Use security exits on cluster channels

 

When a cluster-sender channel is first started, it uses only the attributes defined manually by a system administrator. When the channel is stopped and restarted, it picks up the attributes from the corresponding cluster-receiver channel definition, and the manually defined cluster-sender definition is overwritten with them, including the SecurityExit (SCYEXIT) attribute. Until that first restart, therefore, only the exit named on the cluster-sender end is in effect. Note the following:

  1. You must define a security exit on both the cluster-sender end and the cluster-receiver end of a channel for it to be effective. Even though the security exit name is later sent over from the cluster-receiver definition, the initial connection is made using the manually defined cluster-sender attributes, so that first connection must already complete a security-exit handshake.

  2. In addition to the normal security-message handshake, the security exit must validate the name of the partner queue manager, which is passed to the exit in the PartnerName field of the MQCXP structure. The exit must allow the channel to start only if that partner queue manager is authorized; the handshake alone proves that the partner runs a compatible exit, not that it is a queue manager you want in the cluster.

  3. Design the security exit on the cluster-receiver definition to be receiver initiated. If you design it as sender initiated, an unauthorized queue manager that has no security exit can join the cluster, because the receiver-side exit waits for a security message that the sender never sends and no security checks are performed. Not until the channel is stopped and restarted is the SCYEXIT name sent over from the cluster-receiver definition and full security checks made. Refer to the WebSphere MQ Intercommunication book for information about sender-initiated and receiver-initiated security exits.

  4. To view the cluster-sender channel definition that is currently in use, use the command:
    DISPLAY CLUSQMGR(queue manager) ALL

    This displays the attributes that have been sent across from the cluster-receiver definition. To view the original definition, use the command:

    DISPLAY CHANNEL(channel name) ALL

  5. If the queue managers are on different platforms, you might need to define a channel auto-definition exit (CHADEXIT) on the cluster-sender queue manager to set the SecurityExit attribute to an appropriate format for the target platform. For details of this, see Auto-definition of channels.

  6. On z/OS the security-exit load module must be in the data set specified in the CSQXLIB DD statement of the channel-initiator address-space procedure. On Windows the security-exit and channel auto-definition exit DLLs must be in the path specified in the SCYEXIT attribute of the channel definition or the CHADEXIT attribute of the queue manager definition respectively, or in the Registry.
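The partner-authorization check described in items 2 and 3 above, as an added example that is not code from the WebSphere MQ product or its documentation. It is written in C, the language security exits are normally built in, but deliberately does not include the MQ headers so that it compiles stand-alone; the only MQ facts it relies on are that a queue manager name is MQ_Q_MGR_NAME_LENGTH (48) characters, blank-padded rather than NUL-terminated, and case-sensitive. The allow list of queue manager names is constructed for the example; a real exit would call partner_authorized() with the PartnerName field of its MQCXP parameter and, on a refusal, set ExitResponse to a closing value (MQXCC_SUPPRESS_FUNCTION or MQXCC_CLOSE_CHANNEL) instead of MQXCC_OK. The function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* MQ_Q_MGR_NAME_LENGTH from cmqc.h; defined locally so the example
 * builds without the WebSphere MQ headers (assumption: value 48). */
#define QMGR_NAME_LENGTH 48

/* Constructed allow list of queue managers permitted to join the cluster.
 * The names are hypothetical. A production exit would read this from a
 * protected file or table rather than compiling it in. */
static const char *const authorized_qmgrs[] = {
    "QM_HUB_1",
    "QM_HUB_2",
    "QM_BRANCH_PARIS",
};

/* Copy a blank-padded, non-terminated MQ name into buf as a C string with
 * trailing blanks removed. A stray NUL is also treated as end of name.
 * Returns the trimmed length. */
static size_t mq_name_trim(const char *padded, size_t padded_len,
                           char *buf, size_t buf_len)
{
    size_t n = 0;
    while (n < padded_len && padded[n] != '\0')
        n++;
    while (n > 0 && padded[n - 1] == ' ')
        n--;
    if (n >= buf_len)
        n = buf_len - 1;
    memcpy(buf, padded, n);
    buf[n] = '\0';
    return n;
}

/* Decide whether the partner queue manager named in MQCXP.PartnerName may
 * start the channel. Returns 1 to allow, 0 to refuse. The comparison is an
 * exact, case-sensitive match on the trimmed name: "qm_hub_1" is not
 * "QM_HUB_1", and "QM_HUB_10" is not "QM_HUB_1" (no prefix matching). */
int partner_authorized(const char partner_name[QMGR_NAME_LENGTH])
{
    char name[QMGR_NAME_LENGTH + 1];
    size_t i, n;

    n = mq_name_trim(partner_name, QMGR_NAME_LENGTH, name, sizeof name);
    if (n == 0)               /* blank partner name: never authorize */
        return 0;
    for (i = 0; i < sizeof authorized_qmgrs / sizeof authorized_qmgrs[0]; i++)
        if (strcmp(name, authorized_qmgrs[i]) == 0)
            return 1;
    return 0;
}

/* Build a 48-byte blank-padded name the way MQ presents it (test helper). */
void mq_name_pad(const char *s, char out[QMGR_NAME_LENGTH])
{
    size_t n = strlen(s);
    if (n > QMGR_NAME_LENGTH)
        n = QMGR_NAME_LENGTH;
    memset(out, ' ', QMGR_NAME_LENGTH);
    memcpy(out, s, n);
}

/* Convenience wrapper: pad a C string as MQ would and run the check. */
int partner_authorized_str(const char *qmgr_name)
{
    char padded[QMGR_NAME_LENGTH];
    mq_name_pad(qmgr_name, padded);
    return partner_authorized(padded);
}

int main(void)
{
    /* Constructed probes: an authorized name, an unknown one, a wrong-case
     * variant, a prefix-extended variant and a blank name. */
    const char *probes[] = { "QM_HUB_1", "QM_ROGUE", "qm_hub_1", "QM_HUB_10", "" };
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-12s -> %s\n", probes[i][0] ? probes[i] : "(blank)",
               partner_authorized_str(probes[i]) ? "ALLOW" : "REFUSE");
    return 0;
}
```

The check that most often goes wrong in practice is the comparison itself: PartnerName is not a C string, so strcmp() on the raw field reads past the name, and strncmp() against the length of the allow-list entry silently accepts any queue manager whose name merely starts with an authorized one. Trimming to an exact match, as above, avoids both. Remember that this check only runs on the end where the exit is installed; per item 1 the same exit must be on the cluster-sender end as well, or the first connection is made with no check at all.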

 

Parent topic:

Preventing queue managers joining a cluster
