| Author |
Message
|
| RogerLacroix |
 Posted: Tue Jan 25, 2005 10:50 pm Post subject: Wanted Beta Testers |
 |
|
Jedi Knight
Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada
|
All,
This is an open invitation for the MQ community to freely test a new solution from Capitalware Inc.
The MQ Authenticate User Security Exit is a new solution that allows a company to fully authenticate a user who is accessing a WebSphere MQ resource. It verifies the User's UserID and Password (and possibly Domain Name) against the server's native OS system (or domain controller).
The security exit will operate with WebSphere MQ v5.3 (and MQSeries v5.2) in Windows, Unix and Linux environments. It works with Server Connection Channels and / or Client Connection Channels of WebSphere MQ queue manager.
The Authenticate User Security Exit solution is comprised of 2 components: client-side security exit and server-side security exit.
Supported server-side security exit for the beta:
- IBM AIX
- HP-UX
- Linux - Red Hat
- Sun Solaris
- Windows XP/NT/2000/20003
Tested client-side security exit:
- IBM's MQ Explorer
- SupportPac MO71 (MQMon)
- IBM's WBIMB Eclipse Tool Kit
- Mercury's SiteScope
- Capitalware's MQ Visual Edit
- Capitalware's MQ Visual Browse
- Capitalware's MQ Batch Toolkit
- Any program that uses Client Channel Tables (i.e. SupportPac MS03)
Click here to read an overview of MQ Authenticate User Security Exit.
To join this free beta program, click this link.
Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
 |
| RogerLacroix |
| Posted: Wed Jan 26, 2005 8:59 pm Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada
|
All,
I forgot to mention that the beta will run from now until March 31, 2005.
Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Mon Feb 28, 2005 8:38 am Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada
|
All,
I have added 2 new features to the MQ Authenticate User Security Exit solution. The new features are:- Limit the number of incoming channel connections on a SVRCONN channel.
- Allow or restrict incoming IP address against a regular expression pattern
MQAUSX is using a basic regular expression parser that I put together. Here is a list of its major features:'*' matches any sequence of characters (zero or more)
'?' matches any single character
[SET] matches any character in the specified set,
[!SET] matches any character not in the specified set. Click here to read an overview of MQ Authenticate User Security Exit.
The beta program will run from now until March 31, 2005.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Tue Mar 01, 2005 4:23 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7716
|
| RogerLacroix wrote: |
The new features are:
Limit the number of incoming channel connections on a SVRCONN channel.
|
Roger, how are you accomplishing this? The link provided did not explain. The reason I ask is that we are starting to play with Support Pack ME71, and wonder if MQAUSX can provide all we need in this regard (max channel instances for a SVRCONN) as well.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Tue Mar 01, 2005 5:26 pm Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada
|
Hi Peter,
| Quote: |
| Roger, how are you accomplishing this? |
Magic!   Ah come on, you want me to give out ALL my secrets. Actually, after some initial verification & validation, the server-side security exit issues a PCF command for that particular channel. Yes, there is some overhead in issuing the PCF command but I've kept it to a minimum.
| Quote: |
| The reason I ask is that we are starting to play with Support Pack ME71 |
ME71 is a very robust exit in that it calculates max connection for each channel and for the entire queue manager plus it saves the state of these connections across calls.
| Quote: |
| wonder if MQAUSX can provide all we need in this regard (max channel instances for a SVRCONN) as well. |
I hope so.
Actually, some of my beta testers have expressed an interest me creating a non-Authenticate User Security Exit but with all the features of MQAUSX. In other words, there would only be a server-side security exit (no client-side) with the following features:
- Allow or restrict incoming UserID against regular expression patterns
- File based UserID lookup (just UserID no password) - I'm not sure about this one!
- Proxy ID support / substitution
- Allow or restrict incoming IP address against regular expression patterns
- Limit the number of incoming channel connections on a SVRCONN channel.
- Allow or restrict the use of 'mqm', 'MUSER_MQADMIN' or 'QMQM' UserIDs
If my beta testers don't report any show stopper bugs, then I'll create this security exit this week.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Wed Mar 02, 2005 5:55 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7716
|
We need the functionality of ME71 until IBM makes this part of the base product (the ability to limit the # of channel instances). We kept putting it off, as I did not want to go into production with a Cat 2 Pack.
It would be ideal if MQAUSX did this. When I ask how you do it, it is for these 2 reasons:
1.)How do I tell Channel#1 to allow 100 connections? or 10 Connections? i.e. how do I configure this option in MQAUSX?
2.)ME71 warns of performance implicatrions in a failover situation, as hundreds of channels all try and start up on QM2, ME71 has a lot of putting and getting to do from dynamic queues. Will MQAUSX have the same problem? (don't know how big a problem that is)
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Wed Mar 02, 2005 8:32 am Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada
|
Hi,
| Quote: |
| It would be ideal if MQAUSX did this. |
That's my goal. To make MQAUSX very attractive.
| Quote: |
| 1.)How do I tell Channel#1 to allow 100 connections? or 10 Connections? i.e. how do I configure this option in MQAUSX? |
For those beta testers that have joined the beta test program, this information is in chapter 3.4 of the manual.
