MQAUSX
RocknRambo
Posted: Mon Feb 15, 2010 6:24 am Post subject: MQAUSX

Partisan

Joined: 24 Sep 2003
Posts: 355

MQ Authenticate User Security Exit v1.3.0.

We are trying to implement the Capitalware Security product. In using the same, one of our test cases is to validate the client connection to a Queue Manager. Does the client have to install any component of Capitalware on their system, or is the product entirely transparent to the client application?

We are looking for the paid server-side security exits.


Roger, any comments?


--RR
Michael Dag
Posted: Mon Feb 15, 2010 6:58 am

Jedi Knight

Joined: 13 Jun 2002
Posts: 2602
Location: The Netherlands (Amsterdam)

I think V1.5.0 is the latest release:
http://www.mqseries.net/phpBB2/viewtopic.php?t=52226

Although Roger is here frequently, if you need help quickly it's better to e-mail him directly.
_________________
Michael



shashivarungupta
Posted: Mon Feb 15, 2010 7:02 am Post subject: Re: MQAUSX

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

RocknRambo wrote:
MQ Authenticate User Security Exit v1.3.0.

We are trying to implement the Capitalware Security product. In using the same, one of our test cases is to validate the client connection to a Queue Manager. Does the client have to install any component of Capitalware on their system, or is the product entirely transparent to the client application?

We are looking for the paid server-side security exits.

Roger, any comments?

--RR


Just the MQAUSX Jar file at the client side library.
You can also refer to the documents that are provided by Roger on his Capitalware site; everything is mentioned there with the specific steps. (All are categorised based on the platform.)
_________________
*Life will beat you down, you need to decide to fight back or leave it.
RocknRambo
Posted: Mon Feb 15, 2010 9:16 am

Partisan

Joined: 24 Sep 2003
Posts: 355

Considering the latest version V1.5.0, do we still need to have some components (.jar) of Capitalware on the client application ?

Our application teams are reluctant to install any kind of software on their systems.

Any pointings?

--
RR
shashivarungupta
Posted: Mon Feb 15, 2010 9:24 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

RocknRambo wrote:
Considering the latest version V1.5.0, do we still need to have some components (.jar) of Capitalware on the client application ?

Our application teams are reluctant to install any kind of software on their systems.

Any pointings?

--
RR


I didn't get a chance to work on 1.5.0, though I was on the 1.3.x versions, and there it was required. I believe Roger or someone who has worked on that could better advise you.
I would still give emphasis to the docs that Roger used to provide, as I followed them every time while implementing the security exit, so you can follow them.
_________________
*Life will beat you down, you need to decide to fight back or leave it.
bruce2359
Posted: Mon Feb 15, 2010 9:29 am

Poobah

Joined: 05 Jan 2008
Posts: 9397
Location: US: west coast, almost. Otherwise, enroute.

Quote:
Considering the latest version V1.5.0, do we still need to have some components (.jar) of Capitalware on the client application ?

Yes, as the Capitalware documentation describes. Follow the Capitalware installation instructions.

Quote:
Our application teams are reluctant to install any kind of software on their systems.

Smack them with something.

Quote:
Any pointings?

Yes, as suggested here, follow the Capitalware installation documentation.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
shashivarungupta
Posted: Mon Feb 15, 2010 9:37 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

bruce2359 wrote:
Quote:
Considering the latest version V1.5.0, do we still need to have some components (.jar) of Capitalware on the client application ?

Yes, as the Capitalware documentation describes. Follow the Capitalware installation instructions.


Ya... logically thinking.. it has to be true and I agree on that as well.. as the functionality at the client side is hard to change all the way. I agree with you bruce2359.


bruce2359 wrote:

Quote:
Our application teams are reluctant to install any kind of software on their systems.

Smack them with something.


There is no big change that they have to make... just the inclusion of the jar file, that's it.
There is nothing new: when it comes to the application team, they are always reluctant, but when it comes to the MQ/middleware group, they come by in no time.
Smacking... hmmm... not a bad idea... don't use the baseball bat.
_________________
*Life will beat you down, you need to decide to fight back or leave it.
RogerLacroix
Posted: Mon Feb 15, 2010 10:33 am Post subject: Re: MQAUSX

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

Hello RocknRambo,

I don't mind discussing MQAUSX in public but for faster support you can email Capitalware at support@capitalware.biz (or call me) as I usually check mqseries.net once a day (too busy writing code for new products these days). Also, you should be using MQAUSX v1.5.0 (it is a free upgrade).

RocknRambo wrote:
We are trying to implement the Capitalware Security product. In using the same, one of our test cases is to validate the client connection to a Queue Manager. Does the client have to install any component of Capitalware on their system, or is the product entirely transparent to the client application?

MQAUSX is actually 3 products in one:

1. If the client application is configured with the client-side security exit then the user credentials are encrypted. This is the best level of security.

2. If the client application is not configured with the client-side security exit then the user credentials are sent in plain text. This feature is available for Java/JMS, Java and C# DotNet client applications. For native applications (i.e. C/C++), then the application must use and populate the MQCSP structure with the UserID and Password. (See the samples supplied in the Samples directory of the download archive or CD.)

3. If the MQAdmin sets the MQAUSX IniFile parameter “NoAuth=Y” then it functions just like MQSSX. (MQSSX can verify incoming UserID and/or IP address but it does not authenticate user credentials.)

Please let me know if you have any questions or comments.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
PeterPotkay
Posted: Mon Feb 15, 2010 2:07 pm

Poobah

Joined: 15 May 2001
Posts: 7717

So #1 requires MQAUSX software on the client side and #2 and #3 do not.
_________________
Peter Potkay
Keep Calm and MQ On
RogerLacroix
Posted: Mon Feb 15, 2010 2:16 pm

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

PeterPotkay wrote:
So #1 requires MQAUSX software on the client side and #2 and #3 do not.

Exactly.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
RocknRambo
Posted: Wed Mar 24, 2010 9:38 am

Partisan

Joined: 24 Sep 2003
Posts: 355

We are doing a quick POC on the MQAUSX implementation, wondering if we can achieve the following -

We have two queue managers (QM1 & QM2), there are applications interacting with QM1 & QM2, and there is an inter-Queue Manager connection b/w QM1 and QM2.

We want to implement MQAUSX for QM2 which is securing all the interactions which impacts all the applications which are connecting to QM2 using client-side exits and as well as the inter QM connection using server-side channel exit.

Now, the question we have is - Will there be an impact on the applications interacting with QM1? Can we just secure the inter queue manager connectivity b/w QM1 and QM2 and NOT disturb the applications interacting with QM1? is it possible or do we have options for the same ?

Thanks for any pointing,

-RR
shashivarungupta
Posted: Wed Mar 24, 2010 10:10 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

RocknRambo wrote:
...
We want to implement MQAUSX for QM2 which is securing all the interactions which impacts all the applications which are connecting to QM2 using client-side exits and as well as the inter QM connection using server-side channel exit.

By the way, how have you planned to do that?

RocknRambo wrote:

Now, the question we have is - Will there be an impact on the applications interacting with QM1? Can we just secure the inter queue manager connectivity b/w QM1 and QM2 and NOT disturb the applications interacting with QM1? is it possible or do we have options for the same ?


Have you been through the Capitalware manuals?
Do you have a cluster set up in the system? If yes, then as a suggestion you can of course set up the cluster security between the queue managers within that cluster.

If the applications are connecting to the qmgr, say QMx, then the channels have to be secured, with the params security exit name and security exit data set as instructed by Roger. If you face any problem, then look into the log of the MQAUSX exit.
_________________
*Life will beat you down, you need to decide to fight back or leave it.
shashivarungupta
Posted: Wed Mar 24, 2010 10:22 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

Quote:
We are doing a quick POC on the MQAUSX implementation..

Most importantly, take care of the PERMISSIONS over the FILES (some of 'em do require ROOT-level access). Don't miss it by any chance.
And, of course, the mqausx.ini file and its parameters.
_________________
*Life will beat you down, you need to decide to fight back or leave it.
RocknRambo
Posted: Wed Mar 24, 2010 10:44 am

Partisan

Joined: 24 Sep 2003
Posts: 355

shashi - Maybe I didn't phrase it correctly. My question is: can we configure a queue manager such that only selected channels are secured? Let's say QM1 has 5 sndr/rcvr channels which are used by 5 different applications (one each); can we secure only 2 sndr/rcvr channels such that the other 3 applications have NO impact?

again this is a question, looking for feasibility options

Thanks

-RR
fjb_saper
Posted: Wed Mar 24, 2010 10:55 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

RocknRambo wrote:
shashi - Maybe I didn't phrase it correctly. My question is: can we configure a queue manager such that only selected channels are secured? Let's say QM1 has 5 sndr/rcvr channels which are used by 5 different applications (one each); can we secure only 2 sndr/rcvr channels such that the other 3 applications have NO impact?

again this is a question, looking for feasibility options

Thanks

-RR

This is like closing the barn door after the horses left...
You either secure all channels and attached qmgrs on the MQ network or you don't have a secure qmgr.
_________________
MQ & Broker admin
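
The security exit name and security exit data discussed in this thread are set per channel, so a channel listing shows which channels on a queue manager have no security exit at all. The following is an added example, not part of the original thread or of Capitalware's documentation: it parses constructed `runmqsc` output for `DISPLAY CHANNEL(*) CHLTYPE SCYEXIT` and lists the channels whose `SCYEXIT` is blank. The channel names and the exit path are placeholders.

```python
import re

# Constructed sample of runmqsc output for: DISPLAY CHANNEL(*) CHLTYPE SCYEXIT
# Channel names and the exit path are placeholders, not values from the thread.
SAMPLE_RUNMQSC_OUTPUT = """\
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   SCYEXIT(/path/to/exit(EntryPoint))
AMQ8414: Display Channel details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   SCYEXIT( )
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(RCVR)
   SCYEXIT(/path/to/exit(EntryPoint))
AMQ8414: Display Channel details.
   CHANNEL(QM2.TO.QM1)                     CHLTYPE(SDR)
   SCYEXIT( )
"""

_ATTR = re.compile(r"([A-Z]+)\(")

def parse_attrs(text):
    """Return {KEYWORD: value} for KEYWORD(value) pairs; values may nest parentheses."""
    attrs, pos = {}, 0
    while True:
        m = _ATTR.search(text, pos)
        if not m:
            return attrs
        depth, end = 1, m.end()
        while end < len(text) and depth:      # walk to the matching ')'
            if text[end] == "(":
                depth += 1
            elif text[end] == ")":
                depth -= 1
            end += 1
        attrs[m.group(1)] = text[m.end():end - 1].strip()
        pos = end

def channels_without_exit(output):
    """List (channel, type) pairs whose SCYEXIT attribute is blank or absent."""
    missing = []
    for record in re.split(r"^AMQ8414:.*$", output, flags=re.MULTILINE):
        attrs = parse_attrs(record)
        if "CHANNEL" in attrs and not attrs.get("SCYEXIT", ""):
            missing.append((attrs["CHANNEL"], attrs.get("CHLTYPE", "?")))
    return missing

if __name__ == "__main__":
    for name, chltype in channels_without_exit(SAMPLE_RUNMQSC_OUTPUT):
        print(f"no security exit: {name} ({chltype})")
```

A blank `SCYEXIT` only means no security exit is named on that channel; other controls on the channel are outside what this listing shows.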