Sam Uppu |
Posted: Tue Sep 22, 2009 7:38 pm Post subject: issue with Security exit |
|
|
 Yatiri
Joined: 11 Nov 2008 Posts: 610
|
Hi Guys,
We are running on AIX 5.3 with MQ ver 7.0.0.2.
We are planning to implement the BlockIP2 security exit.
We have defined a serverconn channel (TEST.SVRCONN) on TESTQMGR and altered the channel attributes SCYDATA and SCYEXIT as below:
SCYDATA(FN=/var/mqm/exits/Blockspec.txt;) and SCYEXIT(/var/mqm/exits64/BlockIP2)
When we tried to access the queue manager from a remote client machine, we got the errors below.
AMQ6175: The system could not dynamically load the shared library
'/var/mqm/exits64/BlockIP2'. The system returned error number '8' and error
message ' 0509-022 Cannot load module /var/mqm/exits64/BlockIP2.
0509-103
The module has an invalid magic number.'. The queue manager will continue
without this module.
EXPLANATION:
This message applies to AIX systems. The shared library
'/var/mqm/exits64/BlockIP2' failed to load correctly due to a problem with the
library.
ACTION:
Check the file access permissions and that the file has not been corrupted.
----- amqxufnx.c : 1156 -------------------------------------------------------
09/22/09 13:31:30 - Process(454696.2089) User(mqm) Program(amqrmppa)
AMQ9535: User exit not valid.
EXPLANATION:
Channel program 'TEST.SVRCONN' ended because user exit
'/var/mqm/exits64/BlockIP2' is not valid.
ACTION:
Ensure that the user exit is specified correctly in the channel definition, and
that the user exit program is correct and available.
----- amqrexta.c : 5858 -------------------------------------------------------
09/22/09 13:31:30 - Process(454696.2089) User(mqm) Program(amqrmppa)
AMQ9999: Channel program ended abnormally.
EXPLANATION:
Channel program 'TEST.SVRCONN' ended abnormally.
ACTION:
Look at previous error messages for channel program 'TEST.SVRCONN' in the error files to determine the cause of the failure
Let me know if I am missing anything in the configuration. |
 |
Mr Butcher |
Posted: Tue Sep 22, 2009 9:46 pm Post subject: |
|
|
 Padawan
Joined: 23 May 2005 Posts: 1716
|
SCYEXIT is wrong. Check BlockIP2 manual page 11 and page 13.
_________________
Regards, Butcher |
 |
Sam Uppu |
Posted: Wed Sep 23, 2009 4:21 am Post subject: |
|
|
 Yatiri
Joined: 11 Nov 2008 Posts: 610
|
Mr Butcher wrote: |
SCYEXIT is wrong. check BlockIP2 manual page 11 and page 13. |
I also gave SCYEXIT as in the manual, i.e., scyexit('BlockIP2(BlockExit)')
Still I was getting the same error saying
AMQ6175: The system could not dynamically load the shared library
'BlockIP2(BlockExit)'. The system returned error number '8' and error
message ' 0509-022 Cannot load module BlockIP2(BlockExit).
0509-103
The module has an invalid magic number.'. The queue manager will continue
without this module. |
 |
mqjeff |
Posted: Wed Sep 23, 2009 4:32 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
"Invalid magic number" *always* means that you are trying to use a 64bit executable on a 32 bit environment, or a 32bit executable in a 64bit environment.
You likely need both a 32bit and a 64bit copy of BlockIP deployed to both exits64 and exits directory. |
 |
Sam Uppu |
Posted: Wed Sep 23, 2009 6:34 am Post subject: |
|
|
 Yatiri
Joined: 11 Nov 2008 Posts: 610
|
mqjeff wrote: |
"Invalid magic number" *always* means that you are trying to use a 64bit executable on a 32 bit environment, or a 32bit executable in a 64bit environment.
You likely need both a 32bit and a 64bit copy of BlockIP deployed to both exits64 and exits directory. |
The BlockIP2 contains one tar file for AIX and MQ ver6.0. I don't find any copy of 32bit.
I copied the entries on /var/mqm/exits64 into /var/mqm/exits and pointed the SCYEXIT to /var/mqm/exits/BlockIP2. Still I get the same error.
Correct me if I am going wrong anywhere. |
 |
mqjeff |
Posted: Wed Sep 23, 2009 7:01 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
The one tar file may not have a 64 bit compiled exit.
Or it may not have a 32 bit compiled exit.
You can never put *the same* file or a *copy* of the same file in both places. |
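The 32-bit/64-bit mismatch discussed in the two posts above can be checked directly from the first two bytes of each module. This is an added example, not part of the original thread or of the BlockIP2 package; it assumes that `exits` must hold the 32-bit module and `exits64` the 64-bit one, that XCOFF32 files start with bytes 01 DF and XCOFF64 files with 01 F7, and the function names `xcoff_bits`, `check_exit` and `make_sample_tree` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): classify AIX exit modules by XCOFF magic.
# Assumption: XCOFF32 files start with bytes 01 DF, XCOFF64 files with 01 F7.

# xcoff_bits FILE -> prints 32, 64 or unknown
xcoff_bits() {
    magic=$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        01df) echo 32 ;;
        01f7) echo 64 ;;
        *)    echo unknown ;;
    esac
}

# check_exit BASEDIR MODULE
# Assumption: BASEDIR/exits/MODULE must be 32-bit, BASEDIR/exits64/MODULE 64-bit.
# Prints one line per problem and returns non-zero if any is found.
check_exit() {
    base=$1; module=$2; rc=0
    for pair in exits:32 exits64:64; do
        dir=${pair%%:*}; want=${pair##*:}
        path="$base/$dir/$module"
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        got=$(xcoff_bits "$path")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $path: expected ${want}-bit, found $got"; rc=1
        fi
    done
    return "$rc"
}

# make_sample_tree -> prints a temp dir holding constructed two-byte headers
# (sample data only, not real exit modules): one correct 32/64-bit pair.
make_sample_tree() {
    t=$(mktemp -d) && mkdir "$t/exits" "$t/exits64" || return 1
    printf '\001\337' > "$t/exits/BlockIP2"      # 01 DF: XCOFF32
    printf '\001\367' > "$t/exits64/BlockIP2"    # 01 F7: XCOFF64
    echo "$t"
}

# On a real system: check_exit /var/mqm BlockIP2
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree) && check_exit "$d" BlockIP2 && echo "layout OK"
    cp "$d/exits64/BlockIP2" "$d/exits/BlockIP2"  # the copy tried in the thread
    check_exit "$d" BlockIP2
    rm -rf "$d"
fi
```

Run with `--demo`, the script first reports a clean layout, then flags the copied 64-bit file in `exits` as a mismatch.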
 |
Sam Uppu |
Posted: Wed Sep 23, 2009 10:02 am Post subject: |
|
|
 Yatiri
Joined: 11 Nov 2008 Posts: 610
|
I tried compiling BlockIP2 with 64-bit libraries and 32-bit libraries. I am getting the below error
Cannot find file BlockIP2.exp
Can anyone let me know about BlockIP2.exp |
 |
Sam Uppu |
Posted: Wed Sep 23, 2009 10:32 am Post subject: |
|
|
 Yatiri
Joined: 11 Nov 2008 Posts: 610
|
I am able to compile the BlockIP2 with 64-bit and 32-bit libraries.
Thanks for all your inputs. |
 |
Sam Uppu |
Posted: Thu Sep 24, 2009 7:23 am Post subject: |
|
|
 Yatiri
Joined: 11 Nov 2008 Posts: 610
|
Hi Guys,
I believe this is a good exit for securing MQ from client applications, and it is free, which my management would love.
I am wondering whether we can really trust this BlockIP2 exit. Is anybody using it who doesn't have any issues with this exit?
On www.mrmq.dk, Jorgen was saying... using this security exit is at your own risk. This statement scares me as to whether I can truly trust this exit and suggest my management go down this path.
Any negative experiences with this exit from anybody?
Thanks for sharing your thoughts on this. |
 |
Mr Butcher |
Posted: Thu Sep 24, 2009 10:56 pm Post subject: |
|
|
 Padawan
Joined: 23 May 2005 Posts: 1716
|
You have the source available so you can verify what you are using. It is not a black box.
I started to use it recently, no issues so far.
_________________
Regards, Butcher |
 |
Vitor |
Posted: Fri Sep 25, 2009 7:34 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Sam Uppu wrote: |
I am wondering whether we can really trust this BlockIP2 exit. Is anybody using it who doesn't have any issues with this exit?
|
If there are, you'll be able to fix them via the code.
Sam Uppu wrote: |
On www.mrmq.dk, Jorgen was saying... using this security exit is at your own risk. This statement scares me as to whether I can truly trust this exit and suggest my management go down this path. |
This means that the author is not supporting the exit and instead provided the source code so you can fix it. This also means you can "tweak" it so it better meets the needs of you and your management. Certainly if you have a queue manager outage you'll need to investigate this exit like you would any other unsupported exit (e.g. mirrorq to use an oft-used example).
My experience is that the author here is quite good about developing and fixing the code, but that's my experience and I am in no way connected to the author or authorised to speak on their behalf.
One final thought - with all products you get the support from the authors that you pay for.
_________________
Honesty is the best policy.
Insanity is the best defence. |
 |
SAFraser |
Posted: Fri Sep 25, 2009 11:32 am Post subject: |
|
|
 Shaman
Joined: 22 Oct 2003 Posts: 742 Location: Austin, Texas, USA
|
In general, I object to freeware.
But in this case, BlockIP is good code. We have been using it in production for six years without any issue.
My experience with the author is the same as Vitor's, in that he is very good and very responsive.
I mean, the author is good and responsive, not Vitor. No wait, Vitor is good and responsive, too. Oh dear. exerk, where are you when I need you? |
 |
exerk |
Posted: Fri Sep 25, 2009 11:38 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Right here...sorry had me headphones on while I was cleaning the dungeon, so didn't hear the scream.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
 |
Vitor |
Posted: Fri Sep 25, 2009 1:42 pm Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
SAFraser wrote: |
My experience with the author is the same as Vitor's, in that he is very good and very responsive.
|
I'm rendered speechless. Yet pleased my past performance has met with your approval.
_________________
Honesty is the best policy.
Insanity is the best defence. |
 |
Vitor |
Posted: Fri Sep 25, 2009 1:43 pm Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
exerk wrote: |
Right here...sorry had me headphones on while I was cleaning the dungeon, so didn't hear the scream. |
You're listening to those self improvement tapes again - "How to assert for success".
I've told you before - ask me first!
_________________
Honesty is the best policy.
Insanity is the best defence. |
 |