WebSphere MQ for Windows(R) supplies a security exit, which can be used on both message and MQI channels. The security exit uses the Security Support Provider Interface (SSPI), which provides the integrated security facilities of Windows platforms.
The security exit provides the following identification and authentication services:
This service is typically used on an MQI channel to enable a server queue manager to authenticate a WebSphere MQ client application. A client application is identified by the user ID associated with the process that is running.
To perform the authentication, the security exit at the client end of a channel acquires an authentication token from NTLM and sends the token in a security message to its partner at the other end of the channel. The partner security exit passes the token to NTLM, which checks that the token is authentic. If the partner security exit is not satisfied with the authenticity of the token, it instructs the MCA to close the channel.
This service can be used on both message and MQI channels. On a message channel, it provides mutual authentication of the two queue managers. On an MQI channel, it enables the server queue manager and the WebSphere MQ client application to authenticate each other. A queue manager is identified by its name prefixed by the string ibmMQSeries/. A client application is identified by the user ID associated with the process that is running.
To perform the mutual authentication, the initiating security exit acquires an authentication token from the Kerberos security server and sends the token in a security message to its partner. The partner security exit passes the token to the Kerberos server, which checks that it is authentic. The Kerberos security server generates a second token, which the partner sends in a security message to the initiating security exit. The initiating security exit then asks the Kerberos server to check that the second token is authentic. During this exchange, if either security exit is not satisfied with the authenticity of the token sent by the other, it instructs the MCA to close the channel.
The security exit is supplied in both source and object format. You can use the source code as a starting point for writing your own channel exit programs or you can use the object module as supplied. The object module has two entry points, one for one way authentication using NTLM authentication support and the other for two way authentication using Kerberos authentication services.
For more information about how the SSPI channel exit program works, and for instructions on how to implement it, see the WebSphere MQ Application Programming Guide.
Notices |
Downloads |
Library |
Support |
Feedback
![]() ![]() |
ls1sspiexit |