ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General Discussion » Security Exit on Sencer Channel

Post new topic  Reply to topic
 Security Exit on Sencer Channel « View previous topic :: View next topic » 
Author Message
mq_kid
PostPosted: Wed Sep 20, 2006 9:07 am    Post subject: Security Exit on Sencer Channel Reply with quote

Newbie

Joined: 20 Sep 2006
Posts: 2
Hi There,

I'm new to MQ area. I have a situation where my external verdor suggesting to use a security exit on my sender channel containing user id and password.
Here are my questions:
1. How should I compile it on my Sun Solaris box.
2. Once its compiled, how can I use it? Can I just save compiled version
on a specific folder and call it from my Sender Channel, Which
attribute I will be using it. Probably I can find out which attribute to use
it.
3. How simple/complex this procedure is?

Any help would be highly appreciated.

The suggested security exit is as follows:

This exit should be built and installed in the SDR channel transmitting
messages. For additional information please see the IBM MQSeries document MQSeries Intercommunication.

Sample Security Exit coded in C.
/*-----------------------------------------------------------------------*/
/*
/* Sample Sender Security Exit */
/* */
/* Replace the "A000Userid Password" for your company */
/* */
/* standard headers */
extern "C" {
#include <stdio.h>
#include <string.h>
#include <cmqc.h> /* For MQI datatypes */
#include <cmqxc.h> /* For MQI exit-related definitions */
void MQStart() {;} /* dummy entry point */
void MQENTRY MQCHLSEC( PMQCXP pChannelExitParams,
PMQCD pChannelsDefinition,
PMQLONG pDataLength,
PMQLONG pAgentBufferLength,
PMQBYTE pAgentBuffer,
PMQLONG pExitBufferLength,
PMQPTR pExitBufferAddr)
{
pChannelExitParams->ExitResponse = MQXCC_OK;
pChannelExitParams->Feedback = 0;
switch ( pChannelExitParams-> ExitReason )
{
case MQXR_INIT:
break;
case MQXR_INIT_SEC:
break;
case MQXR_SEC_MSG:
*pDataLength = 20;
pChannelExitParams->ExitResponse = MQXCC_SEND_SEC_MSG;
/******CHANGE userid/password in the following line:********/
strncpy( (char *)pAgentBuffer, "A000Userid Password\0", 21 );
/******END OF CHANGE userid/password:********************/
break;
case MQXR_TERM:
break;
default:
break;
} /* switch */
return;
} /* END OF void MQENTRY MQCHLSEC( */
} /* END OF extern "C" { */

Thank you,
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed Sep 20, 2006 2:48 pm    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
Security exits are not for the faint of heart. You need to be well versed in the MQ Documentation, have a good knowledge of c and the quirks of the different c compilers and linkers and follow the manuals...

Or just buy a solution from a vendor:
think Capitalware & many others...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
wschutz
PostPosted: Wed Sep 20, 2006 4:08 pm    Post subject: Reply with quote

Jedi Knight

Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
Quote:
For additional information please see the IBM MQSeries document MQSeries Intercommunication.

_________________
-wayne
Back to top
View user's profile Send private message Send e-mail AIM Address
RogerLacroix
PostPosted: Wed Sep 20, 2006 7:41 pm    Post subject: Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada
Hi,

First read AND understand the following web page:
http://www.mqseries.net/phpBB2/viewtopic.php?t=20523

Any Java program can exploit this security hole. Here is an explanation of the problem that I wrote for MQ Visual Edit (a Java program).
http://www.mqseries.net/phpBB2/viewtopic.php?t=17842

It is a little more difficult to exploit in MQ Explorer, MO71 (MQMon), RFHUtil, etc.. but it can be done with a dummy client-side security exit like the one I posted here. When you use any client-side security exit, MQ automatically blanks out the UserId!!! Weird, but true.
http://www.mqseries.net/phpBB2/viewtopic.php?t=21782

As far as compiling it, look in the manuals: Intercommunication and Application Programming Guide.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
SJ
PostPosted: Thu Sep 21, 2006 8:55 am    Post subject: Reply with quote

Newbie

Joined: 02 May 2003
Posts: 8
Location: US
Roger, does the same security hole exit when using sender/receiver channels? I didn't think there was any userid information passed in the channel negotiation sequence for sender/receiver channels. I believe that is the reason for specifically asking for it via something like

Code:
       case MQXR_INIT_SEC:          /* initiate security exchange */
                *pDataLength = 9;
                pCEP->ExitResponse = MQXCC_SEND_SEC_MSG;
                strncpy( (char *) pAgentBuffer, "WHOAREYOU\0", 10 );
                break;


Regards Steve.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » General Discussion » Security Exit on Sencer Channel
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
  
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.