MQ

  • 1.  Stop Apps from using older version of MQ Client

    IBM Select
    Posted Thu September 23, 2021 12:36 PM
    Is there a way to prevent an application using MQ 7/8/9.0 client jars from connecting to Queue Manager.
    Not interested in writing/using security exits at the channel.

    Or is there a subscription topic string we can collect and scan thru? Using $SYS/... option?

    Currently, we collect channel status and get the MQ Client version, but this is a poll and we are missing data collection.

    ------------------------------
    om prakash
    WI
    ------------------------------


  • 2.  RE: Stop Apps from using older version of MQ Client

    Posted Fri September 24, 2021 07:01 PM
    Edited by Roger Lacroix Fri September 24, 2021 07:02 PM
    Hi,

    <Vendor_Plug>

    You could have a look at Capitalware's MQ Channel Connection Inspector (MQCCI). MQCCI is designed to provide the MQAdmin with any or all of the fields of the MQCD and MQCXP structures from a client connection to a queue manager in a "human readable" format.  In particular, MQCCI will output RemoteProduct and RemoteVersion fields which are what you are looking for.

    Example MQCCI output written to a CSV file:
    2021/09/24 18:49:43.675307, CONN, Tag=2HSQpOrnmilh8nwF, CD_QMgrName=MQWT1, CD_ChannelName=TEST.EXIT.CHL, CD_ConnectionName=10.10.10.10, CD_ShortConnectionName=10.10.10.10, CD_MaxMsgLength=4194304, CD_PutAuthority=MQPA_DEFAULT, CD_MCAUserIdentifier=roger, CD_RemoteUserIdentifier=roger, CD_RemotePassword_Length=0, CD_SSLCipherSpec=, CD_SSLClientAuth=MQSCA_REQUIRED, CD_CertificateLabel=, CXP_PartnerName=roger, CXP_SSLCertUserid=, CXP_SecurityParms_AuthenticationType=MQCSP_AUTH_USER_ID_AND_PWD, CXP_SecurityParms_UserId=roger, CXP_SecurityParms_Password_Length=8, CXP_SharingConversations=TRUE, CXP_MCAUserSource=MQUSRC_MAP, CXP_RemoteProduct=MQJB, CXP_RemoteVersion=0901,
    2021/09/24 18:49:46.044185, DISC, Tag=2HSQpOrnmilh8nwF, CD_QMgrName=MQWT1, CD_ChannelName=TEST.EXIT.CHL, CD_ConnectionName=10.10.10.10,

    Note: The above example is 2 very long lines.

    Or the user can select "Pure CSV" then the output will look like:
    "Date Time", "Connection Type", "Tag", "CD_QMgrName", "CD_ChannelName", "CD_ConnectionName", "CD_ShortConnectionName", "CD_MaxMsgLength", "CD_PutAuthority", "CD_MCAUserIdentifier", "CD_RemoteUserIdentifier", "CD_RemotePassword_Length", "CD_SSLCipherSpec", "CD_SSLClientAuth", "CD_CertificateLabel", "CXP_PartnerName", "CXP_SSLCertUserid", "CXP_SecurityParms_AuthenticationType", "CXP_SecurityParms_UserId", "CXP_SecurityParms_Password_Length", "CXP_SharingConversations", "CXP_MCAUserSource", "CXP_RemoteProduct", "CXP_RemoteVersion",
    2021/09/24 18:50:10.705293, "CONN", "nk6KlZ3jgc6MUsCP", "MQWT1", "TEST.EXIT.CHL", "10.10.10.10", "10.10.10.10", 4194304, "MQPA_DEFAULT", "roger", "roger", 0, "", "MQSCA_REQUIRED", "", "roger", "", "MQCSP_AUTH_USER_ID_AND_PWD", "roger", 8, "TRUE", "MQUSRC_MAP", "MQJB", "0901",
    2021/09/24 18:50:10.725120, "DISC", "nk6KlZ3jgc6MUsCP", "MQWT1", "TEST.EXIT.CHL", "10.10.10.10",

    Note: This example is 3 very long lines.

    Hence, you do not need to poll anything.  As client applications connect to the queue manager, MQCCI will output the information to a CSV file.  Hence, nothing will be missed.

    Generally speaking, companies like it because it provides an audit/security trail of what client applications are connecting to a queue manager.

