WebSphere MQ for Windows supplies a security exit for both the WebSphere MQ client and the WebSphere MQ server. This is a channel-exit program that provides authentication for WebSphere MQ channels by using the Security Services Programming Interface (SSPI). The SSPI provides the integrated security facilities of Windows NT and Windows 2000.
The security packages are loaded from either security.dll or secur32.dll. These DLLs are supplied with your operating system.
One-way authentication is provided on both Windows NT and Windows 2000, using NTLM authentication services. Two way authentication is provided on Windows 2000, using Kerberos authentication services.
The security exit program is supplied in source and object format. You can use the object code as it is, or you can use the source code as a starting point to create your own user-exit programs.
See also Using the SSPI security exit on Windows systems.
A security exit forms a secure connection between two security exit programs, where one program is for the sending message channel agent (MCA), and one is for the receiving MCA. The program that initiates the secure connection, that is, the first program to get control after the MCA session is established, is known as the context initiator. The partner program is known as the context acceptor.
The following table shows some of the channel types that are context
initiators and their associated context acceptors.
Table 29. Context initiators and their associated context acceptors
Context Initiator | Context Acceptor |
---|---|
MQCHT_CLNTCONN | MQCHT_SVRCONN |
MQCHT_RECEIVER | MQCHT_SENDER |
MQCHT_CLUSRCVR | MQCHT_CLUSSDR |
The security exit program has two entry points:
This uses NTLM authentication services, which provide one-way authentication. NTLM allows servers to verify the identities of their clients. It does not allow clients to verify a server's identity, or one server to verify the identity of another. NTLM authentication was designed for a network environment in which servers are assumed to be genuine. NTLM is supported in Windows NT and Windows 2000.
This uses Kerberos mutual authentication services. The Kerberos protocol does not assume that servers in a network environment are genuine. Parties at both ends of a network connection can verify the identity of the other party. That is, servers can verify the identity of clients and other servers, and clients can verify the identity of a server. Kerberos is supported only in Windows 2000.
This section describes what the SSPI channel-exit programs do.
The supplied channel-exit programs provide either one-way or two-way (mutual) authentication of a partner system when a session is being established. For a particular channel, each exit program has an associated principal (similar to a user ID, see WebSphere MQ access control and Windows principals). A connection between two exit programs is an association between the two principals.
After the underlying session is established, a secure connection between two security exit programs (one for the sending MCA and one for the receiving MCA), is established. The sequence of operations is as follows:
The access control that WebSphere MQ provides is based on the user and group. The authentication that Windows provides is based on principals, such as user and servicePrincipalName (SPN). In the case of servicePrincipalName, there may be many of these associated with a single user.
The SSPI security exit uses the relevant Windows principals for authentication. If Windows authentication is successful, the exit passes the userid that is associated with the Windows principal to MQSeries for access control.
The Windows principals that are relevant for authentication vary, depending on the type of authentication used.
ibmMQSeries/