sfari
Posted: Mon Jun 07, 2004 6:03 am Post subject: Windows MQ Explorer and SSL
Centurion
Joined: 15 Apr 2003 Posts: 144
Hi
Is it possible to force Windows MQ Explorer to make a secure connection using the MQ 5.3 SSL feature? It is clear to me what I need to do on the SYSTEM.ADMIN.SVRCONN channel, but I have no idea how to achieve that MQ Explorer makes SSL. I haven't found a place where things like keystore, cipher, ... can be specified.
Thanks,
Silvano

JasonE
Posted: Mon Jun 07, 2004 8:16 am Post subject:
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley
As far as I am aware, it's not possible to make Explorer communicate with SSL, sorry...

Michael Dag
Posted: Mon Jun 07, 2004 11:31 am Post subject:
Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)
JasonE wrote:
    As far as I am aware
your "awareness" matches reality
_________________
Michael
MQSystems Facebook page

JasonE
Posted: Tue Jun 08, 2004 1:03 am Post subject:
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley
That sounded like a challenge....
I've managed to get SSL encrypted Explorer working using nothing but product externals. It's not 'nice' but it works well! The only proviso I ought to state is that this may not be the 'appropriate' use of a security exit and it is not guaranteed to work in future releases.
On the server to be administered
1. Define a channel on the machine to administer
DEF CHL(SSL.ADMIN.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(TRIPLE_DES_SHA_US) SSLCAUTH(optional)
Note: SSLCAUTH(REQUIRED) is possible but you need to ensure the client machine has an assigned certificate
2. Ensure there is an assigned SSL certificate
Windows: You assign it via the Manage SSL Certificates
Unix: You give a special format friendly name
On the machine to administer from
1. Compile the following sample code as per the info in the header, producing an allowSSLconns.dll
2. Put the DLL produced on the client machine in e.g. C:\MYDIR as AllowSSLConns.dll
3. Run Explorer and on the properties of "WebSphere MQ" enter something like "C:\MYDIR\AllowSSLConns(SecurityExit)" in the security exit name field. Save the console
4. Set the following env var globally and reboot: set MQSSLKEYR=c:\MYDIR\keyr
5. Set up a keystore for the client including the root CA and intermediate CAs of the certificate assigned to the server
Note: Here, if you use SSLCAUTH(REQUIRED) then you can also assign a certificate to be used for the client, and ensure the server QM has the appropriate root and intermediate CAs in its QM keystore
6. Run the console saved earlier, and add a remote QM - the security exit should get invoked and change the channel to SSL.ADMIN.SVRCONN with a cipherspec
Sample exit code
You should be able to modify this to change the cipher spec, perhaps only invoke for certain QM names, add CRL or put the keystore into an MQSCO structure etc...
Code:
/**********************************************************************/
/*                                                                    */
/* Compilation:                                                       */
/* The following commands can be used to compile the example          */
/* exit on a variety of platforms.                                    */
/*                                                                    */
/* Windows NT (Visual C):                                             */
/* **********************                                             */
/* set MQBASEDIR=C:\Program Files\IBM\WebSphere MQ                    */
/* cl allowSSLconns.c "%MQBASEDIR%\tools\lib\mqmvx.lib"               */
/*    wsock32.lib /I "%MQBASEDIR%\tools\c\include" /MD /LD            */
/*                                                                    */
/**********************************************************************/
/* The header names were lost in the forum rendering; these are the   */
/* MQ headers that declare MQENTRY, MQCD, MQCXP and the MQX* values,  */
/* plus string.h for strncmp/memcpy/memset.                           */
#include <string.h>
#include <cmqc.h>
#include <cmqxc.h>

/* Dummy exported entry point so the DLL has something to load. */
__declspec( dllexport ) void MQENTRY Start(){;}

/* Fill a fixed-width, blank-padded MQCD field (no NUL terminator). */
static void SetMQField(char *field, size_t width, const char *value)
{
  size_t n = strlen(value);
  if (n > width) n = width;
  memcpy(field, value, n);
  memset(field + n, ' ', width - n);
}

__declspec( dllexport ) void MQENTRY SecurityExit(
  PMQVOID pChannelExitParms,
  PMQVOID pChannelDefinition,
  PMQLONG pDataLength,
  PMQLONG pAgentBufferLength,
  PMQVOID pAgentBuffer,
  PMQLONG pExitBufferLength,
  PMQPTR  pExitBufferAddr)
{
  /* Cast pointers to access individual fields */
  PMQCXP pParms = (PMQCXP)pChannelExitParms;
  PMQCD  pChDef = (PMQCD)pChannelDefinition;

  /* Check we are being called as a security exit */
  if (pParms->ExitId == MQXT_CHANNEL_SEC_EXIT) {
    /* Switch to the appropriate function */
    switch (pParms->ExitReason)
    {
      case MQXR_INIT:
        /* Only act on the channel the Explorer uses by default */
        if (strncmp(pChDef->ChannelName, "SYSTEM.ADMIN.SVRCONN",
                    MQ_CHANNEL_NAME_LENGTH) == 0) {
          /* Convert to SSL: rename the channel and set the cipher spec.
             Both fields are blank-padded to their full MQCD width. */
          SetMQField(pChDef->ChannelName, MQ_CHANNEL_NAME_LENGTH,
                     "SSL.ADMIN.SVRCONN");
          SetMQField(pChDef->SSLCipherSpec, MQ_SSL_CIPHER_SPEC_LENGTH,
                     "TRIPLE_DES_SHA_US");
          /* The exit has done its job; no further calls are needed */
          pParms->ExitResponse = MQXCC_SUPPRESS_EXIT;
        }
        break;
      default:
        break;
    }
  }
}
I make no guarantee that this will work or continue working!
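As an added stand-alone model (not JasonE's exit and not IBM code), the block below shows the decision the exit makes at MQXR_INIT against a mock of the two MQCD fields it touches: the fixed-width, blank-padded ChannelName and SSLCipherSpec. It also covers the variant raised later in the thread (keep SYSTEM.ADMIN.SVRCONN and only add the cipher); MockMQCD and the function names are assumptions.

```c
/* Constructed model of the exit's MQCD rewrite. MockMQCD stands in for
 * the real MQCD (assumption); its fields are fixed-width, blank-padded
 * and not NUL-terminated, so padding is done explicitly, not via strncpy. */
#include <stdio.h>
#include <string.h>
#define MQ_CHANNEL_NAME_LENGTH    20   /* same widths as the real MQCD */
#define MQ_SSL_CIPHER_SPEC_LENGTH 32
typedef struct {
    char ChannelName[MQ_CHANNEL_NAME_LENGTH];
    char SSLCipherSpec[MQ_SSL_CIPHER_SPEC_LENGTH];
} MockMQCD;

/* Copy value into a fixed-width MQ field, blank-padding the remainder. */
void mq_set_field(char *field, size_t width, const char *value) {
    size_t n = strlen(value);
    if (n > width) n = width;                  /* truncate oversize values */
    memcpy(field, value, n);
    memset(field + n, ' ', width - n);
}

/* Compare a blank-padded MQ field with a C string, ignoring trailing blanks. */
int mq_field_equals(const char *field, size_t width, const char *value) {
    size_t n = strlen(value);
    if (n > width || memcmp(field, value, n) != 0) return 0;
    for (size_t i = n; i < width; i++)
        if (field[i] != ' ') return 0;
    return 1;
}

/* rename=1 is the thread's original behaviour (switch to SSL.ADMIN.SVRCONN);
 * rename=0 is the later variant: keep the channel name, only add the cipher.
 * Returns 1 when the definition was rewritten, 0 for any other channel. */
int rewrite_admin_channel(MockMQCD *cd, int rename) {
    if (!mq_field_equals(cd->ChannelName, MQ_CHANNEL_NAME_LENGTH,
                         "SYSTEM.ADMIN.SVRCONN"))
        return 0;
    if (rename)
        mq_set_field(cd->ChannelName, MQ_CHANNEL_NAME_LENGTH, "SSL.ADMIN.SVRCONN");
    mq_set_field(cd->SSLCipherSpec, MQ_SSL_CIPHER_SPEC_LENGTH, "TRIPLE_DES_SHA_US");
    return 1;
}
int main(void) {
    MockMQCD cd;                                /* constructed sample MQCD */
    mq_set_field(cd.ChannelName, MQ_CHANNEL_NAME_LENGTH, "SYSTEM.ADMIN.SVRCONN");
    memset(cd.SSLCipherSpec, ' ', MQ_SSL_CIPHER_SPEC_LENGTH);   /* no SSL yet */
    printf("rewritten=%d channel=[%.20s] cipher=[%.32s]\n",
           rewrite_admin_channel(&cd, 1), cd.ChannelName, cd.SSLCipherSpec);
    return 0;
}
```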

jed
Posted: Tue Jun 08, 2004 11:26 pm Post subject:
Centurion
Joined: 08 Jan 2004 Posts: 118 Location: MI, USA
Wow, this is what we get whenever JasonE is challenged.
MichaelDag, thanks for giving us an idea on how to get more info on MQ from JasonE.......
_________________
Jed

sfari
Posted: Wed Jun 09, 2004 7:01 am Post subject:
Centurion
Joined: 15 Apr 2003 Posts: 144
Great stuff!
I will think about this solution. We are forced to close all our insecure channels and this would provide a reasonable workaround to still be able to use MQ Explorer.
Let's hope that future releases of MQ Explorer will support SSL!
Thanks
Silvano

sfari
Posted: Thu Jun 10, 2004 1:30 am Post subject:
Centurion
Joined: 15 Apr 2003 Posts: 144
It should also be possible to remain on the channel SYSTEM.ADMIN.SVRCONN, right? That is, define the channel on the QM with the CipherSpec and then change the client channel part in the exit to use the same cipher as well?
Another question: in your sample case, is the channel definition SYSTEM.ADMIN.SVRCONN on the QM still needed?

JasonE
Posted: Thu Jun 10, 2004 2:06 am Post subject:
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley
Yes, and yes (although I think you meant SSL.ADMIN.SVRCONN)...
i.e. yes, you could use the security exit to just put SSL attributes and not change the channel name
and yes, if you did this you don't need the SSL.ADMIN.SVRCONN
I did it that way simply for testing purposes...

Tibor
Posted: Mon Sep 20, 2004 4:02 am Post subject:
Grand Master
Joined: 20 May 2001 Posts: 1033 Location: Hungary
Jason,
After compiling and setting up your code, at first I found it very nice, but... when I want to connect to the second qmgr I get an error (AMQ4048) and an FDC file, with this info:
Quote:
    000039E4 13:28:23.040042 568.51 -------}! DoConnect (rc=MQRC_SSL_ALREADY_INITIALIZED)
    000039E5 13:28:23.040054 568.51 ------}! trmzstMQCONNX (rc=MQRC_SSL_ALREADY_INITIALIZED)
    000039E6 13:28:23.040065 568.51 -----}! MQCONNX (rc=MQRC_SSL_ALREADY_INITIALIZED)
    000039E7 13:28:23.040089 568.51 -----{ xcsFFST
What's wrong? When I try this exit with mqmon (MO71), the same problem doesn't occur. If you need it, I can send a trace file about it (2MB)
Tibor

JasonE
Posted: Mon Sep 20, 2004 8:36 am Post subject:
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley
Hmmm - I only tried it with one qmgr!!
I'm on education this week, back again next week. I'll try to give it a go then, but remind me if I haven't replied in a couple of weeks

Tibor
Posted: Mon Sep 27, 2004 3:51 am Post subject:
Grand Master
Joined: 20 May 2001 Posts: 1033 Location: Hungary
Jason,
Can you tell me any news about the security exit?
Tibor

JasonE
Posted: Mon Sep 27, 2004 7:45 am Post subject:
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley
Hmmm - It would appear that a multithreaded client program accessing via SSL gets a warning on the 2nd thread, and the Explorer treats any non-OK return code as a fatal error....
Looks like you will have to live with the restriction!