Security EXIT
suri
Posted: Fri Jul 30, 2004 8:10 am    Post subject: Security EXIT
Apprentice
Joined: 16 May 2004    Posts: 39    Location: NewYork

Hi all,
Can anyone please tell me how to set up a security exit? I have a client and a server. For a queue named AAA, I want only one client to access this queue, and only with the get option; no one else should access it. It's a thin client.
1. Do I have to use a security exit on the server connection channel?
2. Can we write security exits using Java, or do we have to go through DLLs using C?
Please help me.
Thanks,
Suri
oz1ccg
Posted: Sun Aug 01, 2004 5:34 am    Post subject:
Yatiri
Joined: 10 Feb 2002    Posts: 628    Location: Denmark

You use setmqaut to give the particular user access, if your environment (network) is trusted or you are using SSL:
setmqaut -m QMname -t queue -n QName -p userID +get
If the environment is not safe, you might need a security exit if you don't use SSL.
I did an exit (BlockIP); you can look at it / download it here: http://www.mrmq.dk/BlockIP.htm
By the way, did you try the search option here on MQSeries.net?
Did you look in WebSphere MQ Security (SC34-6079-00)?
Just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
suri
Posted: Tue Aug 03, 2004 7:53 am    Post subject: Security EXIT Help me
Apprentice
Joined: 16 May 2004    Posts: 39    Location: NewYork

Hi,
I am trying to implement security exits using the BlockIP package, but I was unable to see the results. I think I am making some mistake in configuring the system.
This is what I did; if I am wrong, please correct me. I have copied BlockID.dll into c:\Program files\IBM\WMQ\EXITS and I have given this path in the security exit name of the SYSTEM.DEF.SVRCONN channel, because my client is using this channel to communicate with the server. In the security exit data, I am giving the path of BlockIP2.txt, because this contains the information like permissions. And I gave the MCA user ID as my system login ID. It's giving me errors. Please help me with what to do.
I appreciate your kind help.
Thanks,
Suri
oz1ccg
Posted: Wed Aug 04, 2004 1:17 am    Post subject:
Yatiri
Joined: 10 Feb 2002    Posts: 628    Location: Denmark

Hi Suri,
Please show SCYDATA() and SCYEXIT() on your channel.
A file BlockIP2.txt is placed in c:\ which tells you what happened.
An example of SCYDATA could be:
SCYDATA('FN=c:\BlockIP2.txt;-d;')
SCYDATA() and SCYEXIT() are limited to 32 bytes on the distributed platforms. What you could do is just specify:
Code:
SCYEXIT('BlockIP2(BlockExit)')
when c:\Program files\IBM\WMQ\EXITS is the WebSphere MQ default exit path.
If you specify SCYEXIT('c:\Program files\IBM\WMQ\EXITS\BlockIP2(BlockExit)') it's 50 bytes long, which is way too long.
Just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
Last edited by oz1ccg on Wed Aug 04, 2004 3:47 pm; edited 1 time in total
suri
Posted: Wed Aug 04, 2004 3:25 pm    Post subject:
Apprentice
Joined: 16 May 2004    Posts: 39    Location: NewYork

Hi Pedersen,
First of all, let me thank you for all your time and help.
Still, I am not able to configure the security exit on my server. I have created a server connection channel which the client is going to use to connect and get messages. Everything is on Windows.
In the server connection channel properties, at Security Exit Name: BlockIP2(BlockExit) and
Security Exit Data: c:\mq\BlockIP2.txt
The content of BlockIP2.txt is
==========BlockIP2.txt=========
Patterns = 10.10.199.46;
Userids = samid;
BlockMqmUsers = Y;
===============================
When I try to run a getMessage program from the client, I get the following errors:
C:\>java mqGetMessage CONNEC.QUEUE TEST
Queue name CONNECTOR.IN
Queue manager name TEST
SERV1 ---------- TEST.SERVER.CHANNEL ----------- 1414
MQJE001: An MQException occurred: Completion Code 2, Reason 2063
MQJE027: Queue manager security exit rejected connection with error code 23
MQJE001: An MQException occurred: Completion Code 2, Reason 2063
MQJE027: Queue manager security exit rejected connection with error code 23
Error in queue manager connect....
QMGR Name : TEST
CC : 2
RC : 2063
java.lang.NullPointerException
    at mqGetMessage.mqOpen(mqGetMessage.java:139)
    at mqGetMessage.getConnected(mqGetMessage.java:72)
    at mqGetMessage.init(mqGetMessage.java:46)
    at mqGetMessage.main(mqGetMessage.java:31)
Is there any problem with my client program, or are there any changes I need to make?
Without the security exit the program works well.
Please help me.
Thanks,
Suri
oz1ccg
Posted: Wed Aug 04, 2004 3:46 pm    Post subject:
Yatiri
Joined: 10 Feb 2002    Posts: 628    Location: Denmark

Once again...
There is bad syntax in your SCYDATA.
It's SCYDATA('FN=c:\mq\BlockIP2.txt;')
The FN= and ; are mandatory.
Please tell us what's logged in c:\BlockIP2.log.
Are there any clues in the event viewer?
These are the two places to find evidence of why something went wrong.
(In addition there are the FDC/error files of MQ to help, but more than 90% of the problems can be solved using BlockIP2.log and the event viewer.)
BlockIP2 will log information about the refused connection.
I think you should remove the blanks before and after "=" so the specs look like this:
==========BlockIP2.txt=========
Patterns=10.10.199.46;
Userids=samid;
BlockMqmUsers=Y;
===============================
I hope this helps you.
There is a bit of information about debugging and how to use/configure the exit here on my BlockIP page:
http://www.mrmq.dk/BlockIP.htm
Just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
suri
Posted: Thu Aug 12, 2004 8:30 am    Post subject:
Apprentice
Joined: 16 May 2004    Posts: 39    Location: NewYork

Hi Jørgen Pedersen,
Please help me one more time. I am able to work fine with the security exits, but there are a few problems when I am using BlockIP2.dll and BlockIP2.txt on the server connection channel.
Below is the Java program I am using on the client side to get a message from a queue.
1. When I don't use MQEnvironment.userID = userID; in my program, I am able to get a message, but the security exit checks only the IP address, and it works fine.
2. When I am using MQEnvironment.userID = userID; I am able to pass through the security check, but the following error occurs (MQJE036: Queue manager rejected connection attempt).
How will the remote QMGR understand the client user ID?
I was reading Intercommunication and Using Java, but I really didn't understand well.
I think I can't do setmqaut, because the user is a thin client and is not recognised on the server. But I need the security exit to check for user ID and IP address.
C:\Java_samples>java ExitGetMessage TestQueue TestQMGR
Queue name TestQueue
Queue manager name TestQMGR
10.10.205.111 --- CHANNEL.SERVER.EXIT --- 1455----suri
MQJE001: An MQException occurred: Completion Code 2, Reason 2035
MQJE036: Queue manager rejected connection attempt
MQJE001: An MQException occurred: Completion Code 2, Reason 2035
MQJE036: Queue manager rejected connection attempt
Error in queue manager connect....
QMGR Name : TestQMGR
CC : 2
RC : 2035
java.lang.NullPointerException
    at ExitGetMessage.mqOpen(ExitGetMessage.java:143)
    at ExitGetMessage.getConnected(ExitGetMessage.java:75)
    at ExitGetMessage.init(ExitGetMessage.java:47)
    at ExitGetMessage.main(ExitGetMessage.java:32)
Java program:
import com.ibm.mq.*;
import java.io.*;

public class ExitGetMessage {
    private MQQueueManager mqQueueManager; // QMGR object
    private MQQueue queue;                 // Queue object
    private String hostName;               // host name of the QMGR
    private String channel;                // server connection channel
    private String port;                   // port the QMGR listener runs on
    private String qmgrName;
    private String qName;
    private String userID;

    public static void main(String arg[]) {
        try {
            if (arg.length < 2) {
                System.out.println("Please enter the arguments in the order:");
                System.out.println("<Queue name> <Queue manager name>");
                System.exit(1);
            }
            ExitGetMessage MQGet = new ExitGetMessage();
            System.out.println("Queue name " + arg[0]);
            System.out.println("Queue manager name " + arg[1]);
            MQGet.init(arg[0], arg[1]);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public void init(String queueName, String QMGRName) {
        try {
            this.mqInit(queueName, QMGRName);
            this.getConnected();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private void mqInit(String queueName, String QMGRName) {
        // Initialisation of the MQ parameters. No trailing blanks in the
        // host and channel names: they are sent to the server as typed.
        hostName = "10.10.205.111";
        port = "1455";
        qmgrName = QMGRName;
        channel = "CHANNEL.SERVER.EXIT";
        qName = queueName;
        userID = "suri";
    }

    public void getConnected() throws Exception {
        // Connect, open the queue, get one message, then close and disconnect.
        // Each step rethrows its MQException, so a refused connection stops
        // here instead of continuing into mqOpen() with a null queue manager
        // (the NullPointerException shown in the output above).
        try {
            mqConnect();
        } catch (MQException mqExp) {
            return; // connect failed and was logged; nothing to clean up
        }
        try {
            mqOpen();
            mqClose();
        } catch (MQException mqExp) {
            System.out.println("Stopping after MQ error (CC " + mqExp.completionCode
                    + ", RC " + mqExp.reasonCode + ")");
        } finally {
            mqDisconnect();
        }
    }

    private void mqConnect() throws MQException {
        // Connection to the queue manager over the client channel
        try {
            MQEnvironment.hostname = hostName;
            MQEnvironment.channel = channel;
            MQEnvironment.port = Integer.parseInt(port);
            //MQEnvironment.userID = userID;
            //MQEnvironment.properties.put(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES);
            System.out.println(hostName + " --- " + channel + " --- " + port + "----" + userID);
            mqQueueManager = new MQQueueManager(qmgrName);
            System.out.println("Qmgr : " + qmgrName + " connection successful");
        } catch (MQException mqExp) {
            System.out.println("Error in queue manager connect....");
            System.out.println("QMGR Name : " + qmgrName);
            System.out.println("CC : " + mqExp.completionCode);
            System.out.println("RC : " + mqExp.reasonCode);
            throw mqExp;
        }
    }

    private void mqDisconnect() throws MQException {
        // Disconnect from the queue manager
        try {
            mqQueueManager.disconnect();
            System.out.println("Qmgr : " + qmgrName + " disconnect successful");
        } catch (MQException mqExp) {
            System.out.println("Error in queue manager disconnect....");
            System.out.println("QMGR Name : " + qmgrName);
            System.out.println("CC : " + mqExp.completionCode);
            System.out.println("RC : " + mqExp.reasonCode);
            throw mqExp;
        }
    }

    private void mqOpen() throws MQException {
        // Open the queue for shared input and get one message
        try {
            int openOption = MQC.MQOO_INPUT_SHARED;
            queue = mqQueueManager.accessQueue(qName, openOption);
            System.out.println("Open queue successful...");
            MQGetMessageOptions getMessageOptions = new MQGetMessageOptions();
            getMessageOptions.options = MQC.MQGMO_WAIT | MQC.MQGMO_FAIL_IF_QUIESCING | MQC.MQGMO_CONVERT;
            getMessageOptions.waitInterval = MQC.MQWI_UNLIMITED; // waits unlimited
            MQMessage message = new MQMessage();
            try {
                System.out.println("waiting for message ...");
                queue.get(message, getMessageOptions);
                System.out.println("Get message successful...");
                byte[] b = new byte[message.getMessageLength()];
                message.readFully(b);
                System.out.println(new String(b));
                message.clearMessage();
                // Append the message body to a local file
                BufferedWriter writer = new BufferedWriter(new FileWriter("GetMessage.out", true));
                writer.write(new String(b));
                writer.close();
            } catch (IOException e) {
                System.out.println("IOException during GET: " + e.getMessage());
            }
        } catch (MQException mqExp) {
            System.out.println("Error in opening queue ....");
            System.out.println("Queue Name : " + qName);
            System.out.println("CC : " + mqExp.completionCode);
            System.out.println("RC : " + mqExp.reasonCode);
            throw mqExp;
        }
    }

    private void mqClose() throws MQException {
        if (queue == null) {
            return; // open failed, nothing to close
        }
        try {
            queue.close();
            System.out.println("Close queue successful.....");
        } catch (MQException mqExp) {
            System.out.println("Error in closing queue ....");
            System.out.println("Queue Name : " + qName);
            System.out.println("CC : " + mqExp.completionCode);
            System.out.println("RC : " + mqExp.reasonCode);
            throw mqExp;
        }
    }
}
I have visited your web site, but I am not able to find out which two sets of programs I have to use.
Thanks for your time,
Suri
oz1ccg
Posted: Thu Aug 12, 2004 8:51 am    Post subject:
Yatiri
Joined: 10 Feb 2002    Posts: 628    Location: Denmark

suri, try to run BlockIP2 with the debug option:
SCYDATA('FN=c:\mq\BlockIP2.txt;-d;')
Is userid="suri" allowed to access the queue?
Try dspmqaut -m QMname -t queue -n QName -p userID
I don't think there are problems with your program.
The problems might lie in the neighbourhood of security....
Just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
suri
Posted: Thu Aug 12, 2004 9:51 am    Post subject:
Apprentice
Joined: 16 May 2004    Posts: 39    Location: NewYork

Hi Jørgen Pedersen,
Thanks for the quick response.
Do I have to configure the server-side WMQ so that it understands the client's user ID?
C:\>dspmqaut -m TestQMGR -t queue -n TestQeueu -p suri
AMQ7026: A principal or group name was invalid.
This is right, because the user ID suri is not there on the server system. suri is the user ID at the client, which is on 10.10.199.11, and the server is 10.10.205.111.
Below is the error recorded in the queue manager's error log.
I have tried giving MCA User ID: suri in the server connection channel. Still it didn't work.
I have added -d; how can I debug it? SCYDATA('FN=c:\mq\BlockIP2.txt;-d;')
8/12/2004 13:18:43
AMQ9245: Unable to obtain account details for channel MCA user ID.
EXPLANATION:
WebSphere MQ was unable to obtain the account details for MCA user ID 'suri'.
This user ID was the MCA user ID for channel 'CHANNEL.SERVER.EXIT' on queue
manager 'TestQMGR' and may have been defined in the channel definition, or
supplied either by a channel exit or by a client.
ACTION:
Ensure that the user ID is correct and that it is defined on the Windows local
system, the local domain or on a trusted domain. For a domain user ID, ensure
that all necessary domain controllers are available.
----- amqrsrva.c : 702 --------------------------------------------------------
8/12/2004 13:18:43
AMQ8075: Authorization failed because the SID for entity 'SURI' cannot be
obtained.
EXPLANATION:
The Object Authority Manager was unable to obtain a SID for the specified
entity.
ACTION:
Ensure that the entity is valid, and that all necessary domain controllers are
available.
----- amqzfubn.c : 1945 -------------------------------------------------------
Thanks a lot,
suri
oz1ccg
Posted: Thu Aug 12, 2004 1:44 pm    Post subject:
Yatiri
Joined: 10 Feb 2002    Posts: 628    Location: Denmark

The reason for debugging using BlockIP2 is the fact that it logs detailed information in a file named c:\BlockIP2.log
You could see an entry like:
Code:
04.02.15 09:09:57 BlockIP2: BlockExit QMgr="QSJHPT01" ChannelName="CHANNEL2" ConnectionName="127.0.0.1" Userid="root"
04.02.15 09:09:57 BlockIP2: BlockExit Connection refused, user don't match positive list xxx,yyy,zzz*,etc,mrmq,us???mq .
Where I can see it's the "root" user that is causing problems.... Neat
Now you should be able to see which userid the Java application is using when it connects to the server. As I recall it, it uses a blank userid if you don't specify anything, and the request will be executed under the server account, and therefore be valid.
The reason for using BlockIP2 (or another) is to block certain users that are known to MQ...
The userid you're accessing the queues with, whether using MCA, BlockIP2 or the Java application, needs to have access.
You can use BlockIP2 to change the incoming userid="suri" to "mqm" or another server userid, to gain access to your data.
Just add this to your BlockIP2.txt:
CON=10.10.199.11;suri;MCA=mqm;
I have to emphasize that setting the MCAUSER to "mqm" can cause security risks....
I did a small sample on using CON=
Code:
#
# Simple filter implemented in BlockIP2 version 1.22
#
# 1. stop all connection attempts from mqm (NoBody is an undefined or blocked userid).
CON=*;mqm;MCA=NoBody;
#
# 2. Stop users starting with ww14 from 10.31.* Might be a foregin network
CON=10.31.*;ww14*;MCA=NoBody;
#
# 3. Allow master03 when comming from 172.20.10.31
CON=172.20.10.31;master03;
#
# 4. Allow spider when comming from 10.*, and set MCAUSER to master04
CON=10.*;spider;MCA=master04;
#
# 5. Block all other attempts.
CON=*;*;MCA=NoBody;
Just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
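The CON= rule set in the post above is easier to reason about when it is actually evaluated against a few connection attempts, including the blank-userid case discussed in this thread. The Python below is an added example written for this page; it is not BlockIP2's code and the exit's real semantics may differ. It assumes that rules are tried top to bottom and the first matching CON= line wins, that '*' and '?' are shell-style wildcards, that a rule without MCA= keeps the client-supplied user ID, and that a mapped MCA user which does not exist on the server (such as NoBody) is refused by the queue manager, which is the AMQ9245 failure shown earlier in the thread. SERVER_ACCOUNTS is a hypothetical list of accounts on the queue manager host; the rule text is the sample from the post, copied verbatim.

```python
"""Toy evaluator for BlockIP2-style CON= rules.

Added example, not BlockIP2's own code. Assumptions (not stated on the page):
rules are tried top to bottom and the first matching CON= line wins; '*' and
'?' are shell-style wildcards; a rule without MCA= keeps the client-supplied
user ID; and a mapped MCA user that does not exist on the server (e.g. NoBody)
is refused by the queue manager, as the AMQ9245 error in this thread shows.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Constructed sample: the rule set posted above, verbatim.
SAMPLE_RULES = """\
#
# Simple filter implemented in BlockIP2 version 1.22
#
# 1. stop all connection attempts from mqm (NoBody is an undefined or blocked userid).
CON=*;mqm;MCA=NoBody;
#
# 2. Stop users starting with ww14 from 10.31.* Might be a foregin network
CON=10.31.*;ww14*;MCA=NoBody;
#
# 3. Allow master03 when comming from 172.20.10.31
CON=172.20.10.31;master03;
#
# 4. Allow spider when comming from 10.*, and set MCAUSER to master04
CON=10.*;spider;MCA=master04;
#
# 5. Block all other attempts.
CON=*;*;MCA=NoBody;
"""

# Hypothetical accounts defined on the queue manager's host (assumption).
SERVER_ACCOUNTS = {"mqm", "master03", "master04"}


@dataclass(frozen=True)
class ConRule:
    ip_pattern: str
    user_pattern: str
    mca_user: Optional[str]  # None: keep the client-supplied user ID


def parse_rules(text: str) -> List[ConRule]:
    """Parse CON=<ip>;<userid>;[MCA=<user>;] lines; '#' lines and blanks are skipped."""
    rules: List[ConRule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("CON="):
            raise ValueError(f"line {lineno}: only CON= rules are modelled here")
        fields = [f for f in line[len("CON="):].split(";") if f]
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: CON= needs <ip pattern>;<userid pattern>;")
        mca: Optional[str] = None
        for extra in fields[2:]:
            if not extra.startswith("MCA="):
                raise ValueError(f"line {lineno}: unknown option {extra!r}")
            mca = extra[len("MCA="):]
        rules.append(ConRule(fields[0], fields[1], mca))
    return rules


def evaluate(rules: List[ConRule], conn_ip: str, userid: str) -> Tuple[Optional[int], str, bool]:
    """Return (index of the matching rule or None, effective MCA user, accepted?).

    An empty userid (what the Java client sends when MQEnvironment.userID is
    not set) matches '*' like any other string, so the catch-all rule closes
    that hole instead of letting the connection run under the listener's account.
    """
    for idx, rule in enumerate(rules):
        if fnmatchcase(conn_ip, rule.ip_pattern) and fnmatchcase(userid, rule.user_pattern):
            effective = rule.mca_user if rule.mca_user is not None else userid
            return idx, effective, effective in SERVER_ACCOUNTS
    # No rule matched: the exit leaves the user ID alone (assumption).
    return None, userid, userid in SERVER_ACCOUNTS


def log_line(qmgr: str, channel: str, conn_ip: str, userid: str, rules: List[ConRule]) -> str:
    """Format a decision in the style of the BlockIP2.log entry quoted above."""
    idx, effective, accepted = evaluate(rules, conn_ip, userid)
    head = (f'BlockIP2: BlockExit QMgr="{qmgr}" ChannelName="{channel}" '
            f'ConnectionName="{conn_ip}" Userid="{userid}"')
    rule_no = idx + 1 if idx is not None else "-"
    if accepted:
        verdict = f'rule {rule_no}: accepted as MCAUSER="{effective}"'
    else:
        verdict = f'rule {rule_no}: Connection refused, MCAUSER="{effective}" is not defined on the server'
    return head + " " + verdict


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for ip, user in [("172.20.10.31", "master03"), ("10.10.205.111", "spider"),
                     ("10.31.7.7", "ww14abc"), ("10.10.199.11", "suri"),
                     ("10.10.199.11", "")]:
        print(log_line("TestQMGR", "CHANNEL.SERVER.EXIT", ip, user, rules))
```

Running it shows why "suri" from 10.10.199.11 is refused under this rule set (nothing matches before the catch-all) and why the single CON=10.10.199.11;suri;MCA=mqm; line suggested above would let it through: the client's identity is replaced by a server account before the queue manager's authority check runs, which is exactly the risk the post warns about.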
fjb_saper
Posted: Thu Aug 12, 2004 3:10 pm    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY

Quote:
//MQEnvironment.userID = userID;
It looks like in your Java code you commented out the place where the userid was set.
This worked fine before because the userid was not checked.
Now the exit is checking the userid and you are SOL.
In the Java client, if you supply the userid the qmgr will check against its authorizations.
If you do not supply the userid, the default authorizations of the user running the listener will be awarded. I know it's a security hole, but it's the way MQ is designed....
So you could access before because you did not supply the userid.
Now that you have to, make sure the userid supplied has the authority needed by setting it with setmqaut...
Enjoy