+

Search Tips | Advanced Search

SSPI security exit

IBM MQ for Windows supplies a security exit for both the IBM MQ MQI client and the IBM MQ server. This is a channel-exit program that provides authentication for IBM MQ channels by using the Security Services Programming Interface (SSPI). The SSPI provides the integrated security facilities of Windows systems.

The security packages are loaded from either security.dll or secur32.dll. These DLLs are supplied with your operating system.

One-way authentication is provided using NTLM authentication services. Two-way authentication is provided using Kerberos authentication services.

The security exit program is supplied in source and object format. We can use the object code as it is, or we can use the source code as a starting point to create your own user-exit programs.

See also Use the SSPI security exit on Windows.


Introduction to security exits

A security exit forms a secure connection between two security exit programs, where one program is for the sending message channel agent (MCA), and one is for the receiving MCA.

The program that initiates the secure connection, that is, the first program to get control after the MCA session is established, is known as the context initiator. The partner program is known as the context acceptor.

The following table shows some of the channel types that are context initiators and their associated context acceptors.

Table 1. Context initiators and their associated context acceptors
Context Initiator Context Acceptor
MQCHT_CLNTCONN MQCHT_SVRCONN
MQCHT_RECEIVER MQCHT_SENDER
MQCHT_CLUSRCVR MQCHT_CLUSSDR
The security exit program has two entry points:


What the security exit does

This topic describes what the SSPI channel-exit programs do.

The supplied channel-exit programs provide either one-way or two-way (mutual) authentication of a partner system when a session is being established. For a particular channel, each exit program has an associated principal (similar to a user ID, see IBM MQ access control and Windows principals ). A connection between two exit programs is an association between the two principals.

After the underlying session is established, a secure connection between two security exit programs (one for the sending MCA and one for the receiving MCA), is established. The sequence of operations is as follows:
  1. Each program is associated with a particular principal, for example as a result of an explicit login operation.
  2. The context initiator requests a secure connection with the partner from the security package (for Kerberos, the named partner) and receives a token (called token1). The token is sent, using the underlying session that is already established, to the partner program.
  3. The partner program (the context acceptor) passes token1 to the security package, which verifies that the context initiator is authentic. For NTLM, the connection is now established.
  4. For the Kerberos-supplied security exit (that is, for mutual authentication), the security package also generates a second token (called token2), which the context acceptor returns to the context initiator by using the underlying session.
  5. The context initiator uses token2 to verify that the context acceptor is authentic.
  6. At this stage, if both applications are satisfied with the authenticity of the partner's token, the secure (authenticated) connection is established.


IBM MQ access control and Windows principals

The access control that IBM MQ provides is based on the user and group. The authentication that Windows provides is based on principals, such as user and servicePrincipalName (SPN). In the case of servicePrincipalName, there might be many of these associated with a single user.

The SSPI security exit uses the relevant Windows principals for authentication. If Windows authentication is successful, the exit passes the user ID that is associated with the Windows principal to IBM MQ for access control.

The Windows principals that are relevant for authentication vary, depending on the type of authentication used.