Use a security exit

In this scenario, we can use a supplied sample security exit, called SampleSecurityExit, so that only client connections that use a channel name starting with the characters MQIPT. are allowed.


Before starting

  • Before you start to use this scenario, make sure that we have completed the prerequisite tasks listed in Getting started with IBM MQ Internet Pass-Thru.
  • Install JavaJava 8.0 JDK.
  • Add the Java bin subdirectory to the PATH environment variable.


The sample exit used in this scenario is SampleSecurityExit.java. It is provided with MQIPT in the samples/exits subdirectory of the MQIPT installation directory.

If we use the suggested server connection channel name of MQIPT.CONN.CHANNEL (as used in most of these scenarios), the client connection will be allowed to complete and an IBM MQ message can be placed on the queue.

To demonstrate that the security exit is working as expected, define another server connection channel with any name that does not start with the characters MQIPT. (for example, TEST.CONN.CHANNEL) and try the amqsputc command again, but having changed the MQSERVER environment variable to use the new channel name. This time the connection will be refused and a 2059 (MQRC_Q_MGR_NOT_AVAILABLE) error will be returned.

Figure 1. Security exit network diagram

This diagram shows the connection flow from the IBM MQ client (called client1.company1.com on port 1415) through MQIPT to the IBM MQ server (called server1.company2.com on port 1414).


Procedure

To use a security exit, complete the following steps:

  1. On the MQIPT computer:
    1. Create a directory called exits in the MQIPT home directory by issuing the following command in a command prompt:
      md C:\mqiptHome\exits
    2. Enter the following commands to compile the exit. You do not have to do this if you have not changed the exit code as the compiled sample exit is supplied with MQIPT.
      C:
      cd \mqipt\samples\exits
      javac -classpath C:\mqipt\lib\com.ibm.mq.ipt.jar;. SampleSecurityExit.java
    3. Enter the following command to copy the compiled exit class file SampleSecurityExit.class to the C:\mqiptHome\exits directory:
      copy C:\mqipt\samples\exits\SampleSecurityExit.class C:\mqiptHome\exits
    4. Edit mqipt.conf and add a route definition:
      [route]
      ListenerPort=1415
      Destination=server1.company2.com
      DestinationPort=1414
      SecurityExit=true
      SecurityExitName=SampleSecurityExit
    5. Open a command prompt and start MQIPT:
      C:\mqipt\bin\mqipt C:\mqiptHome -n ipt1
      where C:\mqiptHome indicates the location of the MQIPT configuration file, mqipt.conf, and ipt1 is the name to be given to the instance of MQIPT. The following messages indicate that MQIPT has started successfully:
      5724-H72 (C) Copyright IBM Corp. 2000, 2020 All Rights Reserved
      MQCPI001 IBM MQ Internet Pass-Thru V9.2.0.0 starting
      MQCPI004 Reading configuration information from mqipt.conf
      MQCPI152 MQIPT name is ipt1
      MQCPI021 Password checking has been enabled on the command port
      MQCPI011 The path C:\mqiptHome\logs will be used to store the log files
      MQCPI006 Route 1415 has started and will forward messages to :
      MQCPI034 ....server1.company2.com(1414)
      MQCPI035 ....using MQ protocol
      MQCPI079 ....using security exit C:\mqiptHome\exits\SampleSecurityExit
      MQCPI080 ......and timeout of 30 seconds
      MQCPI078 Route 1415 ready for connection requests

  2. At a command prompt on the IBM MQ client system, enter the following commands:
    1. Set the MQSERVER environment variable:
      SET MQSERVER=MQIPT.CONN.CHANNEL/tcp/10.9.1.2(1415)
    2. Put a message:
      amqsputc MQIPT.LOCAL.QUEUE MQIPT.QM1
      Hello world
      Press Enter twice after typing the message string.
    3. Get the message:
      amqsgetc MQIPT.LOCAL.QUEUE MQIPT.QM1
      The message, "Hello world" is returned.

Parent topic: Getting started with IBM MQ Internet Pass-Thru