[Windows]

Using the SSPI security exit on Windows

This topic describes how to use the SSPI channel-exit programs on Windows systems. The supplied exit code is in two formats: object and source.

Object code

The object code file is called amqrspin.dll. For both client and server, it is installed as a standard part of IBM® MQ for Windows in the MQ_INSTALLATION_PATH/exits/INSTALLATION_NAME folder. For example, C:\Program Files\IBM\MQ\exits\installation2. It is loaded as a standard user exit. You can run the supplied security channel exit and use authentication services in your definition of the channel.

To do this, specify either of the following: 

SCYEXIT('amqrspin(SCY_KERBEROS)')

SCYEXIT('amqrspin(SCY_NTLM)')
To provide support for a restricted channel, specify the following on the SVRCONN channel: 

SCYDATA('remote_principal_name')
where remote_principal_name is in the form DOMAIN\user. The secure channel is established only if the name of the remote principal matches remote_principal_name.

To use the supplied channel-exit programs between systems that operate within a Kerberos security domain, create a servicePrincipalName for the queue manager.

Source code

The exit source code file is called amqsspin.c. It is in C:\Program Files\IBM\MQ\Tools\c\Samples.

If you modify the source code, you must recompile the modified source.

You compile and link it in the same way as any other channel exit for the relevant platform, except that SSPI headers need to be accessed at compile time, and the SSPI security libraries, together with any recommended associated libraries, need to be accessed at link time.

Before you execute the following command, make sure that cl.exe, and the Visual C++ library, and the include folder are available in your path. For example: 

cl /VERBOSE /LD /MT /Ipath_to_Microsoft_platform_SDK\include
/Ipath_to_IBM_MQ\tools\c\include amqsspin.c /DSECURITY_WIN32
-link /DLL /EXPORT:SCY_KERBEROS /EXPORT:SCY_NTLM STACK:8192
Note: The source code does not include any provision for tracing or error handling. If you modify and use the source code, add your own tracing and error-handling routines.