BlockIP2 and external Patterns file
hguapluas
Posted: Fri Oct 15, 2004 7:55 am Post subject: BlockIP2 and external Patterns file
Centurion
Joined: 05 Aug 2004 Posts: 105 Location: San Diego
I am having problems getting BlockIP2 to recognize an external patterns file, e.g.:
alt chl(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN) scydata('FN=c:\IBM\Exits\blockip2.txt') scyexit('BlockIP2(BlockExit)')
Below are the patterns in the blockip2.txt file I am using. Can anyone check them to see if I've defined anything wrong? Especially the format for specifying the location of the log file, as that is not getting generated either. Platform is Windows.
Patterns=10.10.4.2?,10.10.4.3?;
BlockUsers=10.10.4.1?;
LogFileName=Blocklog;
LogExt=txt;
LogFormat=NDC;
LogPath=\IBM\Exits\Log;
LogDrive=C;
Besides the SVRCONN channels, should this exit be applied to other channels (cluster receiver/sender, receiver, sender, etc.)? The goal is to block incoming IP traffic coming into the (cluster) queues.
Also, would you recommend applying this exit from MQ Explorer, MQSC commands, or both? I have noticed inconsistencies when trying to use both on a queue; specifically, MQ Explorer does not always show the application of the exit on the channel even though the 'display channel ...' command does. And sometimes the MQSC command does not show the results of applying the exit from MQ Explorer (MQ v5.3, CSD07). Is this inconsistency a possible bug?!?
Thanks.
oz1ccg
Posted: Sat Oct 16, 2004 7:53 am Post subject:
Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
Hi,
I would start out without any "Log" statements, and enable the "-d;" (debug option), where you know the exit will place its log in c:\blockip2.log.
Now you can start out and do experiments on the security.
I don't know if you have seen the manual: http://www.mrmq.dk/BlockIP2_manual.htm
About the security on cluster channels, you need to understand how these channels behave to be able to be sure it will work.
I guess you would place the exit on the CLUSRCVR on the full repository qmgrs (FRQM), right? And not copy the exit to the other qmgrs?
If you do it in this way they will all fail.
Why will it happen in this way? Simply because the connecting partial qmgrs (PQM) will receive the parameters from the CLUSRCVR at the FRQM. Yes, I know you specified the connection settings on the CLUSSDR, but these are only used until the PQM establishes a connection to the FRQM and obtains the first package containing information about the cluster, incl. information about the FRQM.
And if you mix different platforms you might need a Channel Auto Definition exit (CHAD) to change the scydata and scyexit specs.
Because Windows looks like this:
scydata('FN=c:\IBM\Exits\blockip2.txt') scyexit('BlockIP2(BlockExit)')
and UNIX/Linux like this:
scydata('FN=/IBM/Exits/blockip2.txt') scyexit('BlockIP2(BlockExit)')
and z/OS like this:
scydata('FN=DD:BLOCKIP') scyexit('BLOCKIP2')
You see the point now.
Just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
hguapluas
Posted: Mon Oct 18, 2004 6:38 am Post subject:
Centurion
Joined: 05 Aug 2004 Posts: 105 Location: San Diego
Hi Jørgen,
I think I found my problem with the BlockIP2 exit. I missed something that I didn't think would be needed. It seems that there is a critical ";" (semicolon) that is needed in the MQSC command to get it working properly:
...scydata('FN=c:\ibm\exits\blockip2.txt;')...
Once I did this, everything started to work just fine, including the log file. The manual did state that the ";" is needed at the end of each parameter line, but I missed that; 'FN=...' is a parameter line that gets passed to the exit, so it wasn't reading it correctly.
So far, with just applying it to the SVRCONN, it seems to be blocking all incoming traffic correctly. I will start testing it by adding it to the cluster receiver channels this week on the full repositories and work my way out to the other repositories to see what happens and what the behavior will be when things do fail. (Thankfully, I am only working on one platform throughout this MQ configuration!)
Thanks for your input
silentflute
Posted: Thu Jan 20, 2005 10:45 am Post subject: BlockIP2 and external Patterns file
Apprentice
Joined: 14 Jul 2004 Posts: 32
Can the quiet mode option, -q, be added in the external patterns file? If so, how?
Also, can the SCYDATA parameter point to the external patterns file and include other parameters, such as:
scydata('FN=d:\blockspec.txt; -q')
Thanks!
oz1ccg
Posted: Fri Jan 21, 2005 1:48 am Post subject:
Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
About the BlockIP2.
You can specify some simple options in the SCYDATA parameter of the channel definition.
No, the quiet mode option can't be specified in the parm file. There is one major reason for this: I find the -q and -d two great options. Anyhow, I might change it in the future, but the option specified in SCYDATA will always have higher precedence than the options in the spec file.
This will also require a non-quiet option, to disable a -q in the spec file... like -v. Who knows.
hguapluas wrote:
Quote:
I will start testing it by adding it to the cluster receiver channels this week on the full repositories and work my way out to the other repositories to see what happens and what the behavior will be when things do fail.
Please remember the way WebSphere MQ clusters define cluster channels: all participating queue managers will require the security exit, or a Channel Auto Definition exit.
I read the book (believe it or not) and extracted some small pieces here: http://mrmq.dk/Cluster_security1.htm
Just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
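As an added example (not BlockIP2's own code, and not from any poster in this thread), the Python below models the two points the thread settles: the Oct 18 post's finding that every parameter, including the FN= entry in SCYDATA, must end with ";", and the Jan 21 post's note that switches such as -q and -d live in SCYDATA. The spec file contents are constructed from the first post; the assumption that "?" matches exactly one character and "*" any run is mine, not taken from the thread.

```python
import re

# Spec file constructed from the thread's first post (not BlockIP2's own code).
SPEC_FILE = r"""Patterns=10.10.4.2?,10.10.4.3?;
BlockUsers=10.10.4.1?;
LogFileName=Blocklog;
LogExt=txt;
LogFormat=NDC;
LogPath=\IBM\Exits\Log;
LogDrive=C;
"""

def parse_scydata(scydata):
    """Split a SCYDATA string into (spec file path, set of switches such as -q/-d).
    A FN= value without the terminating ';' is rejected: the thread traced the
    'exit ignores my spec file' symptom to exactly that missing character."""
    spec_file, switches = None, set()
    for token in scydata.split():
        if token.upper().startswith("FN="):
            if not token.endswith(";"):
                raise ValueError("FN= parameter lacks terminating ';': " + token)
            spec_file = token[3:-1]
        elif token.startswith("-"):
            switches.add(token.rstrip(";"))
    return spec_file, switches

def parse_spec(text):
    """Parse 'Key=value;' lines into ({key: [values]}, [unterminated lines]);
    lines missing the ';' terminator are reported rather than silently taken."""
    params, unterminated = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.endswith(";"):
            unterminated.append(line)
            continue
        key, _, value = line[:-1].partition("=")
        params[key.strip()] = [v.strip() for v in value.split(",")]
    return params, unterminated

def ip_matches(ip, patterns):
    """True if ip matches any pattern. Assumption: '?' matches exactly one
    character and '*' any run (shell-style wildcards)."""
    for pat in patterns:
        regex = "^" + re.escape(pat).replace(r"\?", ".").replace(r"\*", ".*") + "$"
        if re.match(regex, ip):
            return True
    return False
```

The precedence rule from the Jan 21 post (a switch in SCYDATA beats one in the spec file) is not modelled, since the post also states that -q is not accepted in the spec file at all.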