| Author |
Message
|
| sridhsri |
 Posted: Thu Apr 23, 2009 10:46 am Post subject: Client Connection Exit |
 |
|
Master
Joined: 19 Jun 2008
Posts: 297
|
I have MQ 7.0.0.1 Server and Client installed on Windows. I have created a Server connection channel and a client connection channel pair. I have set the SCYEXIT attribute for both channels. My exit (it is the same exit for both types of channels) exists in the default exit path.
When I try to connect using a MQ Java Application (which is connecting to the queue manager using a client connection table), only the MQCHT_SVRCONN is being executed. The code never reaches MQCHT_CLNTCONN.
My guess is that the client is not loading the exit. I checked my registry and the default exit paths are all correct. I even added a ClientExitPath stanza in the mqclient.ini file.
Why isn't my client loading the exit ? |
|
| Back to top |
|
 |
| gbaddeley |
| Posted: Thu Apr 23, 2009 5:04 pm Post subject: |
|
|
Jedi Knight
Joined: 25 Mar 2003
Posts: 2538
Location: Melbourne, Australia
|
Does it load & run when you use the CCDT with a C program, such as the amqsputc sample? Did you check the client error log for diagnostic messages?
_________________
Glenn |
|
| Back to top |
|
|
| sridhsri |
| Posted: Thu Apr 23, 2009 5:09 pm Post subject: |
|
|
Master
Joined: 19 Jun 2008
Posts: 297
|
That is the thing. It doesn't get loaded - ever!
I did try using the amqscnxc program shipped with the samples. While using that sample, I wasn't able to get it working with the MQCHLTAB and MQCHLLIB variables. But I was able to get it working with the -x and -c parameters. Even with this application, my client connection exit was not loaded.
I think there are two possibilities for why this may not be working. Either MQXR_INIT_SEC is not returning the right return value which could be why the client exit is not loaded or the application is just not loading the exit.
I don't get any error when the applications run. It just wont go to the part of code for CLNTCONN. |
|
| Back to top |
|
|
| sridhsri |
| Posted: Thu Apr 23, 2009 5:56 pm Post subject: |
|
|
Master
Joined: 19 Jun 2008
Posts: 297
|
| I don't think it is the return value any more. I am pretty sure the exit is not even loaded by the application. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri Apr 24, 2009 2:37 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
Right, so the java app has to specifically use the CCDT when building your connection in order to get a C based exit to run.
Or you have to write a Java exit that calls your C exit.
There is discussion of this somewhere in the Java manual or in the Clients manual. |
|
| Back to top |
|
|
| sridhsri |
| Posted: Fri Apr 24, 2009 5:08 am Post subject: |
|
|
Master
Joined: 19 Jun 2008
Posts: 297
|
Hey Jeff,
The Java Application is using the CCDT. The Java Application is also able to put a message on the queue. The client connection channel definition has the SCYEXIT property set.
I don't understand what you said:
| Quote: |
Or you have to write a Java exit that calls your C exit.
|
I know that we could write a security exit in Java. But I didn't know that the Java exit could load/call the C Exit. I'll look up the Java or Client Manual. |
|
| Back to top |
|
|
| sridhsri |
| Posted: Fri Apr 24, 2009 5:16 am Post subject: |
|
|
Master
Joined: 19 Jun 2008
Posts: 297
|
Hey Jeff,
I got it. I need to implement "MQExternalSecurityExit". I am going to experiment with this now. |
|
| Back to top |
|
|
| sridhsri |
| Posted: Fri Apr 24, 2009 5:22 am Post subject: |
|
|
Master
Joined: 19 Jun 2008
Posts: 297
|
The MQExternalSecurityExit is no longer available in MQ v7.0.
