The com.ibm.mq.ipt.exit.SecurityExit class

This class and its public methods must be extended by the user-defined security exit to get access to some common data and allow some MQIPT initialization to take place. Before each method is called by MQIPT, some properties will be made available for the method to use. Their values can be retrieved by using the appropriate get methods defined in this class.


Methods

    public int init(IPTTrace)
    The following properties are available:

    • listener port
    • destination
    • destination port
    • version

    The init method is called by MQIPT when a route is started. On return from this method the security exit must be ready to validate a connection request. Valid return codes are ExitRc.OK or ExitRc.INIT_ERROR.

    public int refresh(IPTTrace)
    The following properties are available:

    • listener port
    • destination
    • destination port

    The refresh method is called by MQIPT when the MQIPT configuration is refreshed. This action is usually performed when a property has been changed in the configuration file. MQIPT reloads all the properties from the configuration file to determine which properties have been changed and whether a route needs to be restarted.

    This method should perform a reload of any external data it uses; that is, data loaded by the init method. Valid return codes are ExitRc.OK or ExitRc.REFRESH_ERROR.

    public void close(IPTTrace)
    The following properties are available:

    • listener port
    • destination
    • destination port

    The close method is called by MQIPT when it is stopping. This method should free any system resources that the exit has acquired during its operation. MQIPT waits for this method to complete before shutting down.

    This method is also called if a security exit was previously enabled, but has now been disabled in the configuration file.

    public SecurityExitResponse validate(IPTTrace)
    The following properties are available:

    • listener port
    • destination
    • destination port
    • timeout
    • client IP address
    • client port address
    • channel name
    • queue manager name

    The validate method is called by MQIPT when it receives a connection request to validate. The channel name and queue manager name are not available if the SSLProxyMode property is enabled: this mode is only used to tunnel TLS data, so the initial data flow from which these values are usually obtained is unreadable.

The security exit must return a SecurityExitResponse object, containing the following information:

  • reason code (must be set)
  • new destination address (optional)
  • new destination listener port address (optional)
  • message (optional)

The reason code determines whether the connection is accepted or rejected by MQIPT. The newDestination and newDestinationPort fields can optionally be set to define a new target queue manager. If these properties are not set, the route Destination and DestinationPort properties defined in the configuration file are used. Any message returned is appended to the connection log file entry.

The following methods are supported for obtaining the values of MQIPT configuration properties:

    public int getListenerPort()
    retrieves the route listener port - as defined by the ListenerPort property

    public String getDestination()
    retrieves the destination address - as defined by the Destination property

    public int getDestinationPort()
    retrieves the destination listener port address - as defined by the DestinationPort property

    public String getClientIPAddress()
    retrieves the IP address of the client making the connection request

    public int getClientPortAddress()
    retrieves the port address used by the client making the connection request

    public int getTimeout()
    retrieves the timeout value, that is, how long MQIPT will wait for the security exit to validate a request - as defined by the SecurityExitTimeout property

    public int getConnThreadID()
    retrieves the connection thread ID handling the connection request, which is useful for debugging purposes

    public String getChannelName()
    retrieves the IBM MQ channel name used in the connection request

    public String getQMName()
    retrieves the IBM MQ queue manager name used in the connection request

    public boolean getTimedout()
    can be used by the security exit to determine if the timeout has expired
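
The following is an added example, not IBM code or part of the MQIPT samples: decision logic that a validate implementation could delegate to, written so that the missing channel and queue manager names on an SSLProxyMode route cannot slip past an allowlist. The RoutePolicy class, the Decision enum, the tunnelRoute flag, treating null or empty as "not available", and all sample addresses and names are assumptions; turning the decision into a SecurityExitResponse reason code is left to the exit.

```java
import java.util.Set;

// Added example, not IBM code. All addresses and names are constructed samples.
public class RoutePolicy {
    enum Decision { ACCEPT, REJECT }

    private final Set<String> clients, channels, qmgrs;
    // Assumption: the operator sets this for routes that have SSLProxyMode enabled.
    private final boolean tunnelRoute;

    RoutePolicy(Set<String> clients, Set<String> channels, Set<String> qmgrs, boolean tunnelRoute) {
        this.clients = clients;
        this.channels = channels;
        this.qmgrs = qmgrs;
        this.tunnelRoute = tunnelRoute;
    }

    // Null-safe membership test: sets built with Set.of(...) throw on contains(null).
    private static boolean in(Set<String> allowed, String value) {
        return value != null && !value.isEmpty() && allowed.contains(value);
    }

    // Arguments correspond to getClientIPAddress(), getChannelName(), getQMName(), getTimedout().
    Decision decide(String clientIp, String channel, String qmName, boolean timedOut) {
        if (timedOut) return Decision.REJECT;               // this example fails closed on expiry
        if (!in(clients, clientIp)) return Decision.REJECT; // unknown or missing client address
        if (tunnelRoute) return Decision.ACCEPT;            // names unreadable; address is the only signal
        // Plain route: a missing name must not bypass the allowlists.
        return in(channels, channel) && in(qmgrs, qmName) ? Decision.ACCEPT : Decision.REJECT;
    }

    public static void main(String[] args) {
        Set<String> ips = Set.of("192.0.2.10");
        RoutePolicy plain = new RoutePolicy(ips, Set.of("APP.SVRCONN"), Set.of("QM1"), false);
        RoutePolicy tunnel = new RoutePolicy(ips, Set.of(), Set.of(), true);

        System.out.println(plain.decide("192.0.2.10", "APP.SVRCONN", "QM1", false)); // ACCEPT
        System.out.println(plain.decide("192.0.2.10", null, null, false));           // REJECT
        System.out.println(plain.decide("192.0.2.10", "APP.SVRCONN", "QM1", true));  // REJECT
        System.out.println(tunnel.decide("192.0.2.10", null, null, false));          // ACCEPT
        System.out.println(tunnel.decide("198.51.100.7", null, null, false));        // REJECT
    }
}
```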
