| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| DataPower to MQ - No Security Exits, MQ CCDT or MQclient.ini |
« View previous topic :: View next topic » |
| Author |
Message
|
| PeterPotkay |
 Posted: Wed Aug 14, 2013 3:53 am Post subject: DataPower to MQ - No Security Exits, MQ CCDT or MQclient.ini |
 |
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
Looking at the latest Infocenter for DataPower, version 6 of the Firmware, there doesn’t appear to be anyway to specify a client side security exit. Is SSL the only way to establish an authenticated connection from DP to MQ?
I also don’t see any way of using an MQ Client Channel Table, or an mqclient.ini file.
Do the DataPower creators consciously choose not to allow for exits, channel tables and client ini files, or is this a gap that might be remediated with a Request For Enhancement? Before I take the time to write one up I wanted to check here if it even made sense. In a conversation I had with my computer screen I made the argument that maybe this is by design because exits, tables and ini files all require something to be placed (‘installed’ in the case of the exit) on the appliance which is a no-no. But stylesheets and SSL Certs are allowed to be placed on the appliance, so why not other stuff?
DataPower Firmware 6 Infocenter:
http://pic.dhe.ibm.com/infocenter/wsdatap/v6r0m0/index.jsp
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Wed Aug 14, 2013 4:23 am Post subject: Re: DataPower to MQ - No Security Exits, MQ CCDT or MQclient |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| PeterPotkay wrote: |
Looking at the latest Infocenter for DataPower, version 6 of the Firmware, there doesn’t appear to be anyway to specify a client side security exit. Is SSL the only way to establish an authenticated connection from DP to MQ?
I also don’t see any way of using an MQ Client Channel Table, or an mqclient.ini file.
Do the DataPower creators consciously choose not to allow for exits, channel tables and client ini files, or is this a gap that might be remediated with a Request For Enhancement? Before I take the time to write one up I wanted to check here if it even made sense. In a conversation I had with my computer screen I made the argument that maybe this is by design because exits, tables and ini files all require something to be placed (‘installed’ in the case of the exit) on the appliance which is a no-no. But stylesheets and SSL Certs are allowed to be placed on the appliance, so why not other stuff?
DataPower Firmware 6 Infocenter:
http://pic.dhe.ibm.com/infocenter/wsdatap/v6r0m0/index.jsp |
I believe the current doctrine is to implement a channel table as a load balanced connection ? 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Aug 14, 2013 6:27 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
DataPower is an appliance, that's secure out of the box.
Allowing use of client-side exits would be allowing use of user-developed code, and would then open up a huge security hole.
It would also require publishing sufficient information about the hardware platform and OS behind the datapower box to allow someone to compile an exit that could actually run on DataPower.
Again, a security hole (at least in one sense).
A CCDT would be much easier to secure - as you say, it's not a lot different than a stylesheet or an SSL Cert. I can't comment on why it's not allowed, except perhaps that parsing it would require something that is outside the MQ client code currently being used by DP. (I don't know why that would be so, either.) |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
