jeevan |
Posted: Sat Oct 16, 2010 2:27 am Post subject: Can we create AMQCLCHL.TAB file programmatically? |
|
|
Grand Master
Joined: 12 Nov 2005 Posts: 1432
|
We are trying to automate processes as much as possible. One of the activities we do (not very often) is creating the CCDT file for client connection. We have an automated process to create the mqclient.ini, but we still have to recreate the AMQCLCHL.TAB file somewhere where there is a qmgr running and copy it over to the destination. I am wondering whether there is a way to create this file programmatically. Does any one of you know if we can do this?
 |
exerk |
Posted: Sat Oct 16, 2010 4:29 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Create a 'reference' CCDT by copying out a clean AMQCLCHL.TAB file, then use the MO72 SupportPac to edit a copy of it. Worth a shot to see whether the necessary statements can be piped in, or maybe even worth an enhancement request to the maintainer?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
 |
zpat |
Posted: Sat Oct 16, 2010 4:41 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
You can re-build from "source" form easily with MO72. Plenty of options - I just run it without connecting to any queue manager.
Frankly the whole CCDT thing is outdated, it should be an editable file. |
 |
bruce2359 |
Posted: Sat Oct 16, 2010 6:26 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
...like XML. Should I start the WMQ v8 rumor now?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
 |
bruce2359 |
Posted: Sat Oct 16, 2010 8:41 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
deleted as requested.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
 |
fjb_saper |
Posted: Sat Oct 16, 2010 10:36 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
zpat wrote: |
You can re-build from "source" form easily with MO72. Plenty of options - I just run it without connecting to any queue manager.
Frankly the whole CCDT thing is outdated, it should be an editable file. |
It is. Use mqsc and the edit language is the same as runmqsc commands...
You don't have to fully rebuild from scratch, you can also use alter commands... having it in XML will just make the editing more programmatic or more manual... in other words ... same difference but for the ease of reading and manipulation by the non authorized...
Hard to prove malicious intent if somebody modifies an XML file.
Easier to do if you can prove that the person had to first download/access a support pack before manipulating the file...
_________________
MQ & Broker admin
 |
zpat |
Posted: Sun Oct 17, 2010 12:31 pm Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
Editable to me means changes take effect immediately like an ini file.
The CCDT is not a security control, it only holds connection details that can also be supplied in other, less convenient, ways.
 |
fjb_saper |
Posted: Sun Oct 17, 2010 7:52 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
zpat wrote: |
Editable to me means changes take effect immediately like an ini file.
The CCDT is not a security control, it only holds connection details that can also be supplied in other, less convenient, ways. |
I'd say MO72 makes it editable according to your definition.
Like with an .ini file you may have to restart the app for the change to carry through....
Sorry but when the CCDT contains security information like SSLPEER and cipher suite, it makes it a security control in my eyes.
Have fun
_________________
MQ & Broker admin
 |
zpat |
Posted: Mon Oct 18, 2010 3:15 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
Yes, but making it not directly editable is not a security control.
If someone can update the CCDT file they can quite easily use MO72 to do it.
So the format of the file does not affect the security purpose of the file.
You can't rely on client side definitions in any case to secure a queue manager.
If I was trying to make a client (under my control) break into a QM I could put whatever I wanted on the client side.
My point was that the use of a "compilation" phase seems pointless for such a simple table.
A directly editable file would be much easier to manage. |
 |
jeevan |
Posted: Mon Oct 18, 2010 4:42 am Post subject: |
|
|
Grand Master
Joined: 12 Nov 2005 Posts: 1432
|
zpat wrote: |
Yes, but making it not directly editable is not a security control.
If someone can update the CCDT file they can quite easily use MO72 to do it.
So the format of the file does not affect the security purpose of the file.
You can't rely on client side definitions in any case to secure a queue manager.
If I was trying to make a client (under my control) break into a QM I could put whatever I wanted on the client side.
My point was that the use of a "compilation" phase seems pointless for such a simple table.
A directly editable file would be much easier to manage. |
I agree. Making the CCDT non-editable does not make it more secure, rather more non-user-friendly. People can use OS mechanisms to control the file (who can edit, who can only read, etc.).
Let's hope IBM will make changes in this in an upcoming release of MQ.
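
The OS-level control mentioned in the post above, as an added example that is not part of the original thread: a shell audit that flags a CCDT file (or its directory) being group- or world-writable and compares the file against a SHA-256 recorded at deployment. The function names and the baseline-file convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit OS-level protection of a CCDT file.
# Function names and the baseline-hash file are assumptions of this example.

# Print the SHA-256 of a file (GNU sha256sum, falling back to shasum).
ccdt_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed if PATH has all of the given octal permission bits set (POSIX find).
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_ccdt FILE BASELINE
# BASELINE holds the expected SHA-256, recorded when the CCDT was deployed.
# Prints one finding per line and returns the number of findings (0 = clean).
audit_ccdt() {
    f=$1; baseline=$2; n=0
    dir=$(dirname "$f")
    if [ ! -f "$f" ]; then echo "MISSING $f"; return 1; fi
    if [ -L "$f" ]; then echo "SYMLINK $f"; n=$((n + 1)); fi
    # 020 = group-writable, 002 = world-writable. A writable directory lets
    # someone replace the file even when the file itself is read-only.
    for bits in 020 002; do
        if has_perm "$f" "$bits"; then
            echo "FILE_WRITABLE($bits) $f"; n=$((n + 1))
        fi
        if has_perm "$dir" "$bits"; then
            echo "DIR_WRITABLE($bits) $dir"; n=$((n + 1))
        fi
    done
    if [ -r "$baseline" ]; then
        if [ "$(cat "$baseline")" != "$(ccdt_sha256 "$f")" ]; then
            echo "HASH_MISMATCH $f"; n=$((n + 1))
        fi
    else
        echo "NO_BASELINE $baseline"; n=$((n + 1))
    fi
    return "$n"
}
```

The baseline is written once with `ccdt_sha256 AMQCLCHL.TAB > baseline` on the host that built the table and should live somewhere the client account cannot write.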
 |
gbaddeley |
Posted: Tue Oct 19, 2010 3:36 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
The CCDT seems to go back to the dark ages of MQ and computing, where a binary format was quicker and easier to process by the MQ Client libraries, rather than needing to parse a text format configuration (like an .ini or XML file), and build an internal CLNTCONN channel definition. CCDT is an IBM proprietary format but some public reverse engineering efforts show it to be basically a linked list of MQCD structures, as expected.
_________________
Glenn