is my question... can an API exit be used to restrict an incoming client to a specific set of queues if I know the client's ID, but keep in mind they all have the same MCA and channel?
Sid
_________________
==================
Sid Young
Brisbane
Australia
==================
wschutz
Posted: Wed Oct 19, 2005 6:09 pm Post subject:
Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
Well, I don't see why you couldn't use the API exit. MQAXC has things like the channel name and connection name, and the exit gets called on the MQOPEN.
_________________
-wayne
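The MQOPEN-time check wschutz describes, built around the MQAXC fields he names and the DATA_xxxx.type naming scheme from Sid's post above, written out as an added example (this is not code from the thread, from Sid, or from IBM). The channel name CLIENT.SVRCONN, the host-to-site table, the exact queue-name layout and the choice of reason code 2035 are all assumptions; the MQ entry point at the end follows the MQ_OPEN_EXIT shape from cmqec.h and is compiled only when the MQ headers are available:

```c
/* MQOPEN gate for one shared SVRCONN channel, in the shape of a WMQ API exit
 * registered for MQXF_OPEN / MQXR_BEFORE. Added example for this thread: not
 * sidy's code and not IBM's. Assumed: the site table, the channel name, the
 * queue-name layout DATA_<4-char site>.<type>, and returning 2035 on refusal.
 * The decision logic is plain C so it builds without MQ headers; the exit
 * entry point at the end compiles only with -DMQ_API_EXIT_BUILD. */
#include <string.h>

#define SITE_CODE_LEN     4
#define Q_NAME_LEN        48      /* MQ_Q_NAME_LENGTH in cmqc.h */
#define CHANNEL_NAME_LEN  20      /* MQ_CHANNEL_NAME_LENGTH */
#define CONN_NAME_LEN     264     /* MQ_CONN_NAME_LENGTH */
#define GUARDED_CHANNEL   "CLIENT.SVRCONN"   /* assumed name of the shared channel */

enum { RC_NONE = 0, RC_NOT_AUTHORIZED = 2035 };  /* MQRC_NONE, MQRC_NOT_AUTHORIZED */

/* Constructed sample table: connecting host -> site code. A real exit would
 * load this in MQ_INIT_EXIT from a file rather than hard-code it. */
static const struct { const char *host; const char *site; } SITE_TABLE[] = {
    { "10.1.1.20",    "0001" },
    { "10.2.7.9",     "0002" },
    { "192.168.77.5", "0042" },
};

/* MQAXC and MQOD character fields are blank-padded, not NUL-terminated. */
void mqchar_to_cstr(const char *src, size_t len, char *dst)
{
    while (len > 0 && (src[len - 1] == ' ' || src[len - 1] == '\0'))
        len--;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* ConnectionName arrives as "10.1.1.20(1414)"; match the host part exactly.
 * Returns NULL for a host that is not in the table. */
static const char *site_for_connection(const char *conn_name)
{
    char host[CONN_NAME_LEN + 1];
    size_t n = strcspn(conn_name, "(");
    if (n > CONN_NAME_LEN)
        return NULL;
    memcpy(host, conn_name, n);
    host[n] = '\0';
    for (size_t i = 0; i < sizeof SITE_TABLE / sizeof SITE_TABLE[0]; i++)
        if (strcmp(host, SITE_TABLE[i].host) == 0)
            return SITE_TABLE[i].site;
    return NULL;
}

/* Accept exactly DATA_<site>.<type> with one non-empty type qualifier, so
 * DATA_00012.X or DATA_0001 alone are refused for site 0001. */
static int queue_allowed(const char *qname, const char *site)
{
    static const char prefix[] = "DATA_";
    const size_t plen = sizeof prefix - 1;
    if (strncmp(qname, prefix, plen) != 0 ||
        strncmp(qname + plen, site, SITE_CODE_LEN) != 0 ||
        qname[plen + SITE_CODE_LEN] != '.')
        return 0;
    const char *type = qname + plen + SITE_CODE_LEN + 1;
    return *type != '\0' && strchr(type, '.') == NULL;
}

/* Decision for one MQOPEN: RC_NONE lets the call proceed, anything else is the
 * reason code handed back. Other channels are left to the normal OAM checks;
 * a host missing from the table fails closed. */
long open_decision(const char *channel, const char *conn_name, const char *qname)
{
    if (strcmp(channel, GUARDED_CHANNEL) != 0)
        return RC_NONE;
    const char *site = site_for_connection(conn_name);
    if (site == NULL)
        return RC_NOT_AUTHORIZED;
    return queue_allowed(qname, site) ? RC_NONE : RC_NOT_AUTHORIZED;
}

#ifdef MQ_API_EXIT_BUILD
#include <cmqec.h>
/* MQ_OPEN_EXIT entry point; register it with MQXEP(MQXF_OPEN, MQXR_BEFORE) from
 * the exit's MQ_INIT_EXIT, as the shipped sample amqsaxe0 does. Structure and
 * constant names follow cmqec.h/cmqc.h; check them against your MQ level. */
void MQENTRY SiteOpenExit(PMQAXP pExitParms, PMQAXC pExitContext, PMQHCONN pHconn,
                          PPMQOD ppObjDesc, PMQLONG pOptions, PPMQHOBJ ppHobj,
                          PMQLONG pCompCode, PMQLONG pReason)
{
    char chl[CHANNEL_NAME_LEN + 1], conn[CONN_NAME_LEN + 1], q[Q_NAME_LEN + 1];
    (void)pHconn; (void)pOptions; (void)ppHobj;
    if (pExitParms->ExitReason != MQXR_BEFORE || (*ppObjDesc)->ObjectType != MQOT_Q)
        return;                                    /* pre-call check on queues only */
    mqchar_to_cstr(pExitContext->ChannelName, CHANNEL_NAME_LEN, chl);
    mqchar_to_cstr(pExitContext->ConnectionName, CONN_NAME_LEN, conn);
    mqchar_to_cstr((*ppObjDesc)->ObjectName, Q_NAME_LEN, q);
    long rc = open_decision(chl, conn, q);
    if (rc != RC_NONE) {
        pExitParms->ExitResponse = MQXCC_SUPPRESS_FUNCTION;  /* MQOPEN is not performed */
        *pCompCode = MQCC_FAILED;
        *pReason = (MQLONG)rc;
    }
}
#endif
```

Because every client arrives on the same channel under the same MCAUSER, the only per-client signal this exit can act on is the connection name, so the host table is the trust anchor: two sites behind one NAT address cannot be told apart by it, and a host absent from the table is refused rather than allowed. Which code to return is a design choice; as hopsala suggests later in the thread, a value other than 2035 makes it clear in the client's error that the exit, not the OAM, refused the open.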
wschutz
Posted: Thu Oct 20, 2005 6:12 am Post subject:
Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
Oh, and by the way, the sample program that ships with MQ
(amqsaxe0) is a great tool for understanding how the crossing exit works.
_________________
-wayne
harry_hotdog
Posted: Thu Oct 20, 2005 6:38 am Post subject:
Novice
Joined: 19 Oct 2005 Posts: 10 Location: England
You could use a RCV exit at the server, and check the operation being carried out by the client. The meaning of some values of byte 10 of the TSH in client data flows has been published by IBM (Intercomms manual Table 52, Identifying API Calls, at 5.3), so you could test for an MQOPEN request (byte 10 = x83), then search for the MQOD in the client data and check whether it is a queue name the client is allowed to open.
You can maintain a table on the server of which queues each client is allowed to open.
If the client is not allowed to open the queue specified in the OD, you could alter the OD to contain a non-existent queue name, and the client would be returned a 2085 reason code.
wschutz
Posted: Thu Oct 20, 2005 6:48 am Post subject:
Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
You could use a receive exit, but I think it is much cleaner to use the API exit and only register for open calls (and more efficient). Plus, with the API exit, you can choose what value to return if you don't like the open call (like: 2035).
_________________
-wayne
hopsala
Posted: Thu Oct 20, 2005 12:07 pm Post subject:
Guardian
Joined: 24 Sep 2004 Posts: 960
I'm with wayne here. The RCV exit design concept is that it is called more than once per message (you cannot control how many times), which indeed fits in with compression and encryption schemes but is completely ineffective for coding authentication. A much better way would be, as wayne suggested, to take over MQOPEN calls; this is how the QM provides normal authentication, and you should do the same.
However, IMO, you'd be better off using a different code than 2035, to avoid confusion and speed up problem determination.
fjb_saper
Posted: Thu Oct 20, 2005 3:21 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
As you are using BlockIP, why not lose the MCAUSER, disallow blank in BlockIP and set up setmqaut for the groups?
Enjoy