    </Vendor_Plug>
     
    later
    Roger

    ------------------------------
    Roger Lacroix
    CTO
    Capitalware Inc.
    London ON
    226-980-7307
    ------------------------------



  • 3.  RE: Stop Apps from using older version of MQ Client

    Posted Thu October 14, 2021 06:13 AM

    This is also an issue in our company / infrastructure.
    We have bunch of different client types and versions.
    I agree that exits are no solution, think about appliances.

    In my opinion IBM needs to create some CHLAUTH commands for preventing those connections.
    And this requires an RfE...



    ------------------------------
    Norbert Pfister
    system engineer
    Nuremberg
    Germany
    ------------------------------



  • 4.  RE: Stop Apps from using older version of MQ Client

    Posted Fri October 15, 2021 01:32 PM
    Hi Norbert,

    > I agree that exits are no solution, think about appliances.

    Personally, I think an exit is exactly what the solution calls for since I seriously doubt IBM will ever add that feature.

    For more than 5 years, I have begged, pleaded and talked the ear off anyone from IBM MQ UK Labs about adding an App Store for the MQ Appliance but management has the basic reply of "customers are not asking for it".  It is such a lame answer.  I get asked every couple of months by customers if product "XYZ" will work on an MQ Appliance, so I know there is demand!!   It sucks because I have to keep saying no. 

    IBM already includes other IBM software (other than MQ) for the MQ Appliance.  What is wrong with following the pattern that Apple and Google set for their App Stores?  Charge 3rd party vendors, aka developers, a nominal fee, i.e. $100, and provide a portal to submit the applications (aka exits).  The software would then be included in the next MQ appliance build and the end-users can select what software they want to use.  Licensing would be handled by the vendor and not IBM.

    The weird part of this is that when companies are using an exit (Capitalware or someone else) and use a mix of MQ on their own servers and MQ Appliances, then it forces customers to have 2 totally different ways of handling the solutions they are implementing.  And most of the time, there is no solution for the MQ Appliance, hence, they use the MQ Appliance with that particular which is not very customer-focused.  IMHO.

    One can only hope that 1 day IBM will listen and create an App Store for the MQ Appliance.  I know it will make some customers very happy (and vendors too).

    later
    Roger

    ------------------------------
    Roger Lacroix
    CTO
    Capitalware Inc.
    London ON
    226-980-7307
    ------------------------------



  • 5.  RE: Stop Apps from using older version of MQ Client

    Posted Fri October 15, 2021 03:09 PM
    "Or is there a subscription topic string we can collect and scan thru? Using $SYS/... option?"

    For distributed, yes. Distributed MQI Accounting now reports the remote product and version of the client channel. I believe that started around 9.1.

    The distributed queue accounting does not have this channel data, but if you turn both MQI and queue accounting on, the messages are delivered in a way where you can use the connection id (which appears on both) to tie the channel, remote product, remote version of the MQI accounting back to the queue accounting data. So for our distributed MQ queue accounting data, we are able to provide the channel details for the queue accounting using this trick.


    ------------------------------
    Tim Zielke
    ------------------------------



  • 6.  RE: Stop Apps from using older version of MQ Client

    IBM Select
    Posted 10 days ago
    We have done it as ..

    DIS CHLSTATUS(*)

    If the value is 000000 we know it is MQ 7 or lower. We get to IP, App Name etc.. Then we are following up.

    Yet not able to find out, how we can stop the application from connecting without an exit-program.

    ------------------------------
    om prakash
    WI
    ------------------------------



  • 7.  RE: Stop Apps from using older version of MQ Client

    Posted 10 days ago
    You won't find a way with out an exit. I agree with Norbert that this is something that is worthwhile and should be submitted as an RFE (or whatever the new process is now) for CHLAUTH to be able to block access based on the client version. An argument could be made that this is a security RFE, as lower versions of MQ are flagged a security vulnerabilities in security scans.

    ------------------------------
    Tim Zielke
    ------------------------------



  • 8.  RE: Stop Apps from using older version of MQ Client

    Posted 6 days ago
    And to complete the list:
    We had massive performance issues at our z/OS qmgr's when some Spring Boot applications using way too old versions...
    Of course here we consider an exit as Roger already mentioned.

    ------------------------------
    Norbert Pfister
    system engineer
    Nuremberg
    Germany
    ------------------------------