xelir13 |
Posted: Thu Jun 27, 2013 4:56 am
Novice
Joined: 03 Feb 2013 Posts: 14
@hughson
Thanks for the advice. I was able to get the value of the MQCSP using the snippet below. The only problem I'm facing now is, I'm getting Reason 2035 even though the LDAP authentication succeeded.
Code:
    case MQXR_SEC_PARMS:
        /* MQCSP supplied by the client via MQCONNX; the fields are counted
           strings (pointer + length), not NUL terminated */
        WriteLogFile(pLdapProperties, 630, 'D', "ExitReason = MQXR_SEC_PARMS\n");
        /* User and Pass must be large enough to hold Length + 1 bytes,
           otherwise these memset calls write past the end of the buffers */
        memset(User, 0, sec_params->CSPUserIdLength + 1);
        memset(Pass, 0, sec_params->CSPPasswordLength + 1);
        /* copy the counted fields into NUL-terminated C strings */
        MakeCString(User, sec_params->CSPUserIdPtr, sec_params->CSPUserIdLength);
        MakeCString(Pass, sec_params->CSPPasswordPtr, sec_params->CSPPasswordLength);
hughson |
Posted: Thu Jun 27, 2013 5:08 am
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
RogerLacroix |
Posted: Thu Jun 27, 2013 3:02 pm
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Why in the world would you re-invent the wheel when there is a cheap product that does authentication against an LDAP server? If you spent more than a day programming this, you instead could have purchased a license for MQ Authenticate Security Exit and done something else.
MQ only flows the password in plain text.
MQ uses 2 different styles of flowing the UserID and Password between a client and server: "old" and "new" style. Different platforms support different styles. Some support both directly and some support both indirectly and some platforms do a conversion and flow both at the same time (very weird!).
It is fine if all of your applications can be rebuilt to use MQCONNX, but what if the application cannot be rebuilt? Or the application team does not want to do it, or the source code is lost? What about 3rd party applications that do not support MQCONNX? What are you going to do?
What about MQ JNDI or CCDT (Client Channel Table Definitions) or the new "MQClient.ini" file? Have you thought about how you are going to handle these implementations?
You are going to easily spend 6 months (i.e. 1000 hours) building a working prototype that covers some of the issues I have highlighted. You are in for a world of hurt. I know, I've been there done that.
xelir13 wrote:
> The only problem I'm facing now is, I'm getting Reason 2035 even though the LDAP authentication succeeded.
Now you are failing on authorization. The MQ OAM checks the UserID against the native OS (operating system) which of course, does not have the LDAP UserID!!!
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
gbaddeley |
Posted: Thu Jun 27, 2013 3:19 pm
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
I strongly support Roger's comments. I wrote an MQ channel authenticating security exit for a large company that ran on z/OS, Solaris, HP-UX and Windows before Capitalware's was available, and it was a very time consuming and painful exercise, although I did learn a lot about MQ channel processing and MQ exit design and programming.
A secure solution will flow the userid and password over the channel in encrypted format, which requires a partner security exit on the client application side that does secure key exchange for encrypting the credentials. Otherwise you will implement an insecure solution that is easily spoofed by a determined hacker (including people in your organization). _________________ Glenn
xelir13 |
Posted: Thu Jun 27, 2013 6:07 pm
Novice
Joined: 03 Feb 2013 Posts: 14
Is there a way to code in C to pass the username and password, even in plain text, like MQ Explorer does?
bruce2359 |
Posted: Thu Jun 27, 2013 7:29 pm
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
Moved to Security forum. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
bruce2359 |
Posted: Thu Jun 27, 2013 8:10 pm
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
xelir13 wrote:
> Is there a way to code in C to pass the username and password, even in plain text, like MQ Explorer does?
Pass username and password in plain text to what? _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
xelir13 |
Posted: Thu Jun 27, 2013 8:20 pm
Novice
Joined: 03 Feb 2013 Posts: 14
From client to MQ. I need it to be caught by a security exit.
Currently I was able to get the userID and password from MQCSP.
Now I'm looking for a way for a C client to pass userID/password so that it is caught by LongRemoteUserIdPtr and RemotePassword.
Is there a way to do this?
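The thread refers to two routes by which credentials reach a security exit: the MQCSP passed on MQCONNX ("new style", CSPUserIdPtr/CSPUserIdLength, counted and not NUL terminated) and the MQCD channel fields ("old style": the 12-byte blank-padded RemoteUserIdentifier and RemotePassword, plus LongRemoteUserIdPtr/LongRemoteUserIdLength). The C below is an added example, not code from any poster in this thread or from IBM, showing how an exit can copy either kind of field into fixed buffers defensively: the destination size is checked before anything is written (sizing a memset from the incoming length alone, as the snippet earlier in the thread does, writes past a fixed buffer when a client sends a longer value), an oversize field is rejected rather than truncated, blank padding on the MQCD fields is trimmed, and the password buffer is wiped afterwards. It compiles offline because CspStub and CdStub are constructed stand-ins carrying only the fields this example reads, not the real MQCSP/MQCD definitions from cmqc.h and cmqxc.h; the preference for MQCSP when both are present, the buffer sizes and all sample values are assumptions.

```c
/* Added example: bounds-checked extraction of channel credentials in a
 * security exit.  CspStub/CdStub are constructed stand-ins for the MQCSP
 * and MQCD fields used here (real exits include cmqc.h / cmqxc.h). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MQ_USER_ID_LENGTH  12   /* real MQ constant: size of MQCD.RemoteUserIdentifier */
#define MQ_PASSWORD_LENGTH 12   /* real MQ constant: size of MQCD.RemotePassword */
#define MAX_USER 64             /* assumed exit buffer sizes */
#define MAX_PASS 128

typedef struct {                /* constructed stand-in for MQCSP */
    void *CSPUserIdPtr;   long CSPUserIdLength;
    void *CSPPasswordPtr; long CSPPasswordLength;
} CspStub;

typedef struct {                /* constructed stand-in for MQCD */
    char  RemoteUserIdentifier[MQ_USER_ID_LENGTH];  /* blank padded, no NUL */
    char  RemotePassword[MQ_PASSWORD_LENGTH];       /* blank padded, no NUL */
    void *LongRemoteUserIdPtr; long LongRemoteUserIdLength;
} CdStub;

enum { CRED_ERROR = -1, CRED_NONE = 0, CRED_CSP = 1, CRED_CD_LONG = 2, CRED_CD_SHORT = 3 };

/* Copy a counted MQ string into a NUL-terminated buffer of known size.
 * Returns 0 on success, -1 if it would not fit (dst is then empty). */
static int copy_counted(char *dst, size_t dstsz, const void *src, long len) {
    if (dst == NULL || dstsz == 0) return -1;
    dst[0] = '\0';                                   /* no stale data on failure */
    if (len < 0 || (size_t)len >= dstsz) return -1;  /* room for the NUL is required */
    if (len > 0) {
        if (src == NULL) return -1;
        memcpy(dst, src, (size_t)len);
    }
    dst[len] = '\0';
    return 0;
}

/* Same for a fixed-width MQCHARn field: trailing blanks/NULs are trimmed first. */
static int copy_padded(char *dst, size_t dstsz, const char *field, size_t width) {
    size_t n = width;
    while (n > 0 && (field[n - 1] == ' ' || field[n - 1] == '\0')) n--;
    return copy_counted(dst, dstsz, field, (long)n);
}

/* Overwrite a secret; the volatile pointer stops the compiler eliding the stores. */
static void wipe(char *buf, size_t n) {
    volatile char *p = (volatile char *)buf;
    while (n--) *p++ = 0;
}

/* Fill user/pass from whichever style the client supplied.  Returns a CRED_*
 * code; CRED_ERROR means a field did not fit and the connection should be
 * refused.  Preferring MQCSP over MQCD is this example's choice (assumption). */
int extract_credentials(const CspStub *csp, const CdStub *cd,
                        char *user, size_t usersz, char *pass, size_t passsz) {
    int rc;
    if (csp != NULL && csp->CSPUserIdLength > 0) {           /* new style */
        rc = copy_counted(user, usersz, csp->CSPUserIdPtr, csp->CSPUserIdLength);
        if (rc == 0) rc = copy_counted(pass, passsz, csp->CSPPasswordPtr, csp->CSPPasswordLength);
        return rc == 0 ? CRED_CSP : CRED_ERROR;
    }
    if (cd == NULL) return CRED_NONE;                        /* old style */
    if (cd->LongRemoteUserIdLength > 0)
        rc = copy_counted(user, usersz, cd->LongRemoteUserIdPtr, cd->LongRemoteUserIdLength);
    else
        rc = copy_padded(user, usersz, cd->RemoteUserIdentifier, MQ_USER_ID_LENGTH);
    if (rc != 0) return CRED_ERROR;
    if (user[0] == '\0') return CRED_NONE;
    if (copy_padded(pass, passsz, cd->RemotePassword, MQ_PASSWORD_LENGTH) != 0) return CRED_ERROR;
    return cd->LongRemoteUserIdLength > 0 ? CRED_CD_LONG : CRED_CD_SHORT;
}

/* Constructed sample inputs; returns 0 if every check holds, else the failing check. */
int run_demo(void) {
    char user[MAX_USER], pass[MAX_PASS], huge[MAX_USER + 8];
    CspStub csp = { "alice", 5, "s3cret", 6 };               /* constructed */
    CdStub cd;
    int rc;

    rc = extract_credentials(&csp, NULL, user, sizeof user, pass, sizeof pass);
    if (rc != CRED_CSP || strcmp(user, "alice") || strcmp(pass, "s3cret")) return 1;
    wipe(pass, sizeof pass);

    memset(&cd, 0, sizeof cd);                               /* 12-byte padded fields */
    memcpy(cd.RemoteUserIdentifier, "bob         ", MQ_USER_ID_LENGTH);
    memcpy(cd.RemotePassword,       "hunter2     ", MQ_PASSWORD_LENGTH);
    rc = extract_credentials(NULL, &cd, user, sizeof user, pass, sizeof pass);
    if (rc != CRED_CD_SHORT || strcmp(user, "bob") || strcmp(pass, "hunter2")) return 2;
    wipe(pass, sizeof pass);

    cd.LongRemoteUserIdPtr = "carol.longname"; cd.LongRemoteUserIdLength = 14;
    rc = extract_credentials(NULL, &cd, user, sizeof user, pass, sizeof pass);
    if (rc != CRED_CD_LONG || strcmp(user, "carol.longname")) return 3;

    memset(huge, 'x', sizeof huge);                          /* oversize: reject, never truncate */
    csp.CSPUserIdPtr = huge; csp.CSPUserIdLength = (long)sizeof huge;
    rc = extract_credentials(&csp, NULL, user, sizeof user, pass, sizeof pass);
    if (rc != CRED_ERROR || user[0] != '\0') return 4;
    return 0;
}

int main(void) {
    int rc = run_demo();
    printf("credential extraction demo %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Returning CRED_ERROR on an oversize field, instead of silently truncating, matters for authorization as well as memory safety: a truncated user id could match a different account than the one the client presented.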
hughson |
Posted: Tue Jul 02, 2013 2:55 am
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
xelir13 wrote:
> From client to MQ. I need it to be caught by a security exit.
> Currently I was able to get the userID and password from MQCSP.
> Now I'm looking for a way for a C client to pass userID/password so that it is caught by LongRemoteUserIdPtr and RemotePassword.
> Is there a way to do this?
Why do you need a second way of doing this if you have already got the MQCSP way to work? _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
exerk |
Posted: Tue Jul 02, 2013 7:01 am
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
xelir13 wrote:
> Is there a way to code in C to pass the username and password, even in plain text, like MQ Explorer does?
Erm, isn't that somewhat at odds with what you want to do? At best that is giving just a veneer of security - it might fool your management but it won't fool anyone technical.
I endorse and reiterate what both RogerLacroix and gbaddeley have stated - convince your management to buy a COTS solution. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.