Here is the quote from the documentation:
| Quote: |
| In WebSphere MQ Version 7.0, you can specify the name of a channel exit program written in C as a String passed to the channelSecurityExit, channelSendExit, or channelReceiveExit fields in the MQEnvironment object or properties Hashtable. Specify the exit program name in the format library(function) and ensure that the location of the exit program is included in the path environment variable. |
|
|
| Back to top |
|
|
| sridhsri |
| Posted: Fri Apr 24, 2009 5:34 am Post subject: |
|
|
Master
Joined: 19 Jun 2008
Posts: 297
|
| That didn't work either. Still isn't getting loaded and I see no errors. My Java application can still put messages. |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Fri Apr 24, 2009 6:42 am Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada
|
Hi,
Coding an MQ security exit is an advanced-level topic and is extremely complex because you need to indepth knowledge of multiple languages. i.e. C, Java, C# (for .NET), etc..
Secondly, WMQ v7.0.0.0 and v7.0.0.1 is full of client-side security exit bugs. I personally have 3 PMRs opened for client-side issues and I know T.Rob has 3 PMRs opened for 3 different security bugs. Supposedly, all of these fixes will be in v7.0.0.2.
Finally, why rebuild the wheel when there are already 3 fully supported solutions in the market place:
1. Capitalware's MQ Authenticate User Security Exit (MQAUSX)
2. IBM's WebSphere MQ Extended Security Edition
3. Primeur's Data Secure for WebSphere MQ
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| sridhsri |
| Posted: Fri Apr 24, 2009 7:08 am Post subject: |
|
|
Master
Joined: 19 Jun 2008
Posts: 297
|
| You make a very fair point about existing solutions. I don't intend to replace them. My work was not intended for any customer or to be deployed on production queue managers. But I am nevertheless curious and inquisitive. |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Fri Apr 24, 2009 7:29 am Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada
|
Hi,
Lets look at it from a company cost perspective. If your company pays you $50 per hour and you have spent 10 hours coding, debugging and testing without any success, the cost to the company so far is $500.
A single license for MQAUSX costs $499.
By the time you are done getting a basic solution working you will most likely spend 200 hours (probably a lot higher). This is before support costs.
Hence, your company would have spent $10,000 (200 * $50). For $10,000, you could have purchased 22 MQAUSX licenses (22 *$449 - volume discount) for a supported product.
Something to think about. 
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| sridhsri |
| Posted: Fri Apr 24, 2009 7:43 am Post subject: |
|
|
Master
Joined: 19 Jun 2008
Posts: 297
|
Excellent math Roger! 
But, I get MQ ESE for free!
I come from the school of thought where "Buy a hungry man lunch and he eats for a day. Teach a hungry man to fish and he never goes hungry again"
I'll think of it as my "company" is asking me to learn fishing  |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Fri Apr 24, 2009 8:16 am Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada
|
| sridhsri wrote: |
| But, I get MQ ESE for free! |
WMQ ESE is not free. Your company spent a huge some of money, one way or another, to get WMQ ESE.
| sridhsri wrote: |
I come from the school of thought where "Buy a hungry man lunch and he eats for a day. Teach a hungry man to fish and he never goes hungry again"
I'll think of it as my "company" is asking me to learn fishing |
It should be "requested" and not "think". Secondly, this is a double-edged statement. Where do you want to be on the food chain? Learning the complexes of WMQ ESE is a valued skill and is higher on the food chain.
i.e. In the morning, I want a cup of coffee. I don't grow my own beans and I don't build my own coffee maker. I buy the coffee I like and I purchased a good quality coffee maker because I want to be higher on the food chain as I have better things to do with my time. 
Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| sridhsri |
| Posted: Fri Apr 24, 2009 8:33 am Post subject: |
|
|
Master
Joined: 19 Jun 2008
Posts: 297
|
Excellent point again Roger!
I don't need convincing that MQ customers shouldn't be writing their exits - esp. when proven solutions like MQ ESE already exist.
p.s: MQ ESE is free for me - the "company" it work for, makes it |
|
| Back to top |
|
|
|
|
