| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Connect to Queue Manager from Global.asax file of web site |
« View previous topic :: View next topic » |
| Author |
Message
|
| maslen1986 |
 Posted: Thu Dec 02, 2010 3:33 am Post subject: Connect to Queue Manager from Global.asax file of web site |
 |
|
Newbie
Joined: 02 Dec 2010
Posts: 5
|
So, about task:
Using Websphere MQ API's in Global.asax file of my web site try to start quque listener in event Application Start. Part of procedure:
| Code: |
public void Listen(string qmName, string queueName, string strChannelInfo, string ConnectUserID, string ConnectUserPassword, string KerberosString)
{
string channelName;
string transportType;
string connectionName;
string port;
char[] separator = { '/' };
string[] ChannelParams;
if (KerberosString == null)
{ KerberosString = ""; }
if (ConnectUserID == null)
{ ConnectUserID = ""; }
if (ConnectUserPassword == null)
{ ConnectUserPassword = ""; }
MQQueueManager mqManager = null;
MQQueue queue = null;
MQGetMessageOptions gmo = null;
CatalogBedForSend GetSendedCatalog;
try
{
ChannelParams = strChannelInfo.Split(separator);
channelName = ChannelParams[0];
transportType = ChannelParams[1];
connectionName = ChannelParams[2];
port = ChannelParams[3];
int openOptions = MQC.MQOO_INPUT_AS_Q_DEF | MQC.MQOO_FAIL_IF_QUIESCING;
Hashtable properties = new Hashtable();
properties.Add(MQC.HOST_NAME_PROPERTY, connectionName);
properties.Add(MQC.PORT_PROPERTY, int.Parse(port));
if (ConnectUserID != "")
{
properties.Add(MQC.USER_ID_PROPERTY, ConnectUserID);
properties.Add(MQC.PASSWORD_PROPERTY, ConnectUserPassword);
}
properties.Add(MQC.CHANNEL_PROPERTY, channelName);
properties.Add(MQC.TRANSPORT_PROPERTY, transportType);
properties.Add(MQC.SECURITY_EXIT_PROPERTY, KerberosString);
mqManager = new MQQueueManager(qmName, properties); //so here will be error about - user not pass authorization (error code:
//2035 0x000007f3 MQRC_NOT_AUTHORIZED
queue = mqManager.AccessQueue(queueName, openOptions);
gmo = new MQGetMessageOptions();
gmo.Options = MQC.MQGMO_FAIL_IF_QUIESCING | MQC.MQGMO_WAIT;
gmo.WaitInterval = MQC.MQWI_UNLIMITED;
MQMessage message = new MQMessage();
message.Format = MQC.MQFMT_STRING;
queue.Get(message, gmo);
|
Problem is that : IIS application pool work on Netwrok Service account. I know, that I can change user name from whoose name IIS will work in Global.asax to any user of mqm group and it will work without error. But I tested it only when Websphere MQ server work on same server and domain with my asp.net application.
Main Question: If I want to connect to Web sphere MQ queue manager of other domain, how I can pass authorization to it queue manager? As you can see I'am using kerberos string to connect to channel (it require of my customer). My idea is - to pass in MQC.USER_ID_PROPERTY and MQC.PASSWORD_PROPERTY properties user profiles of that domain, where i must connect (also that user must be in mqm group of that domain). I'am think wright, or anybody know other way? Please, need help) |
|
| Back to top |
|
 |
| Vitor |
| Posted: Thu Dec 02, 2010 5:57 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
My knowledge of IIS is much the same as my knowledge of the dark side of the Moon (and not the piece of music) but one point that leaps out is that it's a really, really bad idea for any connected user who isn't a human administrator to be a member of the mqm group. If your client is so security aware they're using Kerberos then the first security audit will flag that for sure.
How you get IIS to pass an id, no idea. I'd set MCAUser and authorise that (by which I mean authorise, not whack it into the mqm group).
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| maslen1986 |
| Posted: Thu Dec 02, 2010 8:42 am Post subject: |
|
|
Newbie
Joined: 02 Dec 2010
Posts: 5
|
| starting iis application pool from foreign user accout-is like plan B and it can only help if iis process connecting to websphere in same domain,but my system must work with many different domains) my customer show they server with websphere mq 6.0. they patched it and now it can use Kerberos. When they show server channel connection context menu,inside it apper parametr "object authorities" when they open it -there web sphere explorer show users;but those users are not active directory users,they creating only in websphere explorer...and it make me crazy... |
|
| Back to top |
|
|
| Vitor |
| Posted: Thu Dec 02, 2010 8:49 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
So your problem is not using IIS per se, but using WMQ with domain accounts. The users listed in the Websphere Explorer are not created only in Explorer as you claim, but might well be local users on that machine.
