MQSeries.net forum, IBM MQ Security: Setting up SSPI for MQ Server/Client connection.
Ross
Posted: Wed May 03, 2017 2:16 pm    Post subject: Setting up SSPI for MQ Server/Client connection.

Centurion

Joined: 15 Jun 2005
Posts: 127
Location: Ireland

Hi all.

I am hoping that some of you may have implemented SSPI exit in a similar manner to this, or provide an expert view. Any suggestions greatly appreciated. Thanks.

Background…
Looking to pass Windows Active Directory credentials across an MQ Client SVRCONN channel to MQ Server, so that MQ OAM can be used at Qmgr and Queue level.
SSL is already on the channel for encryption.
MQ Client Version 8.0.0.3
MQ Client Version 8.0.0.5
Client connection using CCDT – Client Channel Table.
Selected method is SSPI with NTLM.

SSPI Security Exit – amqrspin - Implemented as follows…
On Server:
Set Security Exit Name (SCYEXIT) on SVRCONN channel to ‘amqrspin(SCY_NTLM)’
Copy amqrspin.dll from C:\IBM\WebSphere MQ\bin64 to D:\IBM\MQ\exits64\Installation1 => This matches qm.ini location, although instance isn’t specified there.
Set Security Exit Name (SCYEXIT) on CLNTCONN channel to ‘amqrspin(SCY_NTLM)’ => This step is to update the CCDT (AMQCLCHL.TAB)

On Client:
Copy AMQCLCHL.TAB created above to Client workstation to replace existing one.
Copy amqrspin.dll from C:\IBM\WebSphere MQ\bin64 to C:\ProgramData\IBM\MQ\exits64\Installation1 => This matches mqclient.ini location, although instance isn’t specified there.

Results…
The first error was that the exit wasn’t in the correct location, stating that the client was running
AMQ6174: The library 'C:\ProgramData\IBM\MQ\exits\amqrspin.dll' was not found.
EXPLANATION:
The dynamically loadable library 'C:\ProgramData\IBM\MQ\exits\amqrspin.dll' was not found. Possible reasons for the error:
(a) Library is not present in the specified path.
(b) Library is present but the architecture of the library does not match the process's architecture which is '32' bit.
(c) Library is present but it has a dependency on other libraries which are not present in the same directory.

It was surprising that the error indicates that the client is 32 bit, but dspmqver confirms mode is 64-bit.
Following the error, we copied a 32 bit amqrspin.dll from another PC to C:\ProgramData\IBM\MQ\exits\Installation1 on client. This resolved this error.

Now we are getting the following error when testing our application. (The application was working before this work).
----- amqccita.c : 1209 -------------------------------------------------------
5/3/2017 23:00:26 - Process(8736.2) User(c970605) Program(iban.exe)
Host(WIN-OH1H0FEO9VI) Installation(Installation1)
VRMF(8.0.0.3)
AMQ9208: Error on receive from host ip-192-168-68-166 (192.168.68.166)(1414).

EXPLANATION:
An error occurred receiving data from ip-192-168-68-166 (192.168.68.166)(1414)
over TCP/IP. This may be due to a communications failure.
ACTION:
The return code from the TCP/IP recv() call was 10054 (X'2746'). Record these
values and tell the systems administrator.
----- amqccita.c : 4076 -------------------------------------------------------
5/3/2017 23:00:26 - Process(8736.1) User(c970605) Program(iban.exe)
Host(WIN-OH1H0FEO9VI) Installation(Installation1)
VRMF(8.0.0.3)
AMQ9213: A communications error for occurred.

EXPLANATION:
An unexpected error occurred in communications.
ACTION:
The return code from the call was 0 (X'0'). Record these values and tell the
systems administrator.
----- amqrcafa.c : 2214 -------------------------------------------------------

All the channels also end unexpectedly!!!!
And the below FDC is produced.

I’m wondering whether there is anything I’m missing in the setup. I know that SCYDATA(‘domain\user’) is an option, but I want to pass through different users’ own IDs, so I don’t believe this is necessary. I may be mistaken!!

Any help appreciated!

Cheers,
Ross.

Code:
+-----------------------------------------------------------------------------+
|                                                                             |
| WebSphere MQ First Failure Symptom Report                                   |
| =========================================                                   |
|                                                                             |
| Date/Time         :- Wed May 03 2017 22:00:23 GMT Standard Time             |
| UTC Time          :- 1493848823.528000                                      |
| UTC Time Offset   :- 60 (GMT Daylight Time)                                 |
| Host Name         :- ADS000167                                              |
| Operating System  :- Windows Server 2012 R2 Server Standard Edition, Build  |
|   9200                                                                      |
| PIDS              :- 5724H7251                                              |
| LVLS              :- 8.0.0.5                                                |
| Product Long Name :- WebSphere MQ for Windows (x64 platform)                |
| Vendor            :- IBM                                                    |
| O/S Registered    :- 1                                                      |
| Data Path         :- D:\IBM\MQ                                              |
| Installation Path :- C:\IBM\WebSphere MQ                                    |
| Installation Name :- Installation1    (1)                                   |
| License Type      :- Production                                             |
| Probe Id          :- XC130031                                               |
| Application Name  :- MQM                                                    |
| Component         :- xehExceptionHandler                                    |
| SCCS Info         :- F:\build\slot1\p800_P\src\lib\cs\pc\winnt\amqxerrn.c,  |
| Line Number       :- 767                                                    |
| Build Date        :- May 16 2016                                            |
| Build Level       :- p800-005-160516.2                                      |
| Build Type        :- IKAP - (Production)                                    |
| UserID            :- svcacc_ads_mq                                          |
| Process Name      :- C:\IBM\WebSphere MQ\bin64\amqrmppa.exe                 |
| Arguments         :- -m BRQS2BNSC2                                          |
| Addressing mode   :- 64-bit                                                 |
| Process           :- 00004108                                               |
| Thread            :- 00000003    RemoteResponder                            |
| Session           :- 00000000                                               |
| QueueManager      :- BRQS2BNSC2                                             |
| UserApp           :- FALSE                                                  |
| ConnId(1) IPCC    :- 147                                                    |
| ConnId(3) QM-P    :- 139                                                    |
| Last HQC          :- 1.6.6-221312                                           |
| Last HSHMEMB      :- 0.0.0-0                                                |
| Last ObjectName   :-                                                        |
| Major Errorcode   :- xecF_E_UNEXPECTED_SYSTEM_RC                            |
| Minor Errorcode   :- OK                                                     |
| Probe Type        :- MSGAMQ6119                                             |
| Probe Severity    :- 2                                                      |
| Probe Description :- AMQ6109: An internal WebSphere MQ error has occurred.  |
| FDCSequenceNumber :- 0                                                      |
| Comment1          :- Access Violation at address FFFFFFFFFFFFFFFF when      |
|   reading                                                                   |
|                                                                             |
+-----------------------------------------------------------------------------+
---> Stack dump for the faulting thread (0xFDC) <---
Stack Backtrace:
 # ChildEBP         RetAddr           Param#1          Param#2          Param#3          Param#4           Fn-Loc'n         : Module!Function+Offset [File Name # Line+Offset @ Address]
00 00000095929FD900 00007FFBE0621849 (00000095929FDAA0 00007FFBE0625AE0 000000959193CB30 0000000000000000) 00007FFBE0623341 : amqrspin!processSecurityMessage+0xc1<NLN:487>
01 00000095929FD970 00007FFBE06215E5 (00000095929FDAA0 000000959193CB30 00000095929FDA34 0000000000000000) 00007FFBE0621849 : amqrspin!SSPI+0x1e9<NLN:487>
02 00000095929FD9C0 00007FFBDCED71CB (0000009591916D78 00000095929FDAD0 0000009591915CD0 0000000000000061) 00007FFBE06215E5 : amqrspin!SCY_NTLM+0xc5<NLN:487>
03 00000095929FDCC0 00007FFBDCF46A57 (0000009500000002 0000009591916D58 00000095929FEF58 0000000000000352) 00007FFBDCED71CB : amqrdlla!rriAcceptSecurityReceive+0xc2b<NLN:487>
04 00000095929FEF30 00007FFBDCF485ED (00000095918EF780 0000009500000000 0000009591916D58 0000009591916D58) 00007FFBDCF46A57 : amqrdlla!rriMQIServerCall+0x78f7<NLN:487>
05 00000095929FF080 00007FFBDCFF01FE (00000095918EF702 0000000000000000 0000009591916D58 00000095929F01B5) 00007FFBDCF485ED : amqrdlla!rriMQIServerReceive+0xc1d<NLN:487>
06 00000095929FF1A0 00007FFBDCFE38F9 (0000009591916D58 00000095919414B0 0000000000000000 0000009591916D58) 00007FFBDCFF01FE : amqrdlla!rriServerAsyncRcv+0x5be<NLN:487>
07 00000095929FF230 00007FFBDCFE5E36 (0000000000000000 00000095918EFFF0 00000095919414B0 00000095918ED3F0) 00007FFBDCFE38F9 : amqrdlla!cciProcessAsyncRcv+0x1b9<NLN:487>
08 00000095929FF270 00007FFBDCFE55FD (00000095919414B0 00000095929FF380 0000000000000000 0000009591916D50) 00007FFBDCFE5E36 : amqrdlla!cciProcessUserData+0x186<NLN:487>
09 00000095929FF510 00007FFBDCFEA2F1 (0000000000000061 0000009500000000 00000095929FF330 0000000000000000) 00007FFBDCFE55FD : amqrdlla!cciProcessOne+0x13ad<NLN:487>
0A 00000095929FF540 00007FFBDCF32432 (0000000000000000 00000095918EFFF0 0000000000000000 0000009500000000) 00007FFBDCFEA2F1 : amqrdlla!ccxReceiveThreadFn+0x151<NLN:487>
0B 00000095929FFC20 00007FFBDCF8C09C (0000009500000000 0000009500000002 00000095918EF780 0000000000000000) 00007FFBDCF32432 : amqrdlla!rrxResponder+0x272<NLN:487>
0C 00000095929FFC90 00007FFBDCF8823F (00000095918ED3F0 000000959190DC00 0000000000000246 00000095918EFFF0) 00007FFBDCF8C09C : amqrdlla!ccxResponder+0x21c<NLN:487>
0D 00000095929FFCF0 00007FFBE1F24789 (00000095918EF780 00000095918ED3F0 00000095918CEAD0 00000095918CEAD0) 00007FFBDCF8823F : amqrdlla!cciResponderThread+0x11f<NLN:487>
0E 00000095929FFE40 00007FFBE1D63FEF (0000000000000000 00000095918EEA40 00000095918EEEC0 0000000000000000) 00007FFBE1F24789 : amqxcs2!ThreadMain+0x2c9<NLN:487>
0F 00000095929FFE70 00007FFBE1D64196 (00007FFBE1E01DB0 0000000000000000 0000000000000000 0000000000000000) 00007FFBE1D63FEF : MSVCR110!beginthreadex+0x107<NLN:487>
10 00000095929FFEA0 00007FFBE93913D2 (00007FFBE1D64094 00000095918EEA40 0000000000000000 0000000000000000) 00007FFBE1D64196 : MSVCR110!endthreadex+0x192<NLN:487>
11 00000095929FFED0 00007FFBEB2F54E4 (00007FFBE93913B0 0000000000000000 0000000000000000 0000000000000000) 00007FFBE93913D2 : KERNEL32!BaseThreadInitThunk+0x22<NLN:487>
12 00000095929FFF20 0000000000000000 (0000000000000000 0000000000000000 0000000000000000 0000000000000000) 00007FFBEB2F54E4 : ntdll!RtlUserThreadStart+0x34<NLN:487>
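The AMQ6174 text in the post above reports a process whose architecture is 32-bit and a search path of C:\ProgramData\IBM\MQ\exits (not exits64), which is consistent with iban.exe being a 32-bit application loading the 32-bit client libraries even though dspmqver reports a 64-bit installation; that is also why a 32-bit copy of amqrspin.dll resolved the error. The following PowerShell is an added example, not code from the thread or from IBM MQ: it reads the PE header of the application and of the exit DLL to report their bitness and the exit directory the client will search. The default paths and the installation name are the ones given in the thread; the lookup order (installation-name subdirectory first) and the location of iban.exe are assumptions.

```powershell
# Added example, not code from the thread or from IBM MQ.
# Reports the bitness of an MQ client application and of a channel exit DLL, and the
# exit directory the client searches for that bitness (ExitsDefaultPath for a 32-bit
# process, ExitsDefaultPath64 for a 64-bit one). Default paths and the installation
# name are those used in the thread; the lookup order is an assumption.

function Get-PEArchitecture {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: 'MZ' magic, and e_lfanew (offset of the PE header) at 0x3C
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not an MZ executable"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    # PE signature 'PE\0\0' reads as 0x00004550 little-endian
    if ($peOffset -lt 0 -or $peOffset + 6 -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path has no PE signature"
    }
    # IMAGE_FILE_HEADER.Machine immediately follows the 4-byte signature
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        default { 'unknown (0x{0:X4})' -f $machine }
    }
}

function Test-MQExitBitness {
    param(
        [Parameter(Mandatory)][string]$ApplicationExe,
        [string]$ExitName           = 'amqrspin',
        [string]$ExitsDefaultPath   = 'C:\ProgramData\IBM\MQ\exits',
        [string]$ExitsDefaultPath64 = 'C:\ProgramData\IBM\MQ\exits64',
        [string]$InstallationName   = 'Installation1'
    )
    $appArch = Get-PEArchitecture $ApplicationExe
    # The bitness of the running process decides which client library, and so which
    # exit path, is used. dspmqver reports the installation's mode, not the process.
    $root = if ($appArch -eq 'x86') { $ExitsDefaultPath } else { $ExitsDefaultPath64 }
    $candidates = @(
        (Join-Path $root "$InstallationName\$ExitName.dll"),   # assumed to be tried first
        (Join-Path $root "$ExitName.dll")
    )
    $found    = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    $exitArch = if ($found) { Get-PEArchitecture $found } else { $null }
    [pscustomobject]@{
        Application     = $ApplicationExe
        ApplicationArch = $appArch
        SearchedPath    = $root
        ExitFound       = $found
        ExitArch        = $exitArch
        BitnessMatches  = ($null -ne $exitArch -and $exitArch -eq $appArch)
    }
}

# Usage (the path to iban.exe is a placeholder):
# Test-MQExitBitness -ApplicationExe 'C:\apps\iban.exe' -ExitName amqrspin | Format-List
```

Run it on the client workstation against the real application executable; a result of ApplicationArch x86 with ExitArch x64, or with no exit found under the 32-bit path, is exactly the condition AMQ6174 reason (b) describes.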
exerk
Posted: Wed May 03, 2017 2:50 pm

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Moved to a more appropriate forum.

There are a few hits on Google for that Probe Id so it may be worth looking to see whether any are relevant to you.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
Posted: Wed May 03, 2017 10:53 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

Seems way too complicated to me...
Why not use the AD as an LDAP reachable with SSL to authenticate the MQ client? Or if it is an all Windows installation, just the Windows native authentication (OS)?
_________________
MQ & Broker admin
Ross
Posted: Thu May 04, 2017 12:10 am

Centurion

Joined: 15 Jun 2005
Posts: 127
Location: Ireland

Thanks Exerk. I'll try that.
Fjb_saper, would you mind elaborating?
The user is authenticated onto their PC with AD. We want to pass that credential into MQ Client and over to the server, although we don't want to leave the MCA User unsecured (blank).
Authenticating by SSL isn't really an option, as individual certs per user aren't practical.
Thanks,
Ross.
fjb_saper
Posted: Thu May 04, 2017 1:10 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

Ross wrote:
Thanks Exerk. I'll try that.
Fjb_saper, would you mind elaborating?
The user is authenticated onto their PC with AD. We want to pass that credential into MQ Client and over to the server, although we don't want to leave the MCA User unsecured (blank).
Authenticating by SSL isn't really an option, as individual certs per user aren't practical.
Thanks,
Ross.


Set up your AUTHINFO to authenticate appropriately (OS vs LDAP). Use Adopt MCA YES...
If need be use the mqccred client exit for username and password.

Have fun
_________________
MQ & Broker admin
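The setup fjb_saper outlines, written out as an added example (not from the thread and not IBM's own code): MQSC for the queue manager side, issued through runmqsc from PowerShell, followed by the mqccred credentials file on the client. The queue manager name and CONNAME come from the thread; the channel name APP.SVRCONN, the AUTHINFO name USE.OS, the user alice and the MCAUSER placeholder NOACCESS are assumptions. Two points the thread does not spell out: ALTER rather than DEFINE REPLACE is used so the SSL attributes already on the channels are kept, and mqccred (supplied from MQ 8.0.0.4) sends a stored user ID and password that the queue manager checks against the OS on each connect; unlike the SSPI exit it does not forward the Windows logon credential.

```powershell
# Added example, not code from the thread or from IBM MQ.
# Queue manager side: user ID + password checked against the Windows OS (IDPWOS), with
# the authenticated ID adopted as the MQ identity so OAM authority applies per user.
# Names other than the queue manager and CONNAME (taken from the thread) are assumptions.
$qmgr = 'BRQS2BNSC2'
$mqsc = @"
* Every client connection must present credentials, checked against Windows.
* ADOPTCTX(YES) makes the authenticated ID the context used for OAM checks.
DEFINE AUTHINFO(USE.OS) AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) CHCKLOCL(OPTIONAL) ADOPTCTX(YES) REPLACE
ALTER QMGR CONNAUTH(USE.OS)
REFRESH SECURITY TYPE(CONNAUTH)
* MCAUSER is not left blank: NOACCESS is a placeholder for an ID that holds no MQ
* authority, so nothing runs under it; the adopted ID replaces it after the password check.
* ALTER keeps the SSLCIPH and other attributes already set on the channel.
ALTER CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('NOACCESS')
* Administrative IDs are refused on this client channel.
SET CHLAUTH(APP.SVRCONN) TYPE(BLOCKUSER) USERLIST('*MQADMIN')
* Altering the CLNTCONN rebuilds the CCDT (AMQCLCHL.TAB) with the mqccred exit in place
* of amqrspin(SCY_NTLM).
ALTER CHANNEL(APP.SVRCONN) CHLTYPE(CLNTCONN) CONNAME('192.168.68.166(1414)') QMNAME('$qmgr') SCYEXIT('mqccred(ChlExit)')
DISPLAY QMGR CONNAUTH
DISPLAY AUTHINFO(USE.OS) ALL
"@
$mqsc | runmqsc $qmgr

# Client side: mqccred reads a per-user credentials file from %USERPROFILE%\.mqs and
# passes the user ID and password on MQCONN. The user name and password are placeholders.
$credPath = Join-Path $env:USERPROFILE '.mqs\mqccred.ini'
New-Item -ItemType Directory -Force -Path (Split-Path $credPath) | Out-Null
@"
QueueManager:
  Name=$qmgr
  User=alice
  Password=CHANGEME
"@ | Set-Content -LiteralPath $credPath
# runmqccred rewrites the Password= line as an obfuscated OPW= entry.
runmqccred -f $credPath
```

With this in place the MCAUSER on the SVRCONN is never the identity that reaches OAM: a connection that fails the password check is rejected by CONNAUTH, and one that passes runs as the adopted OS user, which is what the original post wanted from the SSPI exit.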