The SSPI channel exit program on Windows
IBM MQ for Windows supplies a security exit program, which can be used on both message and MQI channels. The exit is supplied as source and object code, and provides one-way and two-way authentication.
The security exit uses the Security Support Provider Interface (SSPI), which provides the integrated security facilities of Windows platforms.
The security exit provides the following identification and authentication services:
- One way authentication
- This uses Windows NT LAN Manager (NTLM)
authentication support. NTLM allows servers to authenticate their clients. It does not allow a
client to authenticate a server, or one server to authenticate another. NTLM was designed for a
network environment in which servers are assumed to be genuine. NTLM is supported on all Windows platforms that are supported by IBM WebSphere MQ Version 7.0.
This service is typically used on an MQI channel to enable a server queue manager to authenticate an IBM MQ MQI client application. A client application is identified by the user ID associated with the process that is running.
To perform the authentication, the security exit at the client end of a channel acquires an authentication token from NTLM and sends the token in a security message to its partner at the other end of the channel. The partner security exit passes the token to NTLM, which checks that the token is authentic. If the partner security exit is not satisfied with the authenticity of the token, it instructs the MCA to close the channel.
- Two way, or mutual, authentication
- This uses Kerberos authentication services. The Kerberos protocol does not assume that servers
in a network environment are genuine. Servers can authenticate clients and other servers, and
clients can authenticate servers. Kerberos is supported on all Windows platforms that are supported by IBM WebSphere MQ Version 7.0.
This service can be used on both message and MQI channels. On a message channel, it provides mutual authentication of the two queue managers. On an MQI channel, it enables the server queue manager and the IBM MQ MQI client application to authenticate each other. A queue manager is identified by its name prefixed by the string ibmMQSeries/. A client application is identified by the user ID associated with the process that is running.
To perform the mutual authentication, the initiating security exit acquires an authentication token from the Kerberos security server and sends the token in a security message to its partner. The partner security exit passes the token to the Kerberos server, which checks that it is authentic. The Kerberos security server generates a second token, which the partner sends in a security message to the initiating security exit. The initiating security exit then asks the Kerberos server to check that the second token is authentic. During this exchange, if either security exit is not satisfied with the authenticity of the token sent by the other, it instructs the MCA to close the channel.
The security exit is supplied in both source and object format. We can use the source code as a starting point for writing your own channel exit programs or we can use the object module as supplied. The object module has two entry points, one for one way authentication using NTLM authentication support and the other for two way authentication using Kerberos authentication services.
For more information about how the SSPI channel exit program works, and for instructions on how to implement it, see Use the SSPI security exit on Windows systems.
Parent topic: Special considerations for security on Windows