alechko
Posted: Sun Jun 19, 2011 12:53 am Post subject: Passing MQ client's SSL CN onto the message MQMD
Apprentice
Joined: 12 Jan 2005 Posts: 37
Hi,
We are trying to implement a complete authentication and authorization solution for ESB services based on WebSphere MQ, Message Broker and DataPower.
We have clients (QMGRs and MQ Clients) which connect to the MQ gateway QMGR which receives the service requests.
The channels are SSL secured (including SSL peer, MCAUSER and setmqaut to that user).
The messages are written to one of two local queues which the DataPower polls.
We want the DataPower to check, for each message, whether the client that sent the message is authorized to call such a service.
I've written a message exit which writes the CN from the SSLPEER into the message MQMD applid field.
Then the DataPower can check if the client (identified by its SSL certificate) can invoke the service.
The problem is how can I do the same with a Server Connection channel?
There is no message exit. I'm not sure if I can do the same on a receive exit (even if I can, I think it's not an elegant solution).
Any ideas?
Thanks!
_________________
Alik Hochner
EAI Consultant
Certified IBM Websphere MQ v6.0 System Administrator
Certified IBM Websphere Message Broker v6.1 System Administrator
mqjeff
Posted: Sun Jun 19, 2011 3:36 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
I'd look at the API Crossing exit for MQGET.
alechko
Posted: Sun Jun 19, 2011 4:45 am Post subject:
Apprentice
Joined: 12 Jan 2005 Posts: 37
mqjeff wrote:
    I'd look at the API Crossing exit for MQGET.
Thanks for the reply.
I don't see how that can help me.
Do you mean setting an exit upon DataPower's MQGET from the queue?
The message was already written, so how can the exit know the DN of the client's certificate that wrote the message?
If I misunderstood your suggestion, please elaborate.
fjb_saper
Posted: Sun Jun 19, 2011 4:49 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Quote:
    I've written a message exit which writes the CN from the SSLPEER into the message MQMD applid field.
Bad design. The field size might not be big enough, especially if you use more than just the CN to authenticate, and at some point you might get there.... The right thing to do would be to copy the whole Distinguished Name into a message property (regular V7 or RFH2) and check that...
Have fun
_________________
MQ & Broker admin
mqjeff
Posted: Sun Jun 19, 2011 2:14 pm Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
alechko wrote:
    mqjeff wrote:
        I'd look at the API Crossing exit for MQGET.
    Thanks for the reply.
    I don't see how that can help me.
    Do you mean setting an exit upon DataPower's MQGET from the queue?
    The message was already written, so how can the exit know the DN of the client's certificate that wrote the message?
    If I misunderstood your suggestion, please elaborate.
Okay. It wasn't clear where you were trying to apply the exit over a SVRCONN: on the side sending the message or on the side reading the message.
The API Crossing exit also applies to the MQPUT.
fjb_saper's comments about field lengths and best practices or bad practices also apply... This is not where you want to store this information.
alechko
Posted: Mon Jun 20, 2011 10:09 pm Post subject:
Apprentice
Joined: 12 Jan 2005 Posts: 37
mqjeff wrote:
    Okay. It wasn't clear where you were trying to apply the exit over a SVRCONN: on the side sending the message or on the side reading the message.
    The API Crossing exit also applies to the MQPUT.
    fjb_saper's comments about field lengths and best practices or bad practices also apply... This is not where you want to store this information.
I write only the Common Name from the DN of the certificate, so I'm actually limited to CNs of 32 characters, which is not a problem in our case.
Nevertheless, I agree with fjb_saper's suggestion and I will definitely check the message properties option.
Regarding implementing an API exit on the client's MQPUT, doesn't it contradict the whole idea of centralized security?
A client can easily disable/change the exit and write messages with different service permissions.
I'd like to modify the messages once they are received at the gateway QMGR. Any other ideas?
Thanks again,
Alik
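The following C program is an added illustration of the point fjb_saper raises above (the MQMD field is too small to hold a full identity) and of the 32-character limit alechko mentions; it is not code from this thread, from IBM MQ or from DataPower. It assumes the field in question is MQMD.ApplIdentityData, emulated here as a plain 32-byte blank-padded char array (MQ_APPL_IDENTITY_DATA_LENGTH is 32 in cmqc.h; no MQ headers are used), pulls the CN out of an SSLPEER-style DN, and shows two different client CNs becoming identical once cut to the field width, beside an exact-match allow-list check on the full DN as it would arrive in a message property. All DNs and the allow list are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* MQMD.ApplIdentityData is a fixed 32-byte, blank-padded field
 * (MQ_APPL_IDENTITY_DATA_LENGTH in cmqc.h); emulated here as a plain array. */
#define APPL_IDENTITY_DATA_LENGTH 32

/* Extract the CN attribute value from an SSLPEER-style DN such as
 * "CN=svc-client-a,OU=ESB,O=Example Corp,C=US" (a constructed sample).
 * Escaped commas inside attribute values are not handled.
 * Returns the CN length, or -1 if there is no CN or the buffer is too small. */
int dn_get_cn(const char *dn, char *out, size_t outlen)
{
    const char *p = dn;
    while (*p) {
        while (*p == ' ' || *p == ',')
            p++;                         /* skip separators between RDNs */
        if (strncmp(p, "CN=", 3) == 0) {
            size_t n;
            p += 3;
            n = strcspn(p, ",");         /* value runs to the next comma */
            if (n >= outlen)
                return -1;
            memcpy(out, p, n);
            out[n] = '\0';
            return (int)n;
        }
        p += strcspn(p, ",");            /* not CN: jump to the next RDN */
    }
    return -1;
}

/* Store a CN the way an exit would stuff it into ApplIdentityData:
 * blank padded, not NUL terminated, and silently cut at 32 bytes. */
void set_appl_identity(char field[APPL_IDENTITY_DATA_LENGTH], const char *cn)
{
    size_t n = strlen(cn);
    memset(field, ' ', APPL_IDENTITY_DATA_LENGTH);
    if (n > APPL_IDENTITY_DATA_LENGTH)
        n = APPL_IDENTITY_DATA_LENGTH;   /* the truncation the thread warns about */
    memcpy(field, cn, n);
}

/* 1 if two distinct CNs are indistinguishable once stored in the MQMD field. */
int cn_collide_in_mqmd(const char *cn_a, const char *cn_b)
{
    char fa[APPL_IDENTITY_DATA_LENGTH], fb[APPL_IDENTITY_DATA_LENGTH];
    set_appl_identity(fa, cn_a);
    set_appl_identity(fb, cn_b);
    return memcmp(fa, fb, APPL_IDENTITY_DATA_LENGTH) == 0;
}

/* The check the gateway side can do when the whole DN travels in a message
 * property: exact match against an allow list, nothing truncated. */
int dn_authorized(const char *dn, const char *const *allowed, size_t count)
{
    size_t i;
    for (i = 0; i < count; i++)
        if (strcmp(dn, allowed[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample identities; the two CNs differ only after byte 32. */
    const char *dn_a = "CN=orders-service-client-production-01,OU=ESB,O=Example Corp,C=US";
    const char *dn_b = "CN=orders-service-client-production-02,OU=ESB,O=Example Corp,C=US";
    const char *const allow[] = { dn_a };   /* only client 01 may call the service */
    char cn_a[64], cn_b[64];

    dn_get_cn(dn_a, cn_a, sizeof cn_a);
    dn_get_cn(dn_b, cn_b, sizeof cn_b);
    printf("CNs collide in 32-byte MQMD field: %s\n",
           cn_collide_in_mqmd(cn_a, cn_b) ? "yes" : "no");
    printf("client 02 authorized by full-DN check: %s\n",
           dn_authorized(dn_b, allow, 1) ? "yes" : "no");
    return 0;
}
```

With the two sample DNs, a check keyed on the truncated CN sees the same 32 bytes for both clients, while the exact match on the full DN rejects client 02; that is the gap between storing the identity in a fixed MQMD field and carrying the whole DN in a property.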
exerk
Posted: Mon Jun 20, 2011 10:55 pm Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
alechko wrote:
    ...I'd like to modify the messages once they are received at the gateway QMGR. Any other ideas?...
And doesn't this also contradict security and message integrity?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
mqjeff
Posted: Tue Jun 21, 2011 1:44 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447