Using the SSPI security exit on Windows systems

This section describes how to use the SSPI channel-exit programs on Windows systems. The supplied exit code is in two formats: object and source.

Object code

The object code file is called amqrspin.dll. For both client and server, it is installed as a standard part of WebSphere MQ for Windows in the exits folder, and is loaded as a standard user exit. You can run the supplied security channel exit and use authentication services in your definition of the channel.

To do this, specify either of the following:

SCYEXIT('amqrspin(SCY_KERBEROS)')
 
SCYEXIT('amqrspin(SCY_NTLM)')

To provide support for a restricted channel, specify the following on the SVRCONN channel:

SCYDATA('remote_principal_name')

where remote_principal_name is in the form DOMAIN\user. The secure channel is established only if the name of the remote principal matches remote_principal_name.
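The following MQSC definitions are an added illustration, not part of the original documentation. They show a client-connection and server-connection channel pair that both load the supplied exit, first without and then with the SCYDATA restriction. The channel names, queue manager name, host, port, and principal name are constructed placeholders, and using the same entry point on both ends is an assumption.

```mqsc
* Constructed example: all names, the host, the port and the principal are placeholders.

* Server side, unrestricted: the exit authenticates the partner,
* but no SCYDATA is set, so no principal-name restriction is applied.
DEFINE CHANNEL(APP1.OPEN.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SCYEXIT('amqrspin(SCY_KERBEROS)')

* Server side, restricted: the secure channel is established only if
* the remote principal matches the DOMAIN\user value in SCYDATA.
DEFINE CHANNEL(APP1.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SCYEXIT('amqrspin(SCY_KERBEROS)') +
       SCYDATA('EXAMPLE\mqclient')

* Client side: loads the same exit and entry point (assumption: both
* ends of the channel name the same authentication service).
DEFINE CHANNEL(APP1.SVRCONN) CHLTYPE(CLNTCONN) TRPTYPE(TCP) +
       CONNAME('mqhost.example.com(1414)') QMNAME(QM1) +
       SCYEXIT('amqrspin(SCY_KERBEROS)')

* Confirm what is actually configured on the restricted channel.
DISPLAY CHANNEL(APP1.SVRCONN) CHLTYPE(SVRCONN) SCYEXIT SCYDATA
```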

To use the supplied channel-exit programs between systems that operate within a Kerberos security domain, you must create a servicePrincipalName for the queue manager.

Source code

The exit source code file is called amqsspin.c. It is in C:\Program Files\IBM\WebSphere MQ\Tools\c\Samples.

If you modify the source code, you must recompile the modified source.

You compile and link it in the same way as any other channel exit for the relevant platform, except that SSPI headers need to be accessed at compile time, and the SSPI security libraries, together with any recommended associated libraries, need to be accessed at link time.

Before you run the following command, make sure that cl.exe, the Visual C++ library, and the include folder are available in your path. For example (enter as a single command):

cl /VERBOSE /LD /MT /I<path_to_Microsoft_platform_SDK\include>
/I<path_to_WebSphere MQ\tools\c\include> amqsspin.c /DSECURITY_WIN32
-link /DLL /EXPORT:SCY_KERBEROS /EXPORT:SCY_NTLM /STACK:8192

Note:
The source code does not include any provision for tracing or error handling. If you choose to modify and use the source code, you should add your own tracing and error-handling routines.


© IBM Corporation 1993, 2002. All Rights Reserved