MQSeries.net Forum » IBM MQ Security » MQ Security exit configuration step by step
joaquini
Posted: Fri Jul 01, 2011 5:45 am    Post subject: MQ Security exit configuration step by step

Newbie

Joined: 01 Jul 2011
Posts: 9

Hello team

I have been investigating security exits in many sources, but I have problems with the programming side: understanding how they work with the MQ connection on the client and server sides. Do you have a document that shows this integration step by step?
joaquini
Posted: Fri Jul 01, 2011 5:49 am

Newbie

Joined: 01 Jul 2011
Posts: 9

One more thing I want to add

I understand that once the C program is done and the set of policies is established, we need to indicate it in the channel parameters SCYEXIT and SCYDATA. I tried to understand how to link the variables with the MQ C program in order to adjust my solution, but I haven't had success. My question here is: do you have some examples of security exits that fit our solution? Or if I need to follow another path, let me know.
bruce2359
Posted: Fri Jul 01, 2011 5:58 am    Post subject: Re: MQ Security exit configuration step by step

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

joaquini wrote:

I have been investigating about Security exits ...

Where exactly have you been investigating?

Have you read the appropriate portions of the WMQ Application Programming Reference? The WMQ Application Programming Guide? Have you searched Google? What else?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Vitor
Posted: Fri Jul 01, 2011 7:03 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

joaquini wrote:
I try to understand how to link the variables with the MQ C program in order to adjust my solution, but I haven’t have success. My question here is do you have some examples of security exits to fit our solution? Or if I need to follow up other path let me know.


You need to be aware that exits are an advanced WMQ topic with serious risks attached. A poorly written exit will kill queue manager performance, a badly written exit will kill the queue manager.

You need to be very comfortable with C, have fully read the relevant sections in the APG, reviewed the very helpful information Roger has posted in this forum and be very certain what you're trying to do and why.

Which brings up an important point. You've not said one word why you're trying to write a security exit. So we can't advise you on the path to follow. You need to provide a few details of what you're trying to achieve and why you feel the in-built security features of WMQ (like the SSL support) do not meet your needs to get advice.
_________________
Honesty is the best policy.
Insanity is the best defence.
joaquini
Posted: Fri Jul 01, 2011 7:56 am

Newbie

Joined: 01 Jul 2011
Posts: 9

Thanks a lot for your prompt response.

This is my situation:

I have a doubt about WMQ and I would like to ask it. We are looking to establish security on a channel of CHLTYPE(SVRCONN). The situation here is: the clients use Java applications (JMS), and they normally use the channel SYSTEM.DEF.SVRCONN to connect to the queue managers. There are no restrictions on this channel, therefore the channel is vulnerable. The client doesn't send a user and password from the client side to connect to the queue manager, so the userid that is sent is the authenticated user the client is logged in to the system as.
I did tests using the MCAUSER parameter on the newly defined channel and it works fine, but the problem here is that if someone knows the channel name, any other user can access the MQ objects.
I was investigating a solution where the channel authenticates the user and password, and even restricts the client IP as well. The documentation says that one of the solutions is to use security exits. I was checking this part, but it involves C programming and MQ variables. I understand that once the C program is done and the set of policies is established, we need to indicate it in the channel parameters SCYEXIT and SCYDATA. I tried to understand how to link the variables with the MQ C program in order to adjust my solution, but I haven't had success. My question here is: do you have some examples of security exits that fit our solution?

Also, according to your comment, I will check the programming section and the information I need to read.
I know C and a little bit of C++; do I need to know more C++?
Thanks a lot.
Vitor
Posted: Fri Jul 01, 2011 8:19 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

joaquini wrote:
they normally use the channel (SYSTEM.DEF.SVRCONN) to connect to queue managers


Point one - no application should use any SYSTEM object. Define a discrete SVRCONN for each application.

joaquini wrote:
the problem here is if someone knows the channel name any other user can access to the MQ objects.


Point two - the MCAUser should allow access only to the WMQ objects needed by the application in question, and only for the functions it needs (it shouldn't have get authority to a queue it only puts to).

Point three - if you're using SSL they need the correct credentials as well as the channel name.

joaquini wrote:
I was investigating a solution that the channel authenticate the user and password, even to restrict the ip-client as well


Point four - if you want to restrict ports, use BlockIP2.

joaquini wrote:
My question here is do you have some examples of security exits to fit our solution?


No, because using the inbuilt facilities removes the need for such an exit.

IMHO you'll spend much less time and expose yourself to much less risk simply setting your WMQ estate up in accordance with security best practice than you will trying to patch it up with an exit.
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Fri Jul 01, 2011 9:23 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

To secure a queue manager using built-in facilities, you do the following things:
  1. create a set of application-level ids on the qmgr box
  2. create a corresponding set of MQ setmqaut profiles to ensure that the relevant applications can only access the objects they need.
  3. create a set of SVRCONN channels for each application.
  4. Set the MCAUSER on each SVRCONN to the relevant application id
  5. set the MCAUSER on all other channels to an ID that does not exist
  6. create an SSL Cert for each application, with a DN that is tied to the application.
  7. set the SSLPEER on each SVRCONN to only match the DN for the application
  8. configure the applications to use SSL with their specific certificate.


No application can connect to the wrong channel. All applications are only allowed to access their own needed resources. All applications are fully identified by the SSL certificate.

You then merely have to have sufficient OS level security and operational security to ensure that the certificates aren't misused by other teams.
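mqjeff's list above, worked through as an added example that is not part of the thread and not IBM's, BlockIP2's or anyone else's tooling: a POSIX shell script that generates the MQSC and setmqaut commands for one application, covering steps 2 to 5 and 7 (step 1, creating the OS ids, step 6, issuing the certificate, and step 8, configuring the client, are outside what it does). It also covers Vitor's points one to three. The queue manager name QM1, the application ORDERAPP with OS id orderapp and queue ORDER.IN, the DN CN=ORDERAPP,O=EXAMPLE and the non-existent MCAUSER NOACCESS are all constructed placeholders, and TLS_RSA_WITH_AES_128_CBC_SHA is just one CipherSpec that MQ 7 supports; the client must be configured with the matching cipher suite and its own certificate.

```shell
#!/bin/sh
# Added example, not code from the thread or from IBM: prints the MQSC and
# setmqaut commands that implement the per-application lockdown described
# above for one application. Every name below (QM1, ORDERAPP, orderapp,
# ORDER.IN, the DN, NOACCESS, the CipherSpec) is a constructed placeholder.

QMGR="${QMGR:-QM1}"

# Steps 3, 4 and 7: one SVRCONN per application, pinned to the app's OS id
# (MCAUSER) and to its certificate DN (SSLPEER), client certificate required.
# Arguments: <channel-prefix> <app-id> <cert-DN>
app_svrconn_mqsc() {
  printf "DEFINE CHANNEL('%s.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +\n" "$1"
  printf "  MCAUSER('%s') +\n" "$2"
  printf "  SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) +\n"
  printf "  SSLPEER('%s') REPLACE\n" "$3"
}

# Step 5: every other SVRCONN gets an MCAUSER that does not exist on the box,
# so a client that guesses a channel name still gets nothing from it.
# Arguments: channel names to neutralise (the SYSTEM.* defaults at minimum)
other_svrconn_mqsc() {
  for chl in "$@"; do
    printf "ALTER CHANNEL('%s') CHLTYPE(SVRCONN) MCAUSER('NOACCESS')\n" "$chl"
  done
}

# Step 2: least-privilege setmqaut profiles. The app may connect and put to
# its one queue; it gets no +get because it only puts (Vitor's point two).
# Arguments: <app-id> <queue-name>
app_setmqaut_cmds() {
  printf "setmqaut -m %s -t qmgr -p %s +connect +inq\n" "$QMGR" "$1"
  printf "setmqaut -m %s -t queue -n %s -p %s +put +inq\n" "$QMGR" "$2" "$1"
}

# Write both artefacts for one application into the current directory:
# <prefix>.mqsc for runmqsc and <prefix>.setmqaut.sh for the shell.
# Arguments: <channel-prefix> <app-id> <queue-name> <cert-DN>
write_app_plan() {
  {
    app_svrconn_mqsc "$1" "$2" "$4"
    other_svrconn_mqsc SYSTEM.DEF.SVRCONN SYSTEM.AUTO.SVRCONN
  } > "$1.mqsc"
  app_setmqaut_cmds "$2" "$3" > "$1.setmqaut.sh"
}

# Stand-alone use:
#   sh lockdown.sh ORDERAPP orderapp ORDER.IN 'CN=ORDERAPP,O=EXAMPLE'
# then review the two files and apply them with
#   runmqsc QM1 < ORDERAPP.mqsc ; sh ORDERAPP.setmqaut.sh
if [ "$#" -ge 4 ]; then
  write_app_plan "$1" "$2" "$3" "$4"
fi
```

Two things to check before applying the output: on UNIX, MQ 7.0 authorises by group, so `setmqaut -p orderapp` actually grants to the primary group of orderapp, and each application id therefore wants its own primary group; and ALTER fails for a channel that does not exist, so only list SVRCONNs that are really defined on the queue manager (SYSTEM.ADMIN.SVRCONN, for instance, exists only if something created it).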
joaquini
Posted: Tue Jul 05, 2011 8:57 am

Newbie

Joined: 01 Jul 2011
Posts: 9

Thanks Vitor and mqjeff.

I will now investigate the terms I found in your instructions, like:
SSL (I have not implemented this feature)
BlockIP2
Security best practices
DN

To implement security, I will leave the exit program investigation.

Thanks again.
Vitor
Posted: Tue Jul 05, 2011 9:19 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

joaquini wrote:
I will leave the exit programs investigation


Good plan.

If you decide that the inbuilt facilities identified above don't meet your requirements, you'd be well advised to recommence your exit program investigation with a pre-written solution such as Roger's before rolling your own. As your wheel may well not roll as well as his.

(Other products are available, no endorsement is intended of any product and no warranty express or implied is accepted for any loss or damage howsoever caused by any product selected as a result, etc, etc, blah, blah, blah)
_________________
Honesty is the best policy.
Insanity is the best defence.
joaquini
Posted: Fri Aug 19, 2011 6:52 am

Newbie

Joined: 01 Jul 2011
Posts: 9

Hello team

I'm testing BlockIP, but the security exit is rejecting everything, even when I say in the SCYDATA that all is permitted. This is my environment and my results:

dis chl(TO.CIMQSVCDEV1I)
16 : dis chl(TO.CIMQSVCDEV1I)
AMQ8414: Display Channel details.
CHANNEL(TO.CIMQSVCDEV1I) CHLTYPE(SVRCONN)
ALTDATE(2011-08-19) ALTTIME(10.37.46)
COMPHDR(NONE) COMPMSG(NONE)
DESCR(This is the channel security test)
HBINT(300) KAINT(AUTO)
MAXINST(999999999) MAXINSTC(999999999)
MAXMSGL(4194304) MCAUSER( )
MONCHL(QMGR) RCVDATA( )
RCVEXIT( ) SCYDATA(10.10.10.*; )
SCYEXIT(/var/mqm/exits64/BlockIP2(BlockExit))
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(REQUIRED)
SSLCIPH( ) SSLPEER( )
TRPTYPE(TCP)


This is the exception I got from the client:

Exception in thread "main" org.springframework.jms.UncategorizedJmsException: Uncategorized exception occured during JMS processing; nested exception is javax.jms.JMSException: MQJMS2005: failed to create MQQueueManager for '10.10.10.14:test'; nested exception is com.ibm.mq.MQException: MQJE001: An MQException occurred: Completion Code 2, Reason 2009
MQJE016: MQ queue manager closed channel immediately during connect
Closure reason = 2009

at org.springframework.jms.support.JmsUtils.convertJmsAccessException(JmsUtils.java:308)
at org.springframework.jms.support.JmsAccessor.convertJmsAccessException(JmsAccessor.java:168)
at org.springframework.jms.core.JmsTemplate.execute(JmsTemplate.java:474)
at org.springframework.jms.core.JmsTemplate.send(JmsTemplate.java:548)
at org.springframework.jms.core.JmsTemplate.send(JmsTemplate.java:534)
at com.ge.trans.b2brouter.JmsService.sendMessage(JmsService.java:41)
at com.ge.trans.b2brouter.SampleJMSClient.main(SampleJMSClient.java:30)
Caused by: javax.jms.JMSException: MQJMS2005: failed to create MQQueueManager for '10.10.10.14:test'
at com.ibm.mq.jms.services.ConfigEnvironment.newException(ConfigEnvironment.java:644)
at com.ibm.mq.jms.MQConnection.createQM(MQConnection.java:2591)
at com.ibm.mq.jms.MQConnection.createQMNonXA(MQConnection.java:1936)
at com.ibm.mq.jms.MQQueueConnection.<init>(MQQueueConnection.java:161)
at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:222)
at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:125)
at com.ibm.mq.jms.MQQueueConnectionFactory.createConnection(MQQueueConnectionFactory.java:1058)
at org.springframework.jms.connection.SingleConnectionFactory.doCreateConnection(SingleConnectionFactory.java:343)
at org.springframework.jms.connection.SingleConnectionFactory.initConnection(SingleConnectionFactory.java:290)
at org.springframework.jms.connection.SingleConnectionFactory.createConnection(SingleConnectionFactory.java:227)
at org.springframework.jms.support.JmsAccessor.createConnection(JmsAccessor.java:184)
at org.springframework.jms.core.JmsTemplate.execute(JmsTemplate.java:461)
... 4 more

I tried many combinations of the parameters SCYEXIT and SCYDATA according to the documentation for BlockIP, and all of them reject the connection. When I leave the parameter SCYEXIT blank I can put messages in my qlocal TEST.

I have MQ v7 fix pack 5; my OS is Red Hat Linux 5.4.
Any advice is welcome.
joaquini
Posted: Mon Aug 22, 2011 7:10 am

Newbie

Joined: 01 Jul 2011
Posts: 9

Team

I fixed the problem; let me paste the configuration of my channel:
dis CHANNEL(TO.CIMQSVCDEV1I)
15 : dis CHANNEL(TO.CIMQSVCDEV1I)
AMQ8414: Display Channel details.
CHANNEL(TO.CIMQSVCDEV1I) CHLTYPE(SVRCONN)
ALTDATE(2011-08-22) ALTTIME(10.49.21)
COMPHDR(NONE) COMPMSG(NONE)
DESCR(This is the channel security test)
HBINT(300) KAINT(AUTO)
MAXINST(999999999) MAXINSTC(999999999)
MAXMSGL(4194304) MCAUSER( )
MONCHL(QMGR) RCVDATA( )
RCVEXIT( )
SCYDATA(FN=/var/mqm/exits/Blockspec.txt;)
SCYEXIT(/var/mqm/exits64/BlockIP2(BlockExit))

SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(REQUIRED)
SSLCIPH( ) SSLPEER( )
TRPTYPE(TCP)

Thanks a lot for your help.
Let's close this case.