Blocking IP Addresses From MQ |
Abishaik |
Posted: Tue Apr 23, 2002 5:41 pm Post subject: |
|
|
Newbie
Joined: 22 Apr 2002 Posts: 4 Location: Japan
|
I would like to limit the systems (Clients) that can connect to the MQ series server (Running on Win'2000). We wanted to make this restriction IP based and implicitly done by MQ. IP address cannot be entered by the Client as a part of the message, since that would defeat the purpose of the authentication. So, is there some way of identifying the IP of the connecting system implicitly?
This is basically to implement a client authentication mechanism. Any ideas/input in this regard, will be helpful.
_________________ Thanks,
Abishaik. |
oz1ccg |
Posted: Tue Apr 23, 2002 11:50 pm Post subject: |
|
|
 Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
|
I guess you have to write a security exit to do the trick.
In the security exit you then can check the incoming IP_ADDR, which will be presented in ConnectionName in MQCD (Channel data structure).
In support pack MS05 is a good beginning on how to code such an exit, but I'm sorry to tell that IBM have removed it from the support pack site, if you want a sample, send me a mail, and I'll send it directly to you.
_________________ Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT. |
mrlinux |
Posted: Wed Apr 24, 2002 4:50 am Post subject: |
|
|
 Grand Master
Joined: 14 Feb 2002 Posts: 1261 Location: Detroit,MI USA
|
Well, if you want to wait until June, WebSphere MQ v5.3 will support what you want to do without writing a security exit.
_________________ Jeff
IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries |
afra |
Posted: Wed Dec 11, 2002 7:52 am Post subject: |
|
|
Novice
Joined: 11 Apr 2002 Posts: 12
|
Hi Jeff,
how can I block IP addresses using MQ 5.3 - I didn't find anything! |
MichaelR |
Posted: Thu Dec 12, 2002 6:59 am Post subject: MQ blocking IP addresses... |
|
|
Apprentice
Joined: 20 May 2002 Posts: 37 Location: Tampa
|
I suspect Jeff was referring to the use of SSL with MQ 5.3. This involves the use of Digital Certificates for authentication, not IP addresses. DCerts would be preferred if you are using DHCP to assign IP addresses.
If you want to restrict incoming MQ connections based upon IP address, you will still need to implement an MQ security exit program. This applies to MQ 5.3 as well as 5.2.
As "oz1ccg" indicated, the remote's IP address is contained in the CONNAME field of the MQCD structure. This is available to the host side when a Security Exit is invoked with exit reason MQXR_INIT_SEC.
While the documentation indicates that Security Exits typically work in "pairs", this is the exception. This method works without having to deploy a Security Exit to your clients.
Hope this helps....
MichaelR
oz1ccg |
Posted: Sun Dec 22, 2002 1:39 pm Post subject: |
|
|
 Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
|
Hi Folks,
It's Christmas time and time for a small gift from me to all of you. I've just created a small security exit that can block incoming traffic based on the connection name as explained before in this thread.
The very tiny description says:
Quote: |
BlockIP security exit, this exit is designed to only allow certain incoming MQSeries connection attempts, so the system MQSeries administrator can keep his system protected against intruders.
BlockIP gets information about what calls to pass from SCYDATA(), which allows trailing wildcard, like 172.20.* which will allow all incoming calls from the 172.20.xx.xx network. BlockIP only supports one mask, but you can use BlockIP on many channels to hopefully solve some of your needs. |
Currently it's tested on some Windows platforms.
You can find it on my tips and tricks page, just look for BlockIP:
http://d1o110.dk.telia.net/~u149101068/tips_and_tricks.htm
just my $0.02  _________________ Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT. |
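
An added example (not BlockIP's code and not written by anyone in this thread) of the check the thread describes: comparing the connecting partner's connection name with a single trailing-wildcard mask supplied as security exit data. The field widths, the names `field_len`, `fill` and `conn_allowed`, and the rule that the wildcard must follow a dot are assumptions of this example; a real exit would receive both fields from the MQCD structure through IBM's exit headers.

```c
#include <stdio.h>
#include <string.h>

/* Assumed widths; both fields are blank-padded, not C strings. */
#define CONN_NAME_LEN 264
#define SCY_DATA_LEN   32

/* Length of a field up to the first NUL, trailing blanks stripped. */
static size_t field_len(const char *f, size_t width)
{
    const char *nul = memchr(f, '\0', width);
    if (nul != NULL) width = (size_t)(nul - f);
    while (width > 0 && f[width - 1] == ' ') width--;
    return width;
}

/* Copy s into a blank-padded field (builds the constructed samples). */
static void fill(char *dst, size_t width, const char *s)
{
    size_t n = strlen(s);
    memset(dst, ' ', width);
    memcpy(dst, s, n < width ? n : width);
}

/* Returns 1 to allow the connection, 0 to reject. Fails closed. */
int conn_allowed(const char *conn, const char *mask)
{
    size_t clen = field_len(conn, CONN_NAME_LEN);
    size_t mlen = field_len(mask, SCY_DATA_LEN);
    /* Empty field, or a '*' anywhere but the last position: reject. */
    if (clen == 0 || mlen == 0 || memchr(mask, '*', mlen - 1) != NULL)
        return 0;
    if (mask[mlen - 1] != '*')           /* no wildcard: exact match */
        return clen == mlen && memcmp(conn, mask, mlen) == 0;
    mlen--;                              /* drop the trailing '*' */
    /* Prefix must end on a dot, so "172.2*" cannot admit 172.20-172.29. */
    if (mlen == 0 || mask[mlen - 1] != '.')
        return 0;
    return clen > mlen && memcmp(conn, mask, mlen) == 0;
}

int main(void)
{
    char conn[CONN_NAME_LEN], mask[SCY_DATA_LEN];
    fill(mask, sizeof mask, "172.20.*");          /* constructed mask */
    fill(conn, sizeof conn, "172.20.14.7");       /* constructed peer */
    printf("allow=%d\n", conn_allowed(conn, mask));
    return 0;
}
```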