Basically, it is controlled by putting your channel name and max limit in the iniFile.
i.e.
| Code: |
SYSTEM.ADMIN.SVRCONN=5
ABC.CH01=50
DEF.CH01=40
SYSTEM.DEF.SVRCONN=5
DefaultMCC=25 |
The 'DefaultMCC' means if the channel name is not in the iniFile then use this default value for max number of channel connections.
| Quote: |
| 2.)ME71 warns of performance implicatrions in a failover situation, as hundreds of channels all try and start up on QM2, ME71 has a lot of putting and getting to do from dynamic queues. Will MQAUSX have the same problem? (don't know how big a problem that is) |
Yes, I would agree with that statement.
I decided not to add such robust functionality. I went with the KIS approach. If the 'UseMCC' keyword is missing or set to 'N' then no PCF commands are sent.
If the 'UseMCC' keyword is 'Y' AND the channel name is found in the iniFile (or DefaultMCC) then after the server-side security exit has done some validation & verification of the incoming security request then it does the PCF command:
| Code: |
MQCONN
MQOPEN TempQ
MQPUT1 to Command Server
MQGET reply
MQCLOSE
MQDISC |
Therefore, there is a performance hit when switching on MCC but appears to be in the 150 ms range. I will need to do some performance testing to get an exact number (it may be even lower!!!).
MQAUSX does NOT save the state of the 'number of connections' or 'limits' or 'max number of connections' to temp queues like ME71. Saving state is not a bad thing; I just chose to keep it as simple as possible.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Wed Mar 09, 2005 10:54 am Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada
|
All,
I have created a new beta release of MQAUSX that includes the following features:
- Ability to turn off authentication with 'NoAuth' keyword
- Allow or restrict incoming UserID against a regular expression pattern when NoAuth is enabled.
- Added the AllowBlankUserID keyword that is only used when NoAuth is enabled.
When authentication is turned off, all other features of the server-side security exit function as normal. A client-side security exit is not required when authentication is turned off.
Now you have a solution that covers all types of security exit needs.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Mon Mar 14, 2005 8:49 pm Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada
|
All,
I have created a new security exit called MQ Standard Security Exit. It is a non-authenticating security exit. In other words, there is only a server-side security exit (no client-side exit). Basically, it is equivalent to the MQ Authenticate User Security Exit with the NoAuth keyword set to yes.
It has all the features of MQ Authenticate User Security Exit (except the authentication feature was removed). Here is a list of features:
- Allow or restrict the incoming UserID against a regular expression pattern
- Proxy ID support
- Allow or restrict the incoming IP address against a regular expression pattern
- Limit the number of incoming channel connections on a SVRCONN channel.
- Allow or restrict the use of 'mqm', 'MUSER_MQADMIN' or 'QMQM' UserIDs
Supported server-side security exit platforms for the beta:
- IBM AIX
- HP-UX
- Linux - Red Hat
- Sun Solaris
- Windows XP/NT/2000/20003 Click here to read an overview of MQ Standard User Security Exit.
To join this free beta program, click this link.
The beta program will run from now until March 31, 2005.
Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| GregJ |
| Posted: Wed Mar 16, 2005 10:36 am Post subject: |
|
|
Acolyte
Joined: 24 Oct 2001
Posts: 69
Location: Markham, On. Canada
|
I was playing with ME71 in my windows environment, but have yet to have it successfully compiled in Hp Ux. I downloaded your Standard Security Exit this morning, and have already got it working as I had hoped it would in both my Hp Ux and windows env's.
Me, I like it.....
G |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Thu Mar 17, 2005 7:27 am Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada
|
Excellent.  It is nice to have happy users.
And to continue that feeling, I have extended the beta program until the end of April.
There has been a large rush of people joining the beta program over the last 2 weeks. I am still proceeding with the GA versions of the products in April but to give the new people time to test and to give some overlap between the beta program and the GA release, I have extended the beta program until April 30, 2005.
To join this free beta program, click this link.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| webguynj |
| Posted: Thu Mar 17, 2005 1:34 pm Post subject: OS400? |
|
|
Newbie
Joined: 09 Mar 2005
Posts: 2
|
| Do you have any plans to implement this on the OS400 platform? |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Thu Mar 17, 2005 2:02 pm Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada
|
Hi,
I have had limited interested in a version for OS/400. The z/OS crowd and even zLinux crowd have requested those versions with the 'if you built, they will come'.
Actually, a colleague has given me access to an OS/400 box with a C compiler but since the 'z' crowd have been very proactive/vocal, I'm building the exits for those environments first.
Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Thu Mar 17, 2005 4:23 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7716
|
Roger, barring any problems, do you see Version 1.0 ( the official release we can start deploying) coming out on 05-01-2005?
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Thu Mar 17, 2005 4:39 pm Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada
|
Hi Peter,
Assuming no show stopper bugs, no new cool 'user requested' features, then the GA date is Monday April 4, 2005.
So if I have money in hand,  then you can deploy on April 4, 2005.
Like I mentioned, there will be some overlap between the GA product and beta test program. Actually, I will probably not take any more 'new' people into the beta program after April 4.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
|
|
