RogerLacroix |
Posted: Thu May 20, 2010 9:25 am Post subject: Noodle Twisters for anyone (Security stuff) |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
All,
OK, I have a couple of noodle twisters for everyone.
Noodle Twister #1: The MQCXP structure has a field called "FAPLevel". The comments say "Negotiated Formats and Protocols level" but where is this field documented or does anyone know what its purpose is? I know it has a default value of 8 but that is all I know. Does it have anything related to XA transactions?
Noodle Twister #2: I created a super simple program to do: MQCONNX, sleep for 1 minute and then MQDISC (no other MQ API calls). When I issue the display channel status against the channel when it is running (sleeping actually), I see the RAPPLTAG field with the application name.
Code: |
dis chs(TEST.CHL) RAPPLTAG
9 : dis chs(TEST.CHL) RAPPLTAG
AMQ8417: Display Channel Status details.
CHANNEL(TEST.CHL) CHLTYPE(SVRCONN)
CONNAME(127.0.0.1) CURRENT
RAPPLTAG(TestMQ\Release\conn_wait.exe)
RQMNAME( ) STATUS(RUNNING)
SUBSTATE(RECEIVE) XMITQ( ) |
How did the RAPPLTAG field get the value? I have checked both MQCXP and MQCD structures and I do not see anything that would give me the application name. From a security exit point of view, this is REALLY useful information.
Calling all techies to put their propeller hat on.
Regards,
Roger Lacroix _________________ Capitalware: Transforming tomorrow into today. |
|
|
 |
bruce2359 |
Posted: Thu May 20, 2010 10:08 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Propeller beanies. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
|
 |
zonko |
Posted: Thu May 20, 2010 12:27 pm Post subject: |
|
|
Voyager
Joined: 04 Nov 2009 Posts: 78
|
The app name is sent in one of the initial data exchanges, when the client channel starts. There can be several of these flows negotiating the channel settings. |
|
|
 |
Michael Dag |
Posted: Thu May 20, 2010 2:34 pm Post subject: |
|
|
 Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)
|
|
|
 |
gbaddeley |
Posted: Thu May 20, 2010 3:04 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
zonko wrote: |
The app name is sent in one of the initial data exchanges, when the client channel starts. There can be several of these flows negotiating the channel settings. |
Yeah, this is visible to a Send / Receive exit. _________________ Glenn |
|
|
 |
wschutz |
Posted: Thu May 20, 2010 3:12 pm Post subject: |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
Quote: |
From a security exit point of view, this is REALLY useful information. |
Are you sure about the send/receive exits? iirc some of the startup stuff isn't sent into the s/r exits. _________________ -wayne |
|
|
 |
gbaddeley |
Posted: Thu May 20, 2010 3:15 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
wschutz wrote: |
Are you sure about the send/receive exits? iirc some of the startup stuff isn't sent into the s/r exits. |
Yes. My SupportPac MA0Z can run as a Send/Receive exit on a CLNTCONN/SVRCONN channel and it logs the client application name by inspecting the initial connection flows. _________________ Glenn |
|
|
 |
wschutz |
Posted: Thu May 20, 2010 6:13 pm Post subject: |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
gbaddeley wrote: |
wschutz wrote: |
Are you sure about the send/receive exits? iirc some of the startup stuff isn't sent into the s/r exits. |
Yes. My SupportPac MA0Z can run as a Send/Receive exit on a CLNTCONN/SVRCONN channel and it logs the client application name by inspecting the initial connection flows. |
Fair enough, but I think Roger is talking about the Security exit point. _________________ -wayne |
|
|
 |
RogerLacroix |
Posted: Fri May 21, 2010 2:21 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
All,
Thanks for the info - I was hoping I had missed something. It is very strange that lots of information flows over a SVRCONN on startup, but some of it is not exposed to a security exit.
Glen, do you know of any fields that hold info related to XA for a security exit?
Regards,
Roger Lacroix _________________ Capitalware: Transforming tomorrow into today. |
|
|
 |
fjb_saper |
Posted: Sat May 22, 2010 8:20 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
RogerLacroix wrote: |
All,
Thanks for the info - I was hoping I had missed something. It is very strange that lots of information flows over a SVRCONN on startup, but some of it is not exposed to a security exit.
Glen, do you know of any fields that hold info related to XA for a security exit?
Regards,
Roger Lacroix |
Roger, can you please be a little more clear in what you are trying to do?
I fail to understand what XA or non XA has to do with a security exit.
I would expect it to matter to transactional info but I would not expect that to be accessible through a security exit...  _________________ MQ & Broker admin |
|
|
 |
gbaddeley |
Posted: Sun May 23, 2010 3:03 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
wschutz wrote: |
Fair enough, but I think Roger is talking about the Security exit point. |
Yes, he is, but zonko mentioned initial data flows, and I stated these were in Send / Receive exits, not the Security exit. _________________ Glenn |
|
|
 |
gbaddeley |
Posted: Sun May 23, 2010 3:18 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
RogerLacroix wrote: |
Glen, do you know of any fields that hold info related to XA for a security exit? |
Hi Roger. I've never encountered this sort of info in my many dealings with security exits. I doubt there is any indication in the MQCXP, MQCD or MQCSP structures.
Quote from WMQ Intercommunication: "byte 10 of the agent buffer identifies the API call in use when the send or receive exit is called." This includes values for XA related calls. The sad thing is that Security exits don't see this agent buffer containing the transmission segment  _________________ Glenn |
|
|
 |
RogerLacroix |
Posted: Tue May 25, 2010 2:01 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
fjb_saper wrote: |
can you please be a little more clear in what you are trying to do?
I fail to understand what XA or non XA has to do with a security exit. |
It's all about adding more "value" (features) to MQAUSX (and MQSSX).
MQAUSX's central feature is to do UserID and Password authentication against LDAP, Active Directory, Local OS or an encrypted FBA file. The secondary features include:
- Limiting the number of connections per channel
- Filter (allow or reject) by IP Address, UserID and/or SSL DN
- Use of Proxy UserIDs
- Alerts written to event queue or syslog
- etc.
Hence, for RAPPLTAG, it would just be another field to filter against so that the connection would be allowed or rejected. For the XA feature, maybe people want to force client connections to use the ETC feature.
If you give people a product with many attractive features then when they spend money on the product, they feel they are getting value for their money.
gbaddeley wrote: |
I've never encountered this sort of info in my many dealings with security exits. |
Too bad.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today. |
|
|
 |
|