Readme for sample security exit programs

WebSphere MQ Integrator 2.1 provides the capability for the user to write
two security exit programs to enable security for the MQ connection
between the Control Center and the configuration manager queue manager.
Details of this function are given in the WebSphere MQ Integrator
Administration Guide, Chapter 6 "Setting up Security", in the section
"Securing Control Center Connections", and it is recommended that you
read this section first.
Two sample exit programs have been provided here to give an example of
how the exit programs can be written to retrieve password information
from the Control Center user and verify it with the NT operating system.

The programs also give examples of:

- sending and receiving data between exits, using the AgentBuffer
- using the exit program's own data area, the ExitUserArea
- setting the MCAUserIdentifier field

The two exit programs are:

- pwQMSecExit.c   - the queue manager exit program
- pwCCSecExit.java - the Control Center exit program
The following table gives a brief overview of the exchanges between the
two exit programs, showing the ExitResponse each returns when the
userid/password are successfully verified:

Exit program at Control Center (pwCCSecExit.java)  | Exit program at queue manager (pwQMSecExit.c)
---------------------------------------------------+---------------------------------------------------
Invoked with MQXR_INIT                             | Invoked with MQXR_INIT
Responds with MQXCC_OK                             | Responds with MQXCC_OK
---------------------------------------------------+---------------------------------------------------
Invoked with MQXR_INIT_SEC                         |
(sends client userid in agent buffer)              |
Responds with MQXCC_SEND_AND_REQUEST_SEC_MSG       |
---------------------------------------------------+---------------------------------------------------
                                                   | Invoked with MQXR_SEC_MSG
                                                   | (saves userid in ExitUserArea and sends
                                                   | confirmation message in agent buffer)
                                                   | Responds with MQXCC_SEND_AND_REQUEST_SEC_MSG
---------------------------------------------------+---------------------------------------------------
Invoked with MQXR_SEC_MSG                          |
(checks confirmation message matches expected      |
message and prompts user for password; sends       |
password in agent buffer)                          |
Responds with MQXCC_SEND_SEC_MSG                   |
---------------------------------------------------+---------------------------------------------------
                                                   | Invoked with MQXR_SEC_MSG
                                                   | (queries NT to verify userid and password; if
                                                   | verified, checks the MCAUserIdentifier field and,
                                                   | if it is not set, sets it to the Control Center
                                                   | client userid)
                                                   | Responds with MQXCC_OK (if userid/password verified)
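The exchange in the table above, simulated in C as an added example that is not part of the sample programs: both exits are plain functions driven in the order shown, the reason/response codes are local stand-ins for the cmqxc.h constants, the confirmation message and the ccuser/s3cret credential table are constructed, and MQXCC_SUPPRESS_FUNCTION is assumed as the failure response (the README states only the success responses). It also shows the two checks a reviewer would look for: a bounded copy into the 16-byte ExitUserArea, and MCAUserIdentifier set only when it is not already set.

```c
#include <stdio.h>
#include <string.h>
/* Local stand-ins for the exit reason/response codes; a real exit takes them from cmqxc.h. */
enum { XR_INIT, XR_INIT_SEC, XR_SEC_MSG };
enum { XCC_OK, XCC_SUPPRESS_FUNCTION, XCC_SEND_AND_REQUEST_SEC_MSG, XCC_SEND_SEC_MSG };
typedef struct { char data[64]; size_t len; } AgentBuffer;  /* the buffer the two exits exchange */
typedef struct { char user[16]; } ExitUserArea;            /* 16 bytes, like MQCXP.ExitUserArea */
typedef struct { char mcaUser[13]; } ChannelDef;            /* MCAUserIdentifier: 12 chars, NUL-terminated here */
static const char CONFIRM[] = "USERID-RECEIVED";            /* constructed confirmation message */
static void put(AgentBuffer *ab, const char *s) { ab->len = strlen(s); memcpy(ab->data, s, ab->len); }
static int bufeq(const AgentBuffer *ab, const char *s) { return ab->len == strlen(s) && !memcmp(ab->data, s, ab->len); }
/* Constructed credential table standing in for the NT LogonUser call; not a real check. */
static int demo_verify(const char *user, const char *pw) { return !strcmp(user, "ccuser") && !strcmp(pw, "s3cret"); }
/* Control Center side, mirroring pwCCSecExit.java; the password is a parameter instead of a prompt. */
int cc_exit(int reason, AgentBuffer *ab, const char *userid, const char *password) {
    if (reason == XR_INIT) return XCC_OK;
    if (reason == XR_INIT_SEC) { put(ab, userid); return XCC_SEND_AND_REQUEST_SEC_MSG; }
    if (reason == XR_SEC_MSG && bufeq(ab, CONFIRM)) { put(ab, password); return XCC_SEND_SEC_MSG; }
    return XCC_SUPPRESS_FUNCTION;  /* wrong confirmation or unexpected call: close the channel (assumed) */
}
/* Queue manager side, mirroring pwQMSecExit.c: first MQXR_SEC_MSG carries the userid, second the password. */
int qm_exit(int reason, AgentBuffer *ab, ExitUserArea *ua, ChannelDef *cd) {
    char pw[64];
    if (reason == XR_INIT) return XCC_OK;
    if (reason != XR_SEC_MSG || ab->len == 0 || ab->len >= sizeof pw) return XCC_SUPPRESS_FUNCTION;
    if (ua->user[0] == '\0') {                                 /* userid: bounded copy into the 16-byte area */
        if (ab->len >= sizeof ua->user) return XCC_SUPPRESS_FUNCTION;
        memcpy(ua->user, ab->data, ab->len); ua->user[ab->len] = '\0';
        put(ab, CONFIRM);
        return XCC_SEND_AND_REQUEST_SEC_MSG;
    }
    memcpy(pw, ab->data, ab->len); pw[ab->len] = '\0';        /* password arrives in the clear, as the note says */
    if (!demo_verify(ua->user, pw)) return XCC_SUPPRESS_FUNCTION;
    if (cd->mcaUser[0] == '\0') snprintf(cd->mcaUser, sizeof cd->mcaUser, "%s", ua->user); /* only if not set */
    return XCC_OK;
}
/* Drives the six invocations in the order the table shows; returns 1 when the channel would stay open. */
int run_handshake(const char *userid, const char *password, const char *existing_mca, char mca_out[13]) {
    AgentBuffer ab = {{0}, 0}; ExitUserArea ua = {{0}}; ChannelDef cd;
    snprintf(cd.mcaUser, sizeof cd.mcaUser, "%s", existing_mca);
    if (cc_exit(XR_INIT, &ab, userid, password) != XCC_OK) return 0;
    if (qm_exit(XR_INIT, &ab, &ua, &cd) != XCC_OK) return 0;
    if (cc_exit(XR_INIT_SEC, &ab, userid, password) != XCC_SEND_AND_REQUEST_SEC_MSG) return 0;
    if (qm_exit(XR_SEC_MSG, &ab, &ua, &cd) != XCC_SEND_AND_REQUEST_SEC_MSG) return 0;
    if (cc_exit(XR_SEC_MSG, &ab, userid, password) != XCC_SEND_SEC_MSG) return 0;
    if (qm_exit(XR_SEC_MSG, &ab, &ua, &cd) != XCC_OK) return 0;
    strcpy(mca_out, cd.mcaUser); return 1;
}
```

In the simulation an empty string stands for an unset MCAUserIdentifier; the real field is space-padded, so a real exit tests for blanks instead.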
Setup required to run these programs:

- Set the machine or PDC name you will be using to verify users against
  in the pwQMSecExit.c program. In the program, search for the array
  validSV and assign the name of your local machine or PDC to this
  variable. If you have the -d SecurityDomainName set for your
  configuration manager then use this name. If you change security
  domain at any time you will need to update and recompile this program.

- Compile the queue manager exit program pwQMSecExit.c. Use the provided
  command file SecExit.cmd, passing in the name of the exit program
  (you will need to set the MQSeries product tools\c\include directory
  in your INCLUDE path first). For example, from the command line enter:
  SecExit pwQMSecExit

- Compile the Control Center exit program, pwCCSecExit.java, in the
  product Tools directory (you will need the MQSeries jar file
  com.ibm.mq.jar in your CLASSPATH first). For example, from the command
  line enter:
  javac pwCCSecExit.java

- Set the Control Center channel parameter SCYEXIT to the name of the
  queue manager exit program. So if the exit program was in directory
  d:\test1 then, using runmqsc to start MQSC commands for the
  configuration manager queue manager, enter the following command at
  the MQSC command prompt:
  alter channel(SYSTEM.BKR.CONFIG) CHLTYPE(SVRCONN) SCYEXIT('d:\test1\pwQMSecExit(CHANNELEXIT)')

- Because the pwQMSecExit program calls the NT LogonUser call to verify
  the userid and password, you must ensure the listener for the Control
  Center is started by a user which has the NT privilege 'Act as part of
  the Operating System'. You should ensure that the userid which is
  starting the listener has this privilege set - you can check this by
  going to User Manager->Policies->User Rights->select Advanced on the
  User Rights Policy pane->select Act as part of the Operating System.

- Start the configuration manager and ensure the listener is running.

- From the product Tool directory enter: mqsilccsec pwCCSecExit
  When prompted for a password, type your password and then hit enter.
Additional Notes:

Note: In this sample the password is sent from the Control Center exit
program to the queue manager exit program in the agent buffer in the
clear. For additional security you should encrypt the password before
sending it in the agent buffer.

Note: Both programs issue error messages for debug purposes:

- for pwCCSecExit these are visible if the mqsilccsec.bat file is
  started with the trace level set to 2.
- for pwQMSecExit these are visible if the listener is run using the
  command runmqlsr.