volox
Posted: Fri Jan 14, 2011 1:36 pm    Post subject: Help with SSPI security
Newbie, Joined: 14 Jan 2011, Posts: 7

Can anyone assist with the SSPI security exit? I've applied it to the security exit of one of the channels in NTLM mode: amqrspin(SCY_NTLM)
It seems to properly reject a connection from an invalid user (a user from a different domain), but it doesn't accept connections from a user that ought to be authorized (is in the mqm group). The MQ Explorer on the remote client just hangs trying to establish the connection, and there are no error logs on the server side indicating any problem. What is it I'm missing?
I apologize in advance if this is a newbie question, but I've dug around in the help and online and there just doesn't seem to be much information available on the SSPI security exit or how to actually set it up to work properly. I'm just trying to secure the installation so it isn't hanging wide open.
And while I'm asking, do you guys typically tend to remove the SERVER.DEF.* and SERVER.AUTO.* channels in order to secure the QMGR, or do you leave them and add SSL and security exits to them?
Running WebSphere v7.0.1.3
On Windows 2008 R2 x64

PeterPotkay
Posted: Fri Jan 14, 2011 3:09 pm    Post subject: Re: Help with SSPI security
Poobah, Joined: 15 May 2001, Posts: 7722

volox wrote:
    And while I'm asking, do you guys typically tend to remove the SERVER.DEF.* and SERVER.AUTO.* channels in order to secure the QMGR or do you leave them and add SSL and security exits to them?

Leave them, but disable them. Put a bogus ID in the MCAUSER, set the Max Message Length to 1, and/or put a bogus security exit value in the definition.
If MQ Clients need to connect to your QM, give each app / user their own SVRCONN channel protected with SSL or a Security Exit, and tagged with an MCAUSER ID that only has access to what you specifically grant for that ID's primary group. The SSL / Exit will control who can connect; the MCAUSER ID will control what they can do once connected.
--
Peter Potkay
Keep Calm and MQ On
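The lockdown Peter describes, as an added shell example written for this page (it is not IBM's code and not any poster's). It generates the MQSC to neutralise the default SVRCONN channels, define one per-application SVRCONN pinned to a low-privilege MCAUSER and authenticated by either the NTLM exit from this thread or SSL, and the setmqaut grants for that MCAUSER's group. The queue manager name QM1, channel APP1.SVRCONN, MCAUSER app1svc, group app1grp, queue APP1.REQUEST, the bogus exit name NOEXIT(NOENTRY), the cipherspec and the SSLPEER distinguished name are all placeholder assumptions; check them against your own naming and your platform's supported cipherspec list before use.

```shell
#!/bin/sh
# Added example for a WMQ 7.0.1 queue manager: print the MQSC and setmqaut
# commands for review, or feed them to runmqsc with the "apply" argument.
# All names below are placeholders (assumed, not from the thread).

QMGR="${QMGR:-QM1}"

# 1. Disable the default SVRCONN channels instead of deleting them: a
#    non-existent MCAUSER, a 1-byte message limit and a deliberately bogus
#    security exit name. Any one of the three stops a client using them.
lockdown_mqsc() {
    for chl in SYSTEM.DEF.SVRCONN SYSTEM.AUTO.SVRCONN; do
        printf "ALTER CHANNEL('%s') CHLTYPE(SVRCONN) MCAUSER('nosuchuser') MAXMSGL(1) SCYEXIT('NOEXIT(NOENTRY)')\n" "$chl"
    done
}

# 2. One SVRCONN per application. Who may connect is decided by the exit
#    (NTLM via amqrspin, as in the thread) or by SSL client authentication;
#    what they may do is decided by the MCAUSER, never by the asserted ID.
app_svrconn_mqsc() {
    app="$1"; mcauser="$2"; mode="$3"
    case "$mode" in
        ntlm) auth="SCYEXIT('amqrspin(SCY_NTLM)')" ;;
        ssl)  auth="SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) SSLPEER('CN=${app},O=Example')" ;;
        *)    echo "mode must be ntlm or ssl" >&2; return 1 ;;
    esac
    printf "DEFINE CHANNEL('%s.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('%s') %s REPLACE\n" "$app" "$mcauser" "$auth"
}

# 3. The MCAUSER's primary group gets only the OAM authorities the app needs:
#    connect and inquire on the queue manager, put/get/inq on its own queue.
app_authorities() {
    group="$1"; queue="$2"
    printf "setmqaut -m %s -t qmgr -g %s +connect +inq\n" "$QMGR" "$group"
    printf "setmqaut -m %s -t queue -n %s -g %s +put +get +inq\n" "$QMGR" "$queue" "$group"
}

if [ "${1:-}" = "apply" ]; then
    { lockdown_mqsc; app_svrconn_mqsc APP1 app1svc ntlm; } | runmqsc "$QMGR"
    app_authorities app1grp APP1.REQUEST | sh
else
    lockdown_mqsc
    app_svrconn_mqsc APP1 app1svc ntlm
    app_authorities app1grp APP1.REQUEST
fi
```

Run it without arguments first to read the generated commands; `sh lockdown.sh apply` pipes them into runmqsc and sh on the queue manager host. WMQ 7.0.1 has no CHLAUTH rules (those arrived in 7.1), so on this release the MCAUSER plus an exit or SSL on each SVRCONN is the entire control; a SVRCONN with a blank MCAUSER lets the client assert any user ID, including mqm.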

volox
Posted: Tue Jan 18, 2011 12:55 pm
Newbie, Joined: 14 Jan 2011, Posts: 7

Thanks Peter. That's helpful info.
Any experience with getting the SSPI security exit on Windows to work?

RogerLacroix
Posted: Tue Jan 18, 2011 4:50 pm    Post subject: Re: Help with SSPI security
Jedi Knight, Joined: 15 May 2001, Posts: 3264, Location: London, ON Canada

volox wrote:
    Can anyone assist with the SSPI security exit? I've applied it to the security exit of one of the channels in NTLM mode: amqrspin(SCY_NTLM)

Maybe that Windows server does not have NTLM installed or activated.

volox wrote:
    It seems to properly reject a connection from an invalid user (a user from a different domain), but it doesn't accept connections from a user that ought to be authorized (is in the mqm group).

Are you sure it is correctly rejecting the connection, or rejecting the use of NTLM?

volox wrote:
    The MQ Explorer on the remote client just hangs trying to establish the connection, and there are no error logs on the server side indicating any problem. What is it I'm missing?

That sounds like one of the bugs that I reported to IBM. There are lots of security-related bugs in WMQ v7.

volox wrote:
    And while I'm asking, do you guys typically tend to remove the SERVER.DEF.* and SERVER.AUTO.* channels in order to secure the QMGR, or do you leave them and add SSL and security exits to them?

Properly secure them with a security solution.
If you want a 3rd-party security solution that works and is fully supported, then have a look at: MQ Authenticate User Security Exit
Regards,
Roger Lacroix
Capitalware Inc.
--
Capitalware: Transforming tomorrow into today.
Connected to MQ!

volox
Posted: Wed Jan 19, 2011 4:24 pm
Newbie, Joined: 14 Jan 2011, Posts: 7

Ok, got it to work... sort of...
When registering the connection to the remote queue manager within MQ Explorer, I was selecting the security exit and using "amqrspin(SCY_NTLM)". I thought that since this was NTLM my client side would use my current user context, but it turns out I have to go to the subsequent page, click 'Enable User Identification' and enter my domain\User username; then it works and connects successfully.
So why doesn't the NTLM security exit pick up the user name from the context of the existing user? Or is it supposed to do that and it just isn't working properly?

fjb_saper
Posted: Wed Jan 19, 2011 9:32 pm
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY

volox wrote:
    Ok, got it to work... sort of...
    When registering the connection to the remote queue manager within MQ Explorer, I was selecting the security exit and using "amqrspin(SCY_NTLM)". I thought that since this was NTLM my client side would use my current user context, but it turns out I have to go to the subsequent page, click 'Enable User Identification' and enter my domain\User username; then it works and connects successfully.
    So why doesn't the NTLM security exit pick up the user name from the context of the existing user? Or is it supposed to do that and it just isn't working properly?

AFAIK MQ Explorer uses a pure Java MQ client and as such does not have the same ties to the OS identification as .NET or a C client. This is why you have to supply this information.
--
MQ & Broker admin

volox
Posted: Thu Jan 20, 2011 12:42 am
Newbie, Joined: 14 Jan 2011, Posts: 7

So when you specify the SSPI security exit name in MQ Explorer with the location that has the C DLL in it, what is it picking up and using? Because if it is using / bridging over to the C / COM version, then I would expect it to have the ability to get the user context... Just trying to understand what's going on here.

mqjeff
Posted: Thu Jan 20, 2011 4:21 am
Grand Master, Joined: 25 Jun 2008, Posts: 17447

This is really PMR territory.
The MQ Explorer does pick up user context, despite the fact that it's written in Java, because it has native libraries in it. That's part of the reason it's only supported on Windows and Linux and not all Unixes...