Security exits on cluster channels

Extra considerations when using security exits on cluster channels.

About this task

When a cluster-sender channel is first started, it uses attributes defined manually by a system administrator. When the channel is stopped and restarted, it picks up the attributes from the corresponding cluster-receiver channel definition. The original cluster-sender channel definition is overwritten with the new attributes, including the SecurityExit attribute.

Procedure

  1. You must define a security exit on both the cluster-sender end and the cluster-receiver end of a channel.

    The initial connection must be made with a security-exit handshake, even though the security exit name is sent over from the cluster-receiver definition.

  2. Validate the PartnerName in the MQCXP structure in the security exit.

    The exit must allow the channel to start only if the partner queue manager is authorized.

  3. Design the security exit on the cluster-receiver definition to be receiver initiated.
  4. If you design it as sender initiated, an unauthorized queue manager without a security exit can join the cluster because no security checks are performed.

    Not until the channel is stopped and restarted can the SCYEXIT name be sent over from the cluster-receiver definition and full security checks made.

  5. To view the cluster-sender channel definition that is currently in use, use the command:
    
    DISPLAY CLUSQMGR( queue manager ) ALL
    
    The command displays the attributes that have been sent across from the cluster-receiver definition.
  6. To view the original definition, use the command:
    
    DISPLAY CHANNEL( channel name ) ALL
    
  7. You might need to define a channel auto-definition exit, CHADEXIT, on the cluster-sender queue manager, if the queue managers are on different platforms.

    Use the channel auto-definition exit to set the SecurityExit attribute to an appropriate format for the target platform.

  8. Deploy and configure the security exit.

    z/OS:
    The security-exit load module must be in the data set specified in the CSQXLIB DD statement of the channel-initiator address-space procedure.

    Windows, UNIX and Linux systems:
    • The security-exit dynamic link library must be in the path specified in the SCYEXIT attribute of the channel definition.
    • The channel auto-definition exit dynamic link library must be in the path specified in the CHADEXIT attribute of the queue manager definition.
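The following is an added example, not code from this page or from IBM MQ, showing the PartnerName check that step 2 asks for: a fail-closed comparison of the blank-padded MQCHAR48 partner queue manager name against an allow-list, returning the exit response that lets the channel start or closes it. The MQ SDK headers are not included so that it compiles stand-alone; the type and constant definitions at the top are stand-ins for cmqc.h/cmqxc.h, the allow-list is constructed for illustration, and the commented entry-point sketch at the end shows where the check sits in a real exit (assumed to be invoked at the MQXR_INIT_SEC call).

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for definitions from IBM MQ's cmqc.h/cmqxc.h, assumed here so the
   example builds without the MQ SDK. A deployed exit includes those headers
   and uses the real types and constants instead of these. */
typedef char MQCHAR48[48];
typedef int  MQLONG;
#define MQ_Q_MGR_NAME_LENGTH 48
#define MQXCC_OK             0      /* let the channel start            */
#define MQXCC_CLOSE_CHANNEL  (-6)   /* refuse the partner, close channel */

/* Constructed allow-list of partner queue-manager names. In a deployed exit
   this comes from ExitData or a configuration file, not a literal. */
static const char *const ALLOWED_PARTNERS[] = {
    "QM_HUB", "QM_BRANCH1", "QM_BRANCH2"
};

/* Copy a blank-padded MQCHAR48 into a NUL-terminated buffer, dropping the
   trailing blanks. MQ pads names with spaces and need not NUL-terminate,
   so the source is never read past MQ_Q_MGR_NAME_LENGTH bytes. */
static void trim_mq_name(const MQCHAR48 src, char *dst, size_t dstlen)
{
    size_t n = 0;
    while (n < MQ_Q_MGR_NAME_LENGTH && src[n] != '\0') n++;
    while (n > 0 && src[n - 1] == ' ') n--;
    if (n >= dstlen) n = dstlen - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Decide whether the channel may start for this PartnerName.
   Fails closed: a blank name or a name not on the list is refused. */
MQLONG authorize_partner(const MQCHAR48 partner_name)
{
    char name[MQ_Q_MGR_NAME_LENGTH + 1];
    size_t i;

    trim_mq_name(partner_name, name, sizeof name);
    if (name[0] == '\0')
        return MQXCC_CLOSE_CHANNEL;

    for (i = 0; i < sizeof ALLOWED_PARTNERS / sizeof ALLOWED_PARTNERS[0]; i++)
        if (strcmp(name, ALLOWED_PARTNERS[i]) == 0)
            return MQXCC_OK;

    return MQXCC_CLOSE_CHANNEL;
}

/* Convenience wrapper: build the blank-padded MQCHAR48 exactly as MQ would
   present it, then run the same check. Useful for testing the exit logic. */
MQLONG authorize_partner_str(const char *qmgr)
{
    MQCHAR48 padded;
    size_t len = strlen(qmgr);
    if (len > sizeof padded) len = sizeof padded;
    memset(padded, ' ', sizeof padded);
    memcpy(padded, qmgr, len);
    return authorize_partner(padded);
}

/* Sketch of how a real exit entry point would call the check (hypothetical
   function name; the parameter list is the MQ channel-exit interface).
   Left as a comment because the MQ headers are not included here.

void MQENTRY SecurityExit(PMQVOID pChannelExitParms, PMQVOID pChannelDefinition,
                          PMQLONG pDataLength, PMQLONG pAgentBufferLength,
                          PMQVOID pAgentBuffer, PMQLONG pExitBufferLength,
                          PMQPTR pExitBufferAddr)
{
    PMQCXP pCXP = (PMQCXP)pChannelExitParms;
    if (pCXP->ExitReason == MQXR_INIT_SEC)
        pCXP->ExitResponse = authorize_partner(pCXP->PartnerName);
}
*/

int main(void)
{
    const char *samples[] = { "QM_HUB", "QM_ROGUE", "", "QM_HUBX" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %s\n", samples[i],
               authorize_partner_str(samples[i]) == MQXCC_OK ? "start" : "close");
    return 0;
}
```

The name is compared whole after trimming, so a partner whose name merely starts with an allowed value (QM_HUBX against QM_HUB) is refused, and a blank PartnerName, which the exit can see before the partner has identified itself, is refused rather than ignored. This is the step 2 check only; the receiver-initiated handshake of step 3 is where a deployed exit adds whatever further verification the installation requires.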