There's a wealth of discussion on the user of domain accounts & AD accounts on this forum which will at least demonstrate you're not the only person driven crazy by this Windows technology. But it is possble to get this to work.
It's also possible (and common) to use MCAUser to enforce a local id. There's a wealth of discussion on that as well, including the benefits of doing this for security reasons even if you don't strictly need to.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| maslen1986 |
| Posted: Thu Dec 02, 2010 9:22 am Post subject: |
|
|
Newbie
Joined: 02 Dec 2010
Posts: 5
|
| when i build my asp.net site,I'am also used MCAUsers and set corresponding property for server connection channel (mcauserid) on my test server.In my database i am save users name and password;and when my listener connecting to quque manager,it pass saved earlier user name and pas in hastable class with mq api param user and pass(it's showing in listing).all works fine on test machine without kerberos security.but customer prefer kerberos..i'am also think that users in "object authority" are local-but not find them in locals users of machine. But thank you for advice) will search in forums))and think,think and think)))) |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Fri Dec 03, 2010 1:31 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
I think this goes beyond the MCAUserID and hits SSL as well.
If your sites are doing SSL with Kerberos, than yes you will also have to pass the right encryption and kerberos token. But then I'd expect you to have to use a client channel table. 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| maslen1986 |
| Posted: Sun Dec 05, 2010 10:05 pm Post subject: |
|
|
Newbie
Joined: 02 Dec 2010
Posts: 5
|
Hi ))) I'am think, that I'am solved my problem )))
What I have:
Queue manager with object authorities set to some user. And customer give me password and name of this user. User is in Active Directory. My site use Windows authentication and many users must have access to WebSphere to put messages to queue. Grant access to all users is not good idea,as you know. So, I decided to use code, listed below:
| Code: |
//logon user
public static bool LOGONUSER(string principal, string domainName, string password, ref WindowsImpersonationContext impersonatedUser)
{try
{
IntPtr token = IntPtr.Zero;
impersonatedUser = null;
bool result = LogonUser(principal, domainName, password,
LogonSessionType.Interactive,
LogonProvider.Default,
out token);
if (result)
{
WindowsIdentity id = new WindowsIdentity(token);
impersonatedUser = id.Impersonate();
return true;
}
else { return false; }
} catch(Exception exp)
{
return false;
}
}
//back users indentities
public static bool UserIndentityBack(ref WindowsImpersonationContext impersonatedUser)
{
try
{
impersonatedUser.Undo();
return true;
}
catch (Exception exp)
{
return false;
}
}
// Declare signatures for Win32 LogonUser and CloseHandle APIs
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool LogonUser(
string principal,
string authority,
string password,
LogonSessionType logonType,
LogonProvider logonProvider,
out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool CloseHandle(IntPtr handle);
enum LogonSessionType : uint
{
Interactive = 2,
Network,
Batch,
Service,
NetworkCleartext = 8,
NewCredentials
}
enum LogonProvider : uint
{
Default = 0, // default for platform (use this!)
WinNT35, // sends smoke signals to authority
WinNT40, // uses NTLM
WinNT50 // negotiates Kerb or NTLM
}
|
When some user (that not have access to queue manager) come to site and want to put message in queue, I'am do that:
| Code: |
Hashtable properties = new Hashtable();
properties.Add(MQC.HOST_NAME_PROPERTY, connectionName);
properties.Add(MQC.PORT_PROPERTY, int.Parse(port));
properties.Add(MQC.CHANNEL_PROPERTY, channelName);
properties.Add(MQC.TRANSPORT_PROPERTY, transportType);
properties.Add(MQC.SECURITY_EXIT_PROPERTY, KerberosString);
WindowsImpersonationContext impersonatedUser = null;
LOGONUSER("UserName", "UserDomain", "UserPass", ref impersonatedUser);
queueManager = new MQQueueManager(strQueueManagerName, properties);
strReturn = true;
UserIndentityBack(ref impersonatedUser);
|
What do you think about it ? It's bad idea ? |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
