WMQ Explorer with Client Security Exit |
Mirage |
Posted: Wed May 26, 2010 7:52 am Post subject: WMQ Explorer with Client Security Exit |
|
|
 Apprentice
Joined: 30 Nov 2004 Posts: 44 Location: IL
|
Hi,
We are facing a weird issue with WMQ Explorer (V7) and the Client Side Security exit. The issue is that WMQ Explorer is invoking the user exit for every action we take within the QM after initial connection.
More Info:
1. We've a Java Client user exit configured with the WMQ Explorer and a corresponding C Server exit on the server side.
2. When we initially connect to the QM, the java user exit will prompt for the Password.
3. The password is validated with our LDAP server first and if it's a valid password then the client user exit works in sync with the server user exit and opens the connection on the channel with the user id as MCAUSER
This is working great.
The problem is that, after you connect to the QM, for every browse/put operation within Explorer the user exit is invoked.
From the user exit logs we can see that Explorer is opening a new connection for every put/browse and hence our client user exit gets executed and hence the prompt for password.
This is an annoying issue, since as an Admin, you may want to browse queues to resolve issues and for every browse we get the password prompt, even after connecting to the QM.
We have both V7 and V6 queue managers in our environment and with V7 queue managers, when we set the Shared Conversations to 10, WMQ explorer does not invoke the user exit for every browse/put. If we change the Shared Conversations to 0 then for every browse the user exit is invoked.
Since shared conversations is not supported on V6, we see the user exit invoking every time on V6 QMs.
Questions:
Why doesn't MQ Explorer use the same connection that it got when we initially connected to a QM? [like a Java App]
Why does it need a connection for every browse you do?
Is there a way to set like a connection pool within MQ Explorer? [like a multithreaded Java App]
Are there any other options that we can use in coding the client security exit, like to keep track of the current connection or to check if already connected ..etc?
Please share your thoughts and how this issue can be resolved. Please let me know if any of the above information is incomplete and if more details are needed.
I've searched the forum and I'm now aware that Capitalware Inc's exit has a similar functionality. [validating users with LDAP from WMQ Explorer]. I'm wondering how this issue with multiple invocations is fixed?
We do have BlockIP2 configured in test environment, but we would like to use this custom user exit with only WMQ Explorer and restrict the access only to Admins.
Thanks
Raghu |
|
fjb_saper |
Posted: Wed May 26, 2010 2:27 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Are you sure you are using the SECURITY exit? You are writing about "user" exit...  _________________ MQ & Broker admin |
|
gbaddeley |
Posted: Wed May 26, 2010 3:04 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
fjb_saper wrote: |
Are you sure you are using the SECURITY exit? You are writing about "user" exit...  |
"channel security exit" is one of the many possible "user exits" that users can write for MQ.
Looks like MQ and Explorer are behaving as designed and the security exit (no source was given) is not handling authentication of multiple connects to the same qmgr from the same client user. _________________ Glenn |
|
Mirage |
Posted: Thu May 27, 2010 5:32 am Post subject: |
|
|
 Apprentice
Joined: 30 Nov 2004 Posts: 44 Location: IL
|
gbaddeley wrote: |
"channel security exit" is one of the many possible "user exits" that users can write for MQ.
Looks like MQ and Explorer are behaving as designed and the security exit (no source was given) is not handling authentication of multiple connects to the same qmgr from the same client user. |
Hi,
Could you please elaborate more on how this can be achieved within the client security exit?
I'll post the source code of our exit in another post. Please check the source code.
Thanks. |
|
RogerLacroix |
Posted: Thu May 27, 2010 12:22 pm Post subject: Re: WMQ Explorer with Client Security Exit |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
Mirage wrote: |
The issue is that WMQ Explorer is invoking the user exit for every action we take within the QM after initial connection. |
Yes, that is exactly what will happen. MQ Explorer was not written to be client-side security exit friendly. Nothing is reused.
MQ Explorer was written so that every action causes a new thread to be started and a new connection request to be started.
SupportPac MO71 and IH03 (rfhutilc) have similar issues. Even my own MQ Visual Edit/Browse products have similar issues.
Mirage wrote: |
1. We've a Java Client user exit configured with the WMQ Explorer and a corresponding C Server exit on the server side.
2. When we initially connect to the QM, the java user exit will prompt for the Password.
3. The password is validated with our LDAP server first and if it's a valid password then the client user exit works in sync with the server user exit and opens the connection on the channel with the user id as MCAUSER |
My, that sounds way, way too much like MQAUSX. Since MQAUSX was launched in April 2005, sounds like someone "may" have done a little reverse engineering.
Mirage wrote: |
Why doesn't MQ Explorer use the same connection that it got when we initially connected to a QM? [like a Java App] |
Because that is not how it is written.
Mirage wrote: |
Why does it need a connection for every browse you do? |
Because that is how it is written.
Mirage wrote: |
Is there a way to set like a connection pool within MQ Explorer? [like a multithreaded Java App] |
No.
Mirage wrote: |
Are there any other options that we can use in coding the client security exit, like to keep track of the current connection or to check if already connected ..etc? |
Yes. The answers are here.
Mirage wrote: |
I've searched the forum and I'm now aware that Capitalware Inc's exit has a similar functionality. [validating users with LDAP from WMQ Explorer]. I'm wondering how this issue with multiple invocations is fixed? |
By working closely with IBM.
WMQ v7 is riddled full of problems related to client-side security exits, i.e. MQ Explorer, Java, .NET, native, etc. I have at least 5 PMRs for issues for v7.0.0.0, v7.0.0.1, v7.0.1.0, v7.0.1.1 and v7.0.1.2. All of these eFixes are shared with our customers as soon as IBM makes them available.
Imitation is the sincerest form of flattery
Sorry, but I'm not amused (not at all!!!).
There is a show stopper bug in WMQ v7.0.1 & higher that will totally break your stuff.
http://www.mqseries.net/phpBB2/viewtopic.php?t=53780
Sometimes paying for a product and its support is well worth it!!!
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
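One way a client-side exit can keep track of an earlier successful prompt when every Explorer action arrives on a new thread and a new connection, as discussed above (an added example, not code from any poster in this thread, from IBM or from Capitalware). The class name, the queue manager/channel/user key and the 15-minute lifetime are assumptions; the exit is assumed to call `get` wherever it currently shows its password dialog, and the server-side exit is assumed to keep validating the password on every connection.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

// Added example (hypothetical names): per-JVM credential cache a client security exit could call.
public final class ExitCredentialCache {
    private static final class Entry {
        final char[] password; final long createdNanos;
        Entry(char[] p, long t) { password = p; createdNanos = t; }
    }
    private final Map<String, Entry> entries = new HashMap<>();
    private final long ttlNanos;

    public ExitCredentialCache(long ttlMillis) { this.ttlNanos = ttlMillis * 1_000_000L; }

    private static String key(String qmgr, String channel, String user) {
        return qmgr.trim() + '/' + channel.trim() + '/' + user.trim();
    }

    // Returns a copy of the password; prompts only when no unexpired entry exists.
    // synchronized: connections opened in parallel wait here, so only one prompt appears.
    public synchronized char[] get(String qmgr, String channel, String user, Supplier<char[]> prompt) {
        String k = key(qmgr, channel, user);
        Entry e = entries.get(k);
        if (e != null && System.nanoTime() - e.createdNanos < ttlNanos) {
            return e.password.clone();
        }
        invalidate(qmgr, channel, user);          // wipe the expired entry, if any
        char[] fresh = prompt.get();              // e.g. the exit's password dialog
        if (fresh == null) return null;           // user cancelled: cache nothing
        entries.put(k, new Entry(fresh, System.nanoTime()));
        return fresh.clone();
    }

    // Call when the server-side exit rejects the connection, so a bad or
    // changed password is not replayed on the next connect.
    public synchronized void invalidate(String qmgr, String channel, String user) {
        Entry old = entries.remove(key(qmgr, channel, user));
        if (old != null) Arrays.fill(old.password, '\0');
    }

    public static void main(String[] args) {
        ExitCredentialCache cache = new ExitCredentialCache(15 * 60 * 1000L);
        int[] prompts = {0};
        // Constructed values: queue manager, channel, user and password are samples.
        Supplier<char[]> dialog = () -> { prompts[0]++; return "constructed-pw".toCharArray(); };
        for (int i = 0; i < 3; i++) cache.get("QM1", "ADMIN.SVRCONN", "admin1", dialog);
        System.out.println("connects=3 prompts=" + prompts[0]);
    }
}
```

The cache holds the password in Explorer's JVM memory for the lifetime chosen, so the lifetime should be short and callers should zero the returned copy after building the security message.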
|
Mirage |
Posted: Thu May 27, 2010 1:22 pm Post subject: Re: WMQ Explorer with Client Security Exit |
|
|
 Apprentice
Joined: 30 Nov 2004 Posts: 44 Location: IL
|
RogerLacroix wrote: |
My that sounds way, way too much like MQAUSX. Since MQAUSX was launched in April 2005, sounds like someone "may" have done a little reverse engineering.
Imitation is the sincerest form of flattery
Sorry, but I'm not amused (not at all!!!).
Sometimes paying for a product and its support is well worth it!!!
|
Thanks for your response Roger.
I would like to clarify that there was no reverse engineering or copying of MQAUSX done.
This exit is written with the help of our Host team and MQ+Java teams and LDAP is used in our case as a replacement for the native RACF authentication that is already available on Host.
We did get a few ideas from BlockIP2 [overwriting MCAUSER]
Yes, we did face an issue with MQ 7.0.1.1 and java sec exit. We've opened a PMR and received the eFix IZ69820.
So, it looks like we do not have a way to overcome the new invocations with MQ Explorer from our code, as this is how MQ Explorer is designed.
I'm glad to get the confirmation from experts. We'll probably wait till we go to V7 in our environment to implement this new feature.
I do like the features that are available in your Product Roger. It's a call that has to be made at a higher level to purchase a product at our company, but yes, now I know that there is a product out there for our needs.
Thanks for your help  |
|
RogerLacroix |
Posted: Thu May 27, 2010 1:42 pm Post subject: Re: WMQ Explorer with Client Security Exit |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
Mirage wrote: |
Yes, we did face an issue with MQ 7.0.1.1 and java sec exit. We've opened a PMR and received the eFix IZ69820. |
Yes, that is one of the ones that I worked on with IBM at the beginning of February.
Mirage wrote: |
I do like the features that are available in your Product Roger. It's a call that has to be made at a higher level to purchase a product at our company, but yes, now I know that there is a product out there for our needs. |
You are more than welcome to try out MQAUSX. We offer free trial periods and the trial period includes free support (phone, email, help desk, etc..)
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|