Wanted Beta Testers
RogerLacroix
Posted: Tue Jan 25, 2005 10:48 pm    Post subject: Wanted Beta Testers

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

All,

This is an open invitation for the MQ community to freely test a new solution from Capitalware Inc.

The MQ Authenticate User Security Exit is a new solution that allows a company to fully authenticate a user who is accessing a WebSphere MQ resource. It verifies the User's UserID and Password (and possibly Domain Name) against the server's native OS system (or domain controller).

The security exit will operate with WebSphere MQ v5.3 (and MQSeries v5.2) in Windows, Unix and Linux environments. It works with Server Connection Channels and / or Client Connection Channels of WebSphere MQ queue manager.

The Authenticate User Security Exit solution is comprised of 2 components: client-side security exit and server-side security exit.
    Supported server-side security exit for the beta:
    - IBM AIX
    - HP-UX
    - Linux - Red Hat
    - Sun Solaris
    - Windows XP/NT/2000/2003

    Tested client-side security exit:
    - IBM's MQ Explorer
    - SupportPac MO71 (MQMon)
    - IBM's WBIMB Eclipse Tool Kit
    - Mercury's SiteScope
    - Capitalware's MQ Visual Edit
    - Capitalware's MQ Visual Browse
    - Capitalware's MQ Batch Toolkit
    - Any program that uses Client Channel Tables (i.e. SupportPac MS03)

Click here to read an overview of MQ Authenticate User Security Exit.

To join this free beta program, click this link.

The beta program will run from now until April 30, 2005.

Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!


Last edited by RogerLacroix on Sun Apr 03, 2005 8:53 pm; edited 2 times in total
RogerLacroix
Posted: Mon Feb 28, 2005 6:20 pm

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

All,

I have added 2 new features to the MQ Authenticate User Security Exit solution. The new features are:
    - Limit the number of incoming channel connections on a SVRCONN channel.
    - Allow or restrict incoming IP address against a regular expression pattern
MQAUSX is using a basic regular expression parser that I put together. Here is a list of its major features:
    '*' matches any sequence of characters (zero or more)
    '?' matches any single character
    [SET] matches any character in the specified set,
    [!SET] matches any character not in the specified set.
Click here to read an overview of MQ Authenticate User Security Exit.

To join this free beta program, click this link.

The beta program will run from now until April 30, 2005.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!


Last edited by RogerLacroix on Thu Mar 17, 2005 7:28 am; edited 1 time in total
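
The four pattern elements listed in the post above, as an added example that is not part of the original post and is not MQAUSX's own parser: a small whole-string matcher in C, run against constructed IP addresses to show why an allow pattern should close an octet with a dot before `*`. Treating `a-z` inside a set as a range is an assumption; the post only says SET.

```c
#include <stdbool.h>
#include <stdio.h>

/* Test c against the [SET] / [!SET] class at p (p points at '[').
 * Returns the position after ']' and sets *ok, or NULL if the class is
 * unterminated. "a-z" ranges are an assumption; the post only says SET. */
static const char *match_set(const char *p, char c, bool *ok)
{
    bool negate = false, hit = false;
    if (*++p == '!') { negate = true; p++; }
    for (; *p && *p != ']'; p++) {
        if (p[1] == '-' && p[2] && p[2] != ']') {
            if (c >= p[0] && c <= p[2]) hit = true;
            p += 2;
        } else if (*p == c) {
            hit = true;
        }
    }
    if (*p != ']') return NULL;
    *ok = (hit != negate);
    return p + 1;
}

/* Whole-string match: the pattern must cover all of s, not just a prefix. */
bool wild_match(const char *pat, const char *s)
{
    const char *star = NULL, *resume = NULL;  /* backtrack point of last '*' */
    while (*s) {
        const char *next = pat + 1;
        bool ok = false;
        if (*pat == '*') { star = ++pat; resume = s; continue; }
        if (*pat == '?')      ok = true;
        else if (*pat == '[') next = match_set(pat, *s, &ok);
        else                  ok = (*pat == *s);
        if (ok) { pat = next; s++; continue; }
        if (!star) return false;              /* mismatch, nothing to retry */
        pat = star; s = ++resume;             /* let '*' absorb one more char */
    }
    while (*pat == '*') pat++;                /* trailing stars match empty */
    return *pat == '\0';
}

int main(void)
{
    const char *ip = "10.20.1.1";             /* constructed address */
    printf("10.2*  -> %d\n", wild_match("10.2*", ip));   /* too loose */
    printf("10.2.* -> %d\n", wild_match("10.2.*", ip));  /* dot anchors octet */
    return 0;
}
```
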
RogerLacroix
Posted: Wed Mar 09, 2005 10:56 am

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

All,

I have created a new beta release of MQAUSX that includes the following features:
    - Ability to turn off authentication with 'NoAuth' keyword
    - Allow or restrict incoming UserID against a regular expression pattern when NoAuth is enabled.
    - Added the AllowBlankUserID keyword that is only used when NoAuth is enabled.

When authentication is turned off, all other features of the server-side security exit function as normal. A client-side security exit is not required when authentication is turned off.

Now you have a solution that covers all types of security exit needs.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
RogerLacroix
Posted: Mon Mar 14, 2005 8:55 pm

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

All,

I have created a new security exit called MQ Standard Security Exit. It is a non-authenticating security exit. In other words, there is only a server-side security exit (no client-side exit). Basically, it is equivalent to the MQ Authenticate User Security Exit with the NoAuth keyword set to yes.

It has all the features of MQ Authenticate User Security Exit (except the authentication feature was removed). Here is a list of features:
    - Allow or restrict the incoming UserID against a regular expression pattern
    - Proxy ID support
    - Allow or restrict the incoming IP address against a regular expression pattern
    - Limit the number of incoming channel connections on a SVRCONN channel.
    - Allow or restrict the use of 'mqm', 'MUSER_MQADMIN' or 'QMQM' UserIDs

    Supported server-side security exit platforms for the beta:
    - IBM AIX
    - HP-UX
    - Linux - Red Hat
    - Sun Solaris
    - Windows XP/NT/2000/2003
Click here to read an overview of MQ Standard User Security Exit.

To join this free beta program, click this link.

The beta program will run from now until April 30, 2005.

Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
RogerLacroix
Posted: Thu Mar 17, 2005 7:30 am

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

All,

I have extended the beta program until the end of April.

There has been a large rush of people joining the beta program over the last 2 weeks. I am still proceeding with the GA versions of the products in April but to give the new people time to test and to give some overlap between the beta program and the GA release, I have extended the beta program until April 30, 2005.

To join this free beta program, click this link.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
RogerLacroix
Posted: Mon Mar 21, 2005 9:44 am

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

All,

Last week a couple of people on the MQ ListServer expressed concerns over a situation when a queue manager has high levels (thousands) of connections and when the security exit has 'max channel connection' feature enabled, the issuing of a PCF command per connection would cause excessive overhead.

One of the suggestions was to use shared memory and walk through it to find / store the channel count and another was to do something similar to SupportPac ME71 and store the information in a queue.

After thinking about it for a while, I concluded that under a load of thousands of connections, the architecture / design of SupportPac ME71 would cause excessive overhead too (getting & putting to its status queue).

Now the idea of using shared memory is good, but has 2 problems:
(1) Walking through 100 or more channels in shared memory is still overhead (i.e. string compares)
(2) How do you know the counter in shared memory is accurate? What if the MQ Admin adds the exit definition to a running channel or what if they remove the definition from a channel then add it back in an hour or the next day. The values in shared memory would be totally out of sync.

So, here's the design that I came up with and I believe that it addresses all of these issues, along with any concerns about speed / overhead.

Each active channel will allocate its own very small piece of shared memory (no common shared memory). Therefore, there is no walking (string compares) through shared memory looking for the matching channel name.

To keep the shared memory in sync with what is really happening with the active channel, I have introduced 2 new iniFile keywords to control the refreshing of the shared memory by issuing a PCF command after 'x' seconds or 'n' connection attempts. I have set the default values to 60 seconds and 100 connection attempts. But for queue managers with thousands of active channels, the user can increase these values to keep the overhead to a minimum, i.e. 600 seconds and 1000 connection attempts.

I have created and deployed the security exits with the new 'max channel connection' design. It is now extremely fast even when the 'max channel connection' feature is enabled.

To join this free beta program, click this link.

Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
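
The refresh policy described in the post above, as an added example that is not part of the original post and is not MQAUSX code: one small slot per channel holds a cached count, and the expensive inquiry runs only after `redo_seconds` or `redo_count` attempts. The struct stands in for the per-channel shared-memory segment, the `count_fn` callback is a hypothetical stand-in for the PCF command, and the channel name and counts are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Per-channel slot: stands in for that channel's own small shared-memory
 * segment, so no search by channel name is needed. */
typedef struct {
    int    count;      /* cached number of active connections */
    int    attempts;   /* connection attempts since the last refresh */
    time_t synced_at;  /* time of last refresh; 0 = never refreshed */
} chl_slot;

/* MaxChlConn, MCCRedoSeconds, MCCRedoCount from the iniFile. */
typedef struct { int max_chl_conn, redo_seconds, redo_count; } mcc_cfg;

/* Hypothetical callback standing in for the PCF channel-status inquiry. */
typedef int (*count_fn)(const char *channel);

/* Decide one connection attempt; refresh the cache only when it is stale. */
bool mcc_admit(chl_slot *slot, const mcc_cfg *cfg, const char *channel,
               time_t now, count_fn authoritative)
{
    slot->attempts++;
    if (slot->synced_at == 0 ||
        now - slot->synced_at >= cfg->redo_seconds ||
        slot->attempts >= cfg->redo_count) {
        slot->count = authoritative(channel);   /* the expensive call */
        slot->attempts = 0;
        slot->synced_at = now;
    }
    if (slot->count >= cfg->max_chl_conn)
        return false;                           /* limit reached: reject */
    slot->count++;                              /* count the admitted one */
    return true;
}

/* Constructed stand-in for the queue manager's real connection count. */
static int real_count = 0, pcf_calls = 0;
static int fake_pcf(const char *ch) { (void)ch; pcf_calls++; return real_count; }

int main(void)
{
    chl_slot slot = {0, 0, 0};
    mcc_cfg cfg = {3, 60, 100};
    for (time_t t = 1000; t < 1005; t++)
        printf("t=%ld admit=%d\n", (long)t, mcc_admit(&slot, &cfg, "TEST.SVRCONN", t, fake_pcf));
    printf("PCF calls: %d\n", pcf_calls);
    return 0;
}
```

Between refreshes the cached count can lag the real one, so the limit is enforced approximately; larger refresh values trade accuracy for lower overhead.
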
kiran123
Posted: Tue Apr 19, 2005 12:57 pm    Post subject: MQAUSX

Guest




Hello there,
We are actually using the beta version. I installed the product on one of our Linux boxes. I am using MQVisual Edit to make a client connection with the QMgr. When I give the user name and pwd, it's not allowing me to connect. But when I give NoAuth=Y in the initialization file, then without asking the userid or pwd it's connecting. Have anyone of you used this beta version. I need to know how to restrict the user access. Any help would be really appreciated.
Thanks
RogerLacroix
Posted: Tue Apr 19, 2005 1:19 pm

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

Hi,

On the server-side, what does it say in the logfile? i.e. /var/mqm/exits/mqausx.log

What OS and MQ version are you using on the server-side?

(1) If it is Windows, did you follow the information in section 3.1 of the MQAUSX Operation Manual ?

(2) If it is Unix/Linux, did you EXACTLY follow the information in section 3.2 of the MQAUSX Operation Manual ?

If you do NOT follow the security procedures then the security exit will fail.

To help resolve the issue, as per the manual, the LogMode iniFile parameter has 3 values: Q / N / V
Update the server-side iniFile, so that LogMode is set to V.

Delete your server-side logfile and then do the test again. Please post your logfile (or email it to me).

Quote:
Have anyone of you used this beta version.

Yes, there are a large number of users in the beta test program. I personally have successfully tested all platforms in the beta.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
kiran123
Posted: Wed Apr 20, 2005 6:11 am    Post subject: log and ini files

Guest




Here's the log file. However I could see that I am not passing the remote userid. Actually, where do we specify this userid?

2005/04/20 08:51:16 INFO MQAUSX #01992: ----------------------------------------------------------------------
2005/04/20 08:51:16 INFO MQAUSX #01998: MQAUSX version 0.0.8beta
2005/04/20 08:51:16 INFO MQAUSX #02001: SequenceNumberFlag = N
2005/04/20 08:51:16 INFO MQAUSX #02004: IniFile = /var/mqm/exits/mqausx.ini
2005/04/20 08:51:16 INFO MQAUSX #02007: LogMode = V
2005/04/20 08:51:16 INFO MQAUSX #02010: NoAuth = Y
2005/04/20 08:51:16 INFO MQAUSX #02013: UseAllowIP = N
2005/04/20 08:51:16 INFO MQAUSX #02016: UseMCC = N
2005/04/20 08:51:16 INFO MQAUSX #02019: Allowmqm = N
2005/04/20 08:51:16 INFO MQAUSX #02022: AllowBlankUserID = N
2005/04/20 08:51:16 INFO MQAUSX #02025: UseProxy = N
2005/04/20 08:51:16 INFO MQAUSX #02028: UseFBV = N
2005/04/20 08:51:16 INFO MQAUSX #02031: UseServerName = N
2005/04/20 08:51:16 INFO MQAUSX #02035: LogFile = /var/mqm/exits/mqausx.log
2005/04/20 08:51:16 INFO MQAUSX #02038: AllowUserID = kvaddir
2005/04/20 08:51:16 INFO MQAUSX #02041: AllowIP = *
2005/04/20 08:51:16 INFO MQAUSX #02044: MaxChlConn = 0
2005/04/20 08:51:16 INFO MQAUSX #02047: MCCRedoSeconds = 60
2005/04/20 08:51:16 INFO MQAUSX #02050: MCCRedoCount = 100
2005/04/20 08:51:16 INFO MQAUSX #02053: ProxyFile= proxy.lst
2005/04/20 08:51:16 INFO MQAUSX #02056: ServerName =
2005/04/20 08:51:16 INFO MQAUSX #02059: FBVFile = userlist.auth
2005/04/20 08:51:16 INFO MQAUSX #02844: Computer host name is 'lin2dev'
2005/04/20 08:51:16 INFO MQAUSX #01246: IniFile=/var/mqm/exits/mqausx.ini
2005/04/20 08:51:16 INFO MQAUSX #01251: SecurityExitPath=/var/mqm/exits/
2005/04/20 08:51:16 INFO MQAUSX #01256: QMgrName=IBA1DEV
2005/04/20 08:51:16 INFO MQAUSX #01261: ChannelName=SYSTEM.ADMIN.SVRCONN
2005/04/20 08:51:16 INFO MQAUSX #01266: ConName=10.2.52.187
2005/04/20 08:51:16 INFO MQAUSX #01271: RemoteUserId=
2005/04/20 08:51:16 INFO MQAUSX #01275: --------------
2005/04/20 08:51:16 INFO MQAUSX #00356: RemoteUserId=
2005/04/20 08:51:16 ERROR MQAUSX #00583: Connection cannot have a blank UserID value.
2005/04/20 08:51:16 ERROR MQAUSX #01142: Connection rejected for QMgr='IBA1DEV' ChlName='SYSTEM.ADMIN.SVRCONN' ConName='10.2.52.187' RemoteUserID=''


and here's my ini file
LogMode=V
LogFile=/var/mqm/exits/mqausx.log
UseFBV = N
UseAllowIP=N
UseMCC=N
Allowmqm=N
NoAuth=Y
AllowBlankUserID=N
UseProxy=N
UseServerName=N
AllowUserID=kvaddir

I have configured the MQ visual edit as per the documentation only.

Thanks
Kiran
kiran123
Posted: Wed Apr 20, 2005 7:07 am    Post subject: MQAUSX

Guest




Hello,
I installed MQAUSX on a Linux box and followed the steps of 3.2 in the operational manual. I guess everything is fine on the server side, but the problem is on the client side. As you can see in my previous post, I am not sending any userid; that's why I am not able to establish a connection. I configured MQ Visual Edit as per the operational manual only, but where do we specify the userid and password? It's not asking me for the uid and pwd with the ini file as given in the previous post. I hope I am narrowing the problem.

Thanks for the help.
RogerLacroix
Posted: Wed Apr 20, 2005 8:42 am

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

Hi,
Quote:
However I could see that I am not passing the remote userid. Actually, where do we specify this userid?

In MQ Visual Edit, you specify the UserID on the 'Queue Manager Access Profile' window. i.e. File -> Open, select queue manager, click the Edit button. (UserID is the 3rd field.)

Quote:
NoAuth = Y

When you set NoAuth to Y then MQAUSX acts just like MQSSX, meaning that the client-side security exit is NOT REQUIRED. This is server-side only validation.

To do full authentication, remove NoAuth=Y or set NoAuth to N and then configure MQ Visual Edit as per the documentation. The RemoteUserID will not be used in full authentication mode. When you attempt to connect to the queue manager using MQ Visual Edit, the client-side security will popup a window asking for UserID, password and server-name. Fill the fields in and click ok.

Also, when setting the Jar file Location in MQ Visual Edit, use the Browse button because a typo is really easy and MQ Visual Edit will not complain about the typo (yes this is a bug!!).

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!