writing a security exit for authentication
Kaushal
Posted: Wed Jan 12, 2005 5:13 pm    Post subject: writing a security exit for authentication

Newbie

Joined: 12 Jan 2005
Posts: 6

Hello All,

This is my first post to the board, as I have just joined the forum.

I am stuck with a problem:

I am using WebSphere MQ 5.3 on Windows XP. I have a queue (say, TestQueue) which I want only to be accessed by authorized users. I am passing user credentials from my Client as createQueueConnection("username","password");

I have a security exit to do the authentication.

I get these in my security exit as channelDefinition.remoteUserId and channelDefinition.remotePassword.

Now I want these credentials to be compared with the members from the "mqm" group to do the authentication.

How do I do that? I know in z/OS you use RACF (I have never used RACF)... but for Windows I do not know how to do it.

Any help is appreciated.

Kaushal
Michael Dag
Posted: Thu Jan 13, 2005 1:46 am

Jedi Knight

Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)

Kaushal,
are you using the MQ Client or are you using Java on the client side?

If you are using the first, then the user credentials are automatically passed and used by MQ on the server. All you need to do is add the users to the server (not even necessary when working with a domain) and assign the proper authority on the server using the setmqaut commands.

I hope this helped
_________________
Michael
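
Added example (not part of Michael Dag's post or of the original thread): the setmqaut approach described above, as typed at a Windows command prompt on the server. The queue manager name QM1, the local group mqapps and the user appuser are assumptions; TestQueue is the queue named in the first post.

```bat
rem Added example. QM1, mqapps and appuser are assumed names, not from the thread.

rem 1. Put the application user in its own local group rather than in mqm,
rem    because members of mqm have full administrative authority over MQ.
net localgroup mqapps /add
net localgroup mqapps appuser /add

rem 2. Allow the group to connect to the queue manager.
setmqaut -m QM1 -t qmgr -g mqapps +connect +inq

rem 3. Allow the group to use TestQueue and nothing else.
setmqaut -m QM1 -n TestQueue -t queue -g mqapps +put +get +browse +inq

rem 4. Make the queue manager pick up the group change, then confirm the grants.
echo REFRESH SECURITY | runmqsc QM1
dspmqaut -m QM1 -t qmgr -g mqapps
dspmqaut -m QM1 -n TestQueue -t queue -g mqapps
```

These grants control what a user ID may do once the queue manager has accepted it; they do not check a password sent by a client.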



jefflowrey
Posted: Thu Jan 13, 2005 5:29 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

Your security exit... is it written in C, or in Java?

If it's written in Java, you will have to use JNI to link to the Windows API that will let you query group membership.

If it is written in C, you won't. You'll merely have to use the Windows API directly.

Try http://msdn.microsoft.com/.
_________________
I am *not* the model of the modern major general.
CShep
Posted: Thu Jan 13, 2005 8:01 am    Post subject: non-trusted domain

Novice

Joined: 20 Oct 2004
Posts: 22
Location: London, England

Is it possible to supply alternate user credentials when using the Windows client? The reason for asking is that the client will be connecting from a non-trusted domain and as such I am unable to permission the objects on the Queue Manager.

Thanks,

Colin S
_________________
A friend in need is a pain in the @ss
Michael Dag
Posted: Thu Jan 13, 2005 8:13 am

Jedi Knight

Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)

Check http://publibfp.boulder.ibm.com/epubs/pdf/csqzaf07.pdf from page 123.

There are a lot of answers to your question(s).
_________________
Michael



CShep
Posted: Thu Jan 13, 2005 8:23 am

Novice

Joined: 20 Oct 2004
Posts: 22
Location: London, England

Thanks for the advice - I'll have a look.

Rds,

Colin
_________________
A friend in need is a pain in the @ss
Kaushal
Posted: Thu Jan 13, 2005 10:55 am

Newbie

Joined: 12 Jan 2005
Posts: 6

Thanks a lot, guys, for your reply.

Michael, what is the difference between MQ client and the Java program on the client side? Correct me if I am wrong, but I think they are one and the same because the Java program on the client side connects to the MQ server.

The credentials are passed to the MQ server from my Java program, but only the username, not the password. The transport type that I am using is client. I have set the proper authorizations using the setmqaut command.

By the way, my MQ client (or Java program) and the MQ server are on the same machine.

Jeff, my security exit is written in Java. I will look into the JNI feature also. Thanks for that.

Regards,
Kaushal
Kaushal
Posted: Thu Jan 13, 2005 1:31 pm

Newbie

Joined: 12 Jan 2005
Posts: 6

Guys,

sorry for the re-post, but I had to make some changes.

Michael, what is the difference between MQ client and the Java program on the client side? Correct me if I am wrong, but I think they are one and the same because the Java program on the client side connects to the MQ server, and that's why it is called MQ client.

The credentials are passed to the MQ server from my Java program, but only the username gets verified, not the password. I know this is because MQ does not provide authentication; we have to take care of it separately, through SSL or security exits.

By the way, my MQ client (Java program) and the MQ server are on the same machine.

Jeff, my security exit is written in Java. I will look into the JNI feature also. Thanks for that.

Does anyone know whether we can use SSPI here for authentication?

Regards,
Kaushal
Michael Dag
Posted: Thu Jan 13, 2005 1:42 pm

Jedi Knight

Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)

Kaushal wrote:

By the way my MQ client(java program) and the MQ server are on the same machine.

If this is true, there is no need at all; just set the connection to BINDINGS mode (look it up in the Java manual).

In bindings mode, with the 'client' program (as it is really no longer a client) and the MQ Server on the same machine, OS authentication in combination with MQ authentication will take care of all requirements.

Please verify whether this is true, otherwise you make something very simple and very standard... into something very complicated!
_________________
Michael



Kaushal
Posted: Fri Jan 14, 2005 3:38 pm

Newbie

Joined: 12 Jan 2005
Posts: 6

Hi,

thanks for your reply, Michael. I am trying to put a security exit written in C in place at the server side. I am not able to get it done. I am using the SYSTEM.DEF.SVRCONN channel.

I have made the myexit.dll, which is in the C:/MQ/Data/Exits/ folder.

I am trying to add it to the channel by the following command:

alter channel(system.def.svrconn) chltype(svrconn) scyexit('nameofthedll(entrypoint)')

I restart my QMgr after the change, but still it is not getting called. Is there anything I have missed?

Also, can anyone explain to me how the security exit is called? And how are the exit reasons like MQXR_INIT, MQXR_INIT_SEC and MQXR_INIT_SEC, MQXR_SEC_MSG passed to it, and who does that?

I have read about it but it is very confusing.

Kaushal
oz1ccg
Posted: Fri Jan 21, 2005 1:36 am

Yatiri

Joined: 10 Feb 2002
Posts: 628
Location: Denmark

Take a look in the Intercommunication manual about how the various MQXR_INIT, MQXR_INIT_SEC, MQXR_INIT_SEC, MQXR_SEC_MSG are invoked.

I used the manual when writing the BlockIP exit a long time ago, and I developed a test exit so I could see when the different states were executed.

There is only one approach to writing an exit: hard work. There are some shortcuts available: study some existing exits.

There is MQ SupportPac IC72.

BlockIP available here: http://mrmq.dk/BlockIP2.htm

Keep plumming.

Just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.