BlockIP2 change history

initial version - 12Dec02 DK v1.00

Myself - 06Jan04 DK v1.10
Improved due to inspiration from T.Rob, Sriniddhi and Peter Potkay. Now we allow more patterns to be specified, separated by semicolon (;); the number of patterns is limited by the size of the SCYDATA field. Protection against JMS intruders, or users using mqm or MUSR_MQADMIN.

Michael Dag - 20Jan04 NL v1.11
Changed // comments to /* ... */ comments as they weren't suited for the C compiler on AIX. Changed IFDEF to find out WIN32 or UNIX, as UNIX can have 1 CPU as well. Commented out the #pragma statement as this wasn't suited for the C compiler on AIX. Removed * from string and wild in the wildcmp routine and added [0] as it didn't work on Solaris.

Myself - 22Jan04 DK v1.12
Problem with simple pattern (172.22.22.*): this failed due to a design mistake, which is now solved. Now the exit should work as designed. Log improved using a real date format instead of internal formats... Conditional compilation added, so the same source can be compiled on different platforms. Some other improvements due to the nature of UNIX/LINUX so the log list is fine.

Myself - 06Feb04 DK v1.14
Problem with missing timestamp in the log solved. Version 1.14. Problem with pattern matching without trailing asterisk; this problem was introduced in 1.11.

Myself - 10Feb04 DK v1.15
Added functionality to verify the connecting userid, based on the remote userid; this matching is also based on wild_cmp(), so wildcards are allowed. This pattern matching is case sensitive, so was51 is different from Was51. Check also added for right exit invocation. Any other exit will just be terminated. Inspiration:

Myself - 15Feb04 DK v1.16
Added functionality to allow specification rules to be passed in a file; this file is specified in SCYDATA() like (C:\path\rulefile.txt) or (/var/mqm/exits/rulefile.txt) depending on your platform. This allows you to have a rulefile per channel, and this offers flexibility to implement various security schemas. Two extra parameters have been added to SCYDATA: -d & -q. -d is used for debugging purposes, while -q is quiet mode, where the output is very reduced (only one line per attempt to connect).

Myself - 16Feb04 DK v1.17
A serious user-validation error was introduced in 1.16 which only allowed usage of FN= mode. The error is corrected (I hope), and my tests show it works. Enhanced error reporting, and control of filters. And still restrictive, so a failure doesn't open the connection.

Myself - 20Feb04 DK v1.18
The exit is now able to allow blank lines and empty lines in the security specification file.

Myself - 28Feb04 DK v1.20
Implemented validation for SSL objects, so we can have a pattern matching CN=ibmwebspheremqQM*, and have the option to block some CNs.
Following options are implemented:

Myself - 05mar04 DK v1.21
The logic of the exit has been changed so it's no longer possible to penetrate this exit using an exit on the client end to send a sec_msg and get a connection-accepted status. This design mistake would leave the channel open to almost anybody capable of creating a client security exit.

Myself - 21mar04 DK v1.22
Added functions to specify connectionname/userid match, so we can combine the security features. This matching feature only works in FN= mode, where the connectionname/userid is specified using the CON= keyword:
CON=<conname>;<userids>[;MCA={*|userid}];
CON=10.11.12.*;u*;MCA=sysoper;
CON=192.162.1.14;zz*;
The list is searched for the first match of connectionname+userid, which means it's very important to specify the options in the right order. If you specify:
CON=*;*;MCA=root;
CON=162.12.*;peter;
this will have the result that all incoming connection attempts will have the MCAUSER forced to "mqm", even "peter", because all connections+userids will match *;*;. You see the point?
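The first-match CON= lookup described in this entry, as an added C example (not BlockIP2's own code): it parses CON= lines with the syntax above into a table, applies a wildcard compare to conname and userid, and returns the first matching line together with its MCAUSER override; no match refuses the connection, the deny-all default that the v2.00 entry of this history describes. The two constructed rule sets reproduce the ordering mistake the entry warns about. All names (wild_match, next_field, parse_con_line, load_rules, userid_match, check_con_list, con_rule, verdict, the FLD field width) are assumptions; the table size of 64 is taken from the v3.01 entry, and the meaning of MCA=* (use the incoming userid) is the v2.77 behaviour from later in this history. Character-range patterns, hostnames and the later BLANK_USERID keyword are not modelled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_RULES 64   /* the CON= table held 64 entries before v3.01 */
#define FLD 64         /* assumed width of one field */

/* Case-sensitive wildcard compare: '*' matches any run, '?' exactly one character. */
static bool wild_match(const char *pat, const char *s)
{
    while (*pat) {
        if (*pat == '*') {
            while (*pat == '*') pat++;                   /* "**" behaves like "*" */
            if (*pat == '\0') return true;
            for (; *s; s++) if (wild_match(pat, s)) return true;
            return false;
        }
        if (*s == '\0' || (*pat != '?' && *pat != *s)) return false;
        pat++; s++;
    }
    return *s == '\0';
}

typedef struct {
    char conname[FLD];  /* connection-name pattern, e.g. 10.11.12.*        */
    char userids[FLD];  /* comma-separated userid patterns, e.g. u*,peter   */
    char mca[FLD];      /* "" = keep channel MCAUSER, "*" = incoming userid */
} con_rule;

static con_rule rules[MAX_RULES];
static int nrules;

/* Copy the field up to delim into out[FLD]; return pointer past it, NULL if too long. */
static const char *next_field(const char *p, char delim, char *out)
{
    const char *end = strchr(p, delim);
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len >= FLD) return NULL;
    memcpy(out, p, len);
    out[len] = '\0';
    return end ? end + 1 : p + len;
}

/* Parse one "CON=<conname>;<userids>[;MCA={*|userid}];" line into the table. */
static bool parse_con_line(const char *line)
{
    con_rule r = { "", "", "" };
    char extra[FLD] = "";
    if (nrules >= MAX_RULES || strncmp(line, "CON=", 4) != 0) return false;
    const char *p = line + 4;
    if (!(p = next_field(p, ';', r.conname)) || !r.conname[0]) return false;
    if (!(p = next_field(p, ';', r.userids)) || !r.userids[0]) return false;
    if (*p && !(p = next_field(p, ';', extra))) return false;
    if (extra[0] && strncmp(extra, "MCA=", 4) != 0) return false;   /* unknown keyword */
    if (extra[0]) strcpy(r.mca, extra + 4);
    rules[nrules++] = r;
    return true;
}

/* Replace the table; on any bad line leave it empty and return -1 (fail closed). */
static int load_rules(const char *const *lines, int n)
{
    nrules = 0;
    for (int i = 0; i < n; i++)
        if (!parse_con_line(lines[i])) { nrules = 0; return -1; }
    return nrules;
}

static bool userid_match(const char *list, const char *userid)
{
    char item[FLD];
    while ((list = next_field(list, ',', item)) != NULL) {
        if (wild_match(item, userid)) return true;
        if (*list == '\0') break;                        /* last item consumed */
    }
    return false;
}

typedef struct { int rule; char mcauser[FLD]; } verdict;   /* rule == -1: refuse */

/* First-match lookup: the first CON= line matching both conname and userid wins,
   so a broad line placed early shadows every specific line after it. */
static verdict check_con_list(const char *conname, const char *userid)
{
    verdict v = { -1, "" };
    for (int i = 0; i < nrules; i++) {
        if (!wild_match(rules[i].conname, conname) || !userid_match(rules[i].userids, userid))
            continue;
        snprintf(v.mcauser, FLD, "%s", strcmp(rules[i].mca, "*") == 0 ? userid : rules[i].mca);
        v.rule = i;
        return v;
    }
    return v;
}

/* Constructed rule sets: the order the entry above warns about, and the fix. */
static const char *const wrong_order[] = { "CON=*;*;MCA=root;", "CON=162.12.*;peter;" };
static const char *const right_order[] = { "CON=162.12.*;peter;", "CON=*;*;MCA=root;" };
```

Loading wrong_order and calling check_con_list("162.12.0.7", "peter") returns rule 0 with mcauser "root", because the broad first line is hit before the specific one; loading right_order returns rule 0 with an empty mcauser, meaning the channel's own MCAUSER is kept. An unparsable line (an unknown keyword, an empty field, or a field longer than FLD) empties the table, so every later lookup refuses rather than falling open, which is the restriction the v2.10 entry describes.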
Myself - 07jun04 DK v1.23
Problem with handling non-generic CON= statements, due to bad parsing. Problem was that only the first 32 chars were checked for a match.

Sid Young - 22mar04 AU v2.00
Complete re-write and restructure of code. Changed logic to deny all and only accept if all required conditions are met. Added enhanced logging capability.

Sid Young - 29mar04 AU v2.01
Added code to support channel and user name stamping in the log file name. Found typo in ProcessLine(). Tested OK.

Myself - 30mar04 DK v2.10
Retrofitted some code to create a Windows version of the program that could be loaded, and to allow compatibility with old versions that work without a rule-file. Restrictions added so connections will be refused on failure in rule/parameter specifications, because my auto test passed many connection attempts that should have been blocked due to rules. Testing, testing and even more testing...

Myself - 22may04 DK v2.11
Some editorial changes to allow compilation under AIX without problems. UNIX logging changed, so misspecified log information still results in logging, where the spec. is bypassed. LogDirecty removed and replaced with LogPath, for compliance between environments. Testing, testing and even more testing...

Myself - 29may04 DK v2.12
Reporting of refused connections added to the log, so we can see who is trying to get in; this had disappeared on Patterns= and CON= mismatch. This is fixed so we can continue.

Myself - 7jun04 DK v2.13
Better error reporting on bad file name (FN=) specification.

Neil Casey - 3aug04 AUS v2.13nwc
No change to functionality at all, but added Windows compiler information so that external link directives are not required, and added MVS directives to allow generation of an MVS-targeted exit. File specifications on MVS can be //DD:JCLNAME or UFS hierarchical names (i.e. unix names). Also fixed issues with ConnectionNames. The code was using EXIT_NAME_LENGTH to get a value for the length of the ConName. This doesn't work on MVS, where the exit name length is 8. Changed all references to use the MQ-defined constant MQ_CONN_NAME_LENGTH.

Myself - 5aug04 DK v2.14
Validation of the SCYDATA field is enhanced, so error handling on specifying FN=file is enhanced. If the keyword FN= is not specified, it's mandatory that SCYDATA contains either an asterisk (*), a question mark (?) or a pattern starting with 0-9, due to the fact that the latest problems reported are in this area of bad specification. Hard brackets ([]) are changed in the z/OS implementation to (<>), so it becomes readable in non-English environments. Controlled with the -z option in SCYDATA().

Neil Casey - 10aug04 DK v2.13nwc2
Extended maximum pattern lengths to 256 characters. Changed logic for building the pattern strings so that multiple Pattern= or User= etc. lines add to the previously built string instead of overwriting it. This is a function change which makes this version behave differently when faced with multiple lines of data, which previously just used the last data found.

Myself - 29may04 DK v2.15
Just a small one... together with a small code change for Solaris so that the timestamp is printed too. This is done using wcsftime...

Neil Casey - 24Aug04 v2.16
Removed the wcsftime call. The parameter passed to it (char*) by the code did not match the expected parameter (wchar*). The timestamping works fine on Solaris without this mod. Removed some commented-out code which was for debugging. Reformatted source indenting.

Myself - 08Feb05 DK v2.17
A small change about setting MCAUSER based on CON= control; z/OS will have a field filled with trailing spaces. Added RespectMCA keyword.

Myself - 21Apr05 DK v2.18
Handling of SEC_PARMS added as part of WMQ 6.0 support.

Myself - 24Apr05 DK v2.20
Added support for max connections on a given channel. New keyword MAXCHL=ChannelName;MaxConnections; was added. This is currently not supported on WebSphere MQ for z/OS.

Myself - 03May05 DK v2.21
PWD= parm added to CON=, for simple password validation; there is encryption on the PW exchange. It must be supplied on an MQXR_SEC_MSG call. If PWD is applied and the user matches, we'll request the pw....
CON=<conname>;<userids>[;{PWD=<password>][;MCA={*|userid}|BLOCK}];
Problem with userid check in CON= fixed. Wildcard compare extended with character range, numeric and alpha patterns, to enhance filtering capabilities. AllowBlankUserID added; default is changed so we don't allow blank userids anymore. Internal version ONLY.

Myself - 05May05 DK v2.22
MAXCHL= now supported on z/OS.
WebSphere MQ Client exit added with basic support, executables only.

Myself - 1Jul05 DK v2.30
PWD= removed from CON= together with the client exit.
Problem with reentrant code changed, so it should be reentrant.

Myself - 11Sep05 DK v2.31
strtok changed to strtok_r for non-Windows implementations to deal with reentrant code problems. This should help make it more stable.

Myself - 23Sep05 DK v2.32
MAXCHL for UNIX changed to use shrmem for performance reasons.

Myself - 25Oct05 DK v2.35
OS/400 support added (bypass strtok_r) and handling of a new print model. New OS/400 entry point (int main()) added with conditional compile.

Myself - 14Nov05 DK v2.36
Handling of semaphores in LockSpecSem() fixed.

Myself - 14Nov05 DK v2.37
Connection refused message enhanced with conname and channelname.

Myself - 12Dec05 DK v2.38
"Connection refused, Pattern string is too long, max." This message wasn't showing the resulting message length, just the current one, so when concatenating patterns we had an issue. This was also fixed for Userids.

Myself - 25Jan06 DK v2.39
Porting for Linux AMD64. Various definitions changed.

Myself - 5Feb06 DK v2.40
Problem with UNIX shared memory mgmt. solved.

Myself - 13Feb06 DK v2.41
Problem when a config file contains garbage and MQXR_TERM is invoked and it returns a failure.... This was seen on WIN2K3.

Myself - 14Feb06 DK v2.42
Logging to EventLog added on Windows. Currently all events are logged. A switch will be added to SCYDATA to control this feature.

Myself - 18Feb06 DK v2.43
Needed cleanup procedure for getActualCurrentNumberOfRunningChannels to clean up allocated "databags"; mqDeleteBag must be included in the Windows edition to prevent a storage leak.

Myself - 1Mar06 DK v2.44
Added support for shared memory on Windows. This is implemented using a separate program, BlockIP2S, that initializes the Shared Memory Segment (SMS). There is a detached BlockIP2S per queue manager running with BlockIP2 (when the channel limiter is activated). Storage leak from the previous version, 2.44, is also solved. This applied only to the delivered Windows DLL, due to a compilation problem. Serialisation was added in Windows to handle logfile contention. This is also included in the control of SMS and BlockIP2S.

Myself - 1Mar06 DK v2.45
Shared memory naming changed to support HACMP and other MA special settings. The shm name under *NIX is now based on /var/mqm/mqs.init

Myself - Apr06 DK v2.46-2.48
Added logic to handle cycling of logfiles, to prevent filling up filesystems. Controlled by:
LogCount=nn; number of versions (between 3 and 99).
LogSize=nnnnnnn; size of the logfile before switching, min 100KB.
Default LogDrive and LogPath log path is changed on Windows to conform with the UNIX implementation, so we use the Windows settings. And FileName is extended with "001" to allow circular logging.

Myself - Apr06 DK v2.50
Pattern matching extended to allow embedded **; this means that the generic specs may look like this:
Patterns=123.*.123;
SSL=CN=ibmwebspheremq*T01,MCA=user;
ASC=Y/AllowSelfSignedCertificates=Y added.
SSL=[C=,][L=,][O=,][OU=,]CN=;[[MCA={userid|role|*};]|[BLOCK;]]
Some examples:
TERM=N/Y for controlling print of the termination message. MAX_SSL raised to 256 and MAX_PL to 1024*4.

Myself - Apr06 DK v2.51
wildcmplist() problem fixed.

Myself - Apr06 DK v2.52
messlen and buflen changed from long to MQLONG in deductStatusQ and getActualCurrentNumberOfRunningChannelszOS.

Myself - May06 DK v2.53
Support for BLANK_USERID added; changes were made in CheckUserId() and CheckCONList() to obtain the wanted functionality. Implementation of hostname support done in CheckConnectionPattern(). Deleted many compile warnings to get a clean compilation list without warnings.

Myself - May06 DK v2.55
Storage leak on z/OS solved together with DNS lookup on z/OS.

Myself - Aug06 DK v2.56
Problem with errors in spec. files solved. "AMQ9190 The user exit ... invoked for ..." with id '11' and reason '12', returned values that are not valid, as reported in the preceding messages. The channel stops. Detection for IY86343 added.

Myself - May06 DK v2.57
Problem with accepted CON= where there is no CON= that should give the auth.

Hubert Kleinmanns - Oct06 DK v2.56a
Fixed a problem in function 'CheckSSLList'. BlockIP2 exited in this function with a zero-length 'SSLRemCertIssNamePtr' in structure 'pChannelExitParams'. This problem occurred on Solaris SPARC systems with MQ v6.

Myself - Dec06 DK v2.60
Implementation of an additional specification file for configuration. BlockIP2 looks by default for /var/mqm/exits/BlockIP2.ini or ExitPath\BlockIP2.ini on the distributed platforms if FN= is not specified. This is implemented to ease distribution in complex installations, so a generic specification can be used. The NEW syntax of BlockIP2.ini is documented in the manual.

Myself - Mar07 DK v2.62
*NIX problem in ProcessMQSiniFile_qm_ini solved when looking for BlockIP2.ini. Problem with file cycle solved for dist. platforms.

Myself - Apr06 DK v2.64
Complex SSL filtering problems solved. Added ST= and PC= in the SSL filtering to be compliant with gsk7cmd and runmqckm and their capabilities. Problem with FNx= fixed. Reason was premature release of storage.

Myself - May07 DK v2.66
Problem with connection limiter solved when controlled by BlockIP2.ini.
New feature to extract MCAUSER from the SSL-DN added. *NIX storage leak caused by localtime and gethostbyname fixed by using the _r implementation of the functions.

Myself - Jun07 DK v2.67
Problem with FN= and file-not-found abend solved. Problem with QMGR= and CHANNEL= logic solved. CHANNEL= stmt didn't lock for the previously accepted channel. ENV changed to show platform information, like MVS, AIX, Linux, WIN etc. Added #pragma to disable _POSIX warning 4996 for fileno.

Myself - Jun07 DK v2.68
Support for AS/400 implemented... And it's working.... Extended to use shared storage and DNS support.

Myself - Jul07 DK v2.69
Sporadic errors solved for Solaris and others. Limit on CON_MAX enforced. BLOCKIP-68E added.

Myself - Mar08 DK v2.70
Security problem with Windows 2003 solved, changed in BlockIP2 and BlockIP2S. Extended error reporting in starting Windows SHM and registry load. SYSLOGFCLTY= and SYSLOGPRTY= added for UNIX to control syslog(). syslog_r() added for AIX for better thread safety. Show the name of the BlockIP2.ini in the -d option, to ease configuration troubleshooting. Report open reason for failed file operations..... (fopen() errno)

Myself - Oct08 DK v2.71
Changed some sprintf() to snprintf() to avoid stack crashes. Added thread id to identify the corresponding requests and answers.

Myself - Oct08 DK v2.72
Added CloseHandle(mutex) to prevent loss of handles, and to keep the stuff running for long periods of time.

Myself - Oct08 DK v2.73
Changed size of connection table to 64KB from 2, giving room for 1500 channels.

Myself - Jan09 DK v2.74
Changed LOGDEBUG1 to LOGDATA for no space in chltable for the UNIX impl. Channel struct changed to BlockIP2.2a to assure compliance with the old version, and now contains SHMMAX_CHL.

Myself - Mar09 DK v2.75
Suppress TERM note when quiet mode is selected. AllowBlankUserID=N added to comply with the book....

Myself - Mar09 DK v2.76
Added support for longer WTO messages on z/OS. Problem with BLOCKIP2-I50 and CONNAME print solved. z/OS will now allow change of the channel limiter threshold after first-time usage. Added support for WTOPFX under z/OS for WTOs to comply with CA tools...

Myself - Jun09 DK v2.77
Support for allowing the MCAUSER specified on the channel to be overridden by the incoming userid; this is done with MCA=* on the CON= statement.

Myself - Jul09 DK v2.78
BlockMqmUsers=N added to comply with the book.... Problem with CON= and hostnames solved. Username and MCA were removed due to a logic error. Need for mqm linkage removed for most platforms.

Matt Batterham - 06Oct09 AUS v2.79
Leading to fix dealing with NONE; in SCYDATA(), to help problem solving when Patterns= is missing in BlockIP2.ini.

Myself - 07DEC09 DK v2.80
Problem with MQ 7.0.1.0 where conname can contain the source port: 10.1.1.1(1490).
LogFormat=M (QueueManager) added to include the queue manager in the logfile name.
QMGR_SHORT_NAME=; up to 8 characters short name of the qmgr to include in the logfile, useful when long queue manager names are used... By default it takes the first 8 characters from the queue manager name.
INCQMGR=Y; added to include a short qmgr id in the logfile. Highly useful for large systems. Not so useful when used with LogFormat=M.
Introduced USESECPARMS=Y; that allows the user to set the MCAUSER based on the content in SecurityParms. This allows users to use BlockIP2 with MQ Explorer to do authentication using an OAM exit. **NOTE** If not used together with an Object Authority Manager (OAM) this leads to a security exposure, because e.g. MQ Explorer (and other applications) allow the user to type in a userid like mqm. Default is USESECPARMS=N; so it's your own choice to enable the feature. However it requires the invoking client application to utilize MQCSP_AUTH_USER_ID_AND_PWD. From the manual: This value indicates that MQCSP user ID and password fields will be used by the Object Authority Manager (OAM) to perform authentication on an MQCONNX call. When this is specified, the MQCSP structure is passed to the OAM Authenticate User function, which can set appropriate identity context fields.

Myself - 14DEC09 DK v2.81
Problem with MQ 7.0.1.0 where conname can contain the source port: 10.1.1.1(1490). Added compile flag TEST281 to test it.

Myself - 03FEB10 DK v2.82
Problem with channel limiter on heavily used multithreaded UNIX where shared memory was exhausted. Changes made to wildcmplist() to solve a problem with "BLANK_USERID" in a multiline specification: "CON=*;BLANK_USERID,QMQM,QMQMADM,QSECOFR;MCA=NoBody;" A dedicated test is included to deal with this case. LogCycle= added to ease configuration. Added debug level on the ver=x.xx line for ease of support.

Myself - 04MAR10 DK v2.83
Added support for multiple replies from DNS servers. Added support for standby qmgrs (DataPath on UNIX).

Paul Giordano - 06May10 v2.84
Added logic to z/OS to load process parameters into memory for efficiency. Keyed with nZOSLoadMem and parm -m. Added Silent flag to 50I and 99I WTOs. Removed unused __4kmalc() and #if BLOCKIM logic. Retrofitted by MrMQ.

Myself - 16AUG10 DK v2.85
Problem with SIGSEGV when processing mqs.ini solved. Was caused by storage overlay. Problem with missing logfiles solved (was also causing SIGSEGV); thanks to Anshul Rastogi and others.

Myself - 18AUG10 DK v2.86
More changes regarding SIGSEGV done.

Myself - 22JAN11 DK v2.90
More changes to support standby queue managers. Monitoring failover. UNIX shared memory anchor point moved from the MQ path to /tmp/._BlockIP2_ to prevent further problems with MQ product changes. This can be disabled with option -t, or TMPPATH=No; in the config file. TMPPATH=Yes; is the default.

Falk Dressler - 14MAR11 v2.91
Avoid referring to invalid memory when checking for '\n' in config file lines.

Myself - 12APR11 DK v2.92
Problem with CLUSSDR channels and "empty" patterns solved.

Myself - 13SEP11 DK v2.93
Enhancement of debugging for option USESECPARMS=Y.

Myself - 20SEP11 DK v2.94
Enhancement of debugging for blank userids and exit response. Additional logic added to control the behaviour of SEC_PARMS, to allow .NET applications to connect to MQ without formal authentication and to respect the MCAUSER settings.

Myself - 26MAY12 DK v2.95
Changed determination of ENV to have the right identification of the env. Added ZLINUX conditional definition.

Myself - 15JUN12 DK v2.96
Removed the need for including CSQXSTUB in the linkage step to prevent IEW2456E complaining about missing MQOPEN/MQCLOSE/MQGET and MQPUT1 modules, and to remove the need for using a PDSE as CSQXLOAD. Perhaps all this old stuff should be removed to clean up the source.

STB - xxxxx12 DK v2.97
Replaced LoadRegistry() to automatically support multi-install under Windows. Retrofitted by MrMQ.

Myself - 03JAN13 DK v2.98
Added FAP= check parameter to block connections from older MQ devices, like MQ 5.x clients.

Myself - 01APR13 DK v2.99
Forced initiation of nZOSLoadMem to assure the configuration is read on z/OS V2R1, no matter how Language Environment is configured.

Myself - 09MAR15 DK v3.00
Windows x64 migration. Added filtering on MQCXP for PartnerName to allow additional queue manager filtering.

Myself - 17JUN15 DK v3.01
Extended CON= table from 64 to 256 entries.