Security exits

Use a security exit to control access to a target destination, as defined by the Destination route property. The security exit is called at the point when MQIPT receives a connection request from a client, but before it makes the connection to the target destination.

Based on the initial connection properties, the security exit decides whether the connection is allowed to complete.

When a route is started, the security exit is called in order to initialize and to make itself ready to process a connection request. The initialization process should be used to load any user data and prepare this data for quick and easy access, thereby minimizing the time taken to process a connection request.

Each route can have its own security exit.

  • The SecurityExit property is used to enable/disable the user-defined security exit.
  • The SecurityExitName property is used to define the class name of the user-defined security exit.
  • The SecurityExitPath property is used to define the directory name containing the class file. If this property is not set, then it is assumed the class file will be found in the exits subdirectory. The SecurityExitPath can also define the name of a JAR file containing the user-defined security exit.
  • The SecurityExitTimeout property is used by MQIPT to determine how long it should wait for a response from the security exit when validating a connection request.

See MQIPT route properties for details of the security exit properties.

MQIPT uses the SecurityExit class to call a user-defined security exit. This class must be extended by the user-defined security exit and most of its methods overridden to provide the functionality required. A SecurityExitResponse object is used to pass back data to MQIPT and this data is used by MQIPT to decide if the connection request should be accepted or rejected. The SecurityExitResponse object can also contain a new destination and destination port address, used to override the route defined by the security exit properties.

Three sample security exits are provided to show you how a security exit can be implemented.

  • SampleSecurityExit shows how to control access to an IBM MQ queue manager, based on the name of the IBM MQ channel. It allows only a connection with a channel name starting with the string "MQIPT." See Use a security exit for more information.
  • SampleRoutingExit allows dynamic routing of client connection requests to a pool of defined IBM MQ servers, each server hosting a queue manager of the same name and same attributes. The sample includes a configuration file that contains a list of server names. See Routing client connection requests to IBM MQ queue manager servers by using security exits for more information.
  • SampleOneRouteExit allows dynamic routing to an IBM MQ queue manager that is derived from the IBM MQ channel name used in the connection request. The sample includes a configuration file that contains a map of queue manager names to server names. See Dynamically routing client connection requests for more information.

Note: MQIPT runs in a single JVM so a user-defined security exit might jeopardize the normal operation of MQIPT in one of these ways:

  • Affect system resources
  • Generate bottlenecks
  • Degrade performance

We should test the effects of our security exit extensively before implementing it in a production environment.

Parent topic: Configure IBM MQ Internet Pass-Thru