Using the SSPI security exit on Windows systems
This topic describes how to use the SSPI channel-exit programs on Windows systems. The supplied exit code is in two formats: object and source.
Object code
The object code file is called amqrspin.dll. For both client and server, it is installed as a standard part of WebSphere® MQ for Windows in the MQ_INSTALLATION_PATH/exits/INSTALLATION_NAME folder. For example, C:\Program Files\IBM\WebSphere MQ\exits\installation2.
It is loaded as a standard user exit. You can run the supplied security channel exit and use authentication services in your definition of the channel.
SCYEXIT('amqrspin(SCY_KERBEROS)')
SCYEXIT('amqrspin(SCY_NTLM)')
SCYDATA('remote_principal_name')
where remote_principal_name is in the form DOMAIN\user. The secure channel is established only if the name of the remote principal matches remote_principal_name.
To use the supplied channel-exit programs between systems that operate within a Kerberos security domain, create a servicePrincipalName for the queue manager.
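The following Python audit is an added example, not part of the original topic or of the supplied exit. It parses runmqsc DISPLAY CHANNEL output (the sample text is constructed and its layout is an assumption) and reports channels that load amqrspin but have no SCYDATA principal, or whose SCYDATA is not in the DOMAIN\user form described above.

```python
import re

# Constructed sample in the style of: DISPLAY CHANNEL(*) SCYEXIT SCYDATA
SAMPLE = r"""
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   SCYDATA(EXAMPLE\mqclient)               SCYEXIT(amqrspin(SCY_KERBEROS))
AMQ8414: Display Channel details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   SCYDATA( )                              SCYEXIT(amqrspin(SCY_NTLM))
AMQ8414: Display Channel details.
   CHANNEL(APP3.SVRCONN)                   CHLTYPE(SVRCONN)
   SCYDATA(mqclient)                       SCYEXIT(amqrspin(SCY_KERBEROS))
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   SCYDATA( )                              SCYEXIT( )
"""

ATTR_START = re.compile(r"([A-Z]+)\(")
PRINCIPAL = re.compile(r"^[^\\\s]+\\[^\\\s]+$")  # DOMAIN\user

def parse_attrs(text):
    """Yield (NAME, value) pairs; values may contain nested parentheses."""
    pos = 0
    while (m := ATTR_START.search(text, pos)):
        depth, end = 1, m.end()
        while end < len(text) and depth:
            depth += {"(": 1, ")": -1}.get(text[end], 0)
            end += 1
        if depth:          # unbalanced parentheses: stop rather than guess
            return
        yield m.group(1), text[m.end():end - 1].strip()
        pos = end

def audit(output):
    """Map channel name -> finding for channels that use the SSPI exit."""
    findings = {}
    for record in output.split("AMQ8414:")[1:]:
        attrs = dict(parse_attrs(record))
        if not attrs.get("SCYEXIT", "").lower().startswith("amqrspin("):
            continue       # channel does not load the supplied exit
        scydata = attrs.get("SCYDATA", "")
        if not scydata:
            findings[attrs["CHANNEL"]] = "no SCYDATA principal"
        elif not PRINCIPAL.match(scydata):
            findings[attrs["CHANNEL"]] = "SCYDATA not in DOMAIN\\user form"
    return findings

if __name__ == "__main__":
    for channel, finding in audit(SAMPLE).items():
        print(f"{channel}: {finding}")
```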
Source code
The exit source code file is called amqsspin.c. It is in C:\Program Files\IBM\WebSphere MQ\Tools\c\Samples.
If you modify the source code, you must recompile the modified source.
You compile and link it in the same way as any other channel exit for the relevant platform, except that SSPI headers need to be accessed at compile time, and the SSPI security libraries, together with any recommended associated libraries, need to be accessed at link time.
include folder are available in your path. For example:
cl /VERBOSE /LD /MT /I<path_to_Microsoft_platform_SDK\include>
/I<path_to_WebSphere MQ\tools\c\include> amqsspin.c /DSECURITY_WIN32
-link /DLL /EXPORT:SCY_KERBEROS /EXPORT:SCY_NTLM /STACK:8192