BlockIP2 change history
initial version - 12Dec02 DK v1.00
Myself - 06Jan04 DK v1.10
Improved due to inspiration from T.Rob, Sriniddhi and Peter Potkay
Now we allow more patterns to be specified, separated by semicolon (;); the number
of patterns is limited by the size of the SCYDATA field.
Protection against JMS intruders, or users using mqm or MUSR_MQADMIN.

Michael Dag - 20Jan04 NL v1.11
Changed // comments to /* ... */ comments, as // wasn't suited to the C
compiler on AIX.
Changed the IFDEF to find out WIN32 or UNIX, as UNIX can have 1 CPU as well.
Commented out the #pragma statement, as this wasn't suited to the C compiler
on AIX.
Removed * from string and wild in the wildcmp routine and added [0], as
it didn't work on Solaris.

Myself - 22Jan04 DK v1.12
Problem with a simple pattern (172.22.22.*): this failed due to a design
mistake, which is now solved. The exit should now work as designed.
Log improved to use a real date format instead of internal formats.
Conditional compilation added, so the same source can be compiled on
different platforms. Some other improvements due to the nature of UNIX/Linux,
so the log list is fine.

Myself - 06Feb04 DK v1.14
Problem with missing timestamp in the log solved. Version 1.14.
Problem with pattern matching without a trailing asterisk solved; this problem
was introduced in 1.11.

Myself - 10Feb04 DK v1.15
Added functionality to verify the connecting userid, based on the remote
userid; this matching is also based on wild_cmp(), so wildcards are
allowed. This pattern matching is case sensitive, so was51 is different
from Was51. A check was also added for the right exit invocation; any other exit
will just be terminated.

inspiration:
SCYDATA('10.1.10.*;-n;userids=zz*,yy*')
SCYDATA('10.1.10.*;10.2.11.*;userids=michael,zz*,yy*')

Myself - 15Feb04 DK v1.16
Added functionality to allow the specification rules to be passed in a file;
this file is specified in SCYDATA() like (C:\path\rulefile.txt) or
(/var/mqm/exits/rulefile.txt), depending on your platform.
This allows you to have a rule file per channel, which offers flexibility
to implement various security schemas.
Two extra parameters have been added to SCYDATA: -d and -q. -d is used for
debugging purposes, while -q is quiet mode, where the output is very
reduced (only one line per attempt to connect).

Myself - 16Feb04 DK v1.17
A serious user-validation error was introduced in 1.16 which only allowed usage
of FN= mode. The error is corrected (I hope), and my tests show it works.
Enhanced error reporting and control of filters, while still being restrictive
so that a failure doesn't open the connection.

Myself - 20Feb04 DK v1.18
The exit is now able to allow blank lines and empty lines in the security specification file.

Myself - 28Feb04 DK v1.20
Implemented validation for SSL objects, so we can have a pattern matching CN=ibmwebspheremqQM*, and have the option to block some CNs.

The following options are implemented:
SSL=CN=ibmwebspheremqQSJHPT01,MCA=user;   change MCAUSER for this CN
SSL=CN=ibmwebspheremq*,MCA=*;            allow all connections from ibmwebsphere*
SSL=CN=*;BLOCK;                          refuse all connections
SSL=CN=*;MCA=NoBody;                     set MCAUSER for CNs not matching

Myself - 05mar04 DK v1.21
The logic of the exit has been changed so it's no longer possible to penetrate this exit by using an exit on the client end to send a sec_msg and get a connection-accepted status.
This design mistake would leave the channel open to almost anybody who was capable of creating a client security exit.

Myself - 21mar04 DK v1.22
Added functions to specify a connectionname/userid match, so we can combine
the security features. This matching feature only works in FN= mode, where
the connectionname/userid is specified using the CON= keyword:
CON=<conname>;<userids>[;MCA={*|userid}];
CON=10.11.12.*;u*;MCA=sysoper;
CON=192.162.1.14;zz*;
The list is searched for the first match of connectionname+userid, which means it's very
important to specify the options in the right order.
If you specify:
CON=*;*;MCA=root;
CON=162.12.*;peter;
the result is that all incoming connection attempts will have MCAUSER forced to "root", even "peter", because all connections+userids will match *;*;. You see the point?

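The first-match CON= evaluation described above, together with the wildcard comparison that the Patterns=, userids= and SSL=CN= entries all rely on, as an added example in C. This is not BlockIP2's own source: the type and function names (con_rule, wildcmp, wildcmplist, parse_con_rule, evaluate_con) are assumptions, the rule lines and connection attempts are constructed, and it refuses on no match and on a syntax error, which is the deny-by-default behaviour the later entries describe.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not BlockIP2's own source: a minimal model of first-match
 * CON= evaluation. Type and function names here are assumptions. */
#define MAX_FIELD 64
enum verdict { V_BLOCK = 0, V_ALLOW = 1 };

struct con_rule {
    char conname[MAX_FIELD]; /* connection-name pattern, e.g. "10.11.12.*" */
    char userids[MAX_FIELD]; /* comma-separated userid patterns, e.g. "u*,peter" */
    char mca[MAX_FIELD];     /* "" keep channel MCAUSER, "*" take remote userid,
                                "BLOCK" refuse, anything else is the forced MCAUSER */
};

/* Glob match: '*' is any run, '?' one character. Case sensitive, as the
 * page notes ("was51" is different from "Was51"). */
int wildcmp(const char *pat, const char *s)
{
    if (*pat == '\0') return *s == '\0';
    if (*pat == '*') {
        for (;; s++) {
            if (wildcmp(pat + 1, s)) return 1;
            if (*s == '\0') return 0;
        }
    }
    if (*s == '\0') return 0;
    if (*pat == '?' || *pat == *s) return wildcmp(pat + 1, s + 1);
    return 0;
}

/* Copy the next delim-separated field of *p into out; 0 when nothing is left. */
static int next_field(const char **p, char delim, char *out, size_t outlen)
{
    const char *end = strchr(*p, delim);
    size_t n = end ? (size_t)(end - *p) : strlen(*p);
    if (**p == '\0' || n >= outlen) return 0;
    memcpy(out, *p, n);
    out[n] = '\0';
    *p = end ? end + 1 : *p + n;
    return 1;
}

/* True if s matches any pattern in a list such as "michael,zz*,yy*". */
int wildcmplist(const char *list, const char *s)
{
    char pat[MAX_FIELD];
    while (next_field(&list, ',', pat, sizeof pat))
        if (wildcmp(pat, s)) return 1;
    return 0;
}

/* Parse "CON=<conname>;<userids>[;MCA={*|userid}|BLOCK];". Returns 0 on a
 * syntax error, so a bad rule line refuses connections instead of opening them. */
int parse_con_rule(const char *line, struct con_rule *r)
{
    char opt[MAX_FIELD];
    if (strncmp(line, "CON=", 4) != 0) return 0;
    line += 4;
    memset(r, 0, sizeof *r);
    if (!next_field(&line, ';', r->conname, MAX_FIELD) || !r->conname[0]) return 0;
    if (!next_field(&line, ';', r->userids, MAX_FIELD) || !r->userids[0]) return 0;
    if (next_field(&line, ';', opt, sizeof opt)) {
        if (strncmp(opt, "MCA=", 4) == 0 && opt[4] != '\0') strcpy(r->mca, opt + 4);
        else if (strcmp(opt, "BLOCK") == 0) strcpy(r->mca, "BLOCK");
        else return 0;
    }
    return 1;
}

/* First match wins: the first rule whose conname and userid patterns both match
 * decides; no matching rule means refuse (deny by default). On V_ALLOW, mcauser
 * receives the effective MCAUSER for this channel instance. */
int evaluate_con(const struct con_rule *rules, int nrules, const char *conname,
                 const char *userid, const char *chl_mcauser, char *mcauser, size_t mlen)
{
    int i;
    if (userid[0] == '\0') return V_BLOCK; /* AllowBlankUserID=N behaviour */
    for (i = 0; i < nrules; i++) {
        const struct con_rule *r = &rules[i];
        if (!wildcmp(r->conname, conname) || !wildcmplist(r->userids, userid)) continue;
        if (strcmp(r->mca, "BLOCK") == 0) return V_BLOCK;
        snprintf(mcauser, mlen, "%s", r->mca[0] == '\0' ? chl_mcauser
                                    : strcmp(r->mca, "*") == 0 ? userid : r->mca);
        return V_ALLOW;
    }
    return V_BLOCK;
}

int main(void)
{
    /* Constructed rule sets: the second reproduces the ordering pitfall above. */
    const char *sets[2][2] = { { "CON=162.12.*;peter;", "CON=*;*;MCA=root;" },
                               { "CON=*;*;MCA=root;",  "CON=162.12.*;peter;" } };
    struct con_rule rules[2];
    char mca[MAX_FIELD];
    int s, i, v;
    for (s = 0; s < 2; s++) {
        for (i = 0; i < 2; i++)
            if (!parse_con_rule(sets[s][i], &rules[i])) return 1;
        v = evaluate_con(rules, 2, "162.12.5.7", "peter", "chluser", mca, sizeof mca);
        printf("set %d: peter@162.12.5.7 -> %s, MCAUSER=%s\n", s, v ? "ALLOW" : "BLOCK", mca);
    }
    return 0;
}
```

Run as-is it prints the verdict for both orderings of the two rules: with the specific rule first, peter keeps the channel's own MCAUSER; with the wildcard rule first he is forced to root, which is the ordering trap warned about above. Keep catch-all CON=*;*; rules at the bottom of the file, put BLOCK rules for addresses or ids you never want in above any broader allow, and treat a parse failure as a refusal rather than a pass.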
Myself - 07jun04 DK v1.23
Problem with handling non-generic CON= statements, due to bad parsing.
The problem was that only the first 32 chars were checked for a match.

Sid Young - 22mar04 AU v2.00
Complete re-write and restructure of code.
Changed logic to deny all and only accept if all required conditions are met.
Added enhanced logging capability.

Sid Young - 29mar04 AU v2.01
Added code to support channel and user name stamping in the log file name.
Found a typo in ProcessLine(). Tested OK.

Myself - 30mar04 DK v2.10
Retrofitted some code to create a Windows version of the program that could
be loaded, and to allow compatibility with old versions that work without a
rule file. Restrictions added so connections will be refused on failure in
rule/parameter specifications, because my auto test passed many connection
attempts that should have been blocked by the rules.

Testing, Testing and even more testing.......

Myself - 22may04 DK v2.11
Some editorial changes to allow compilation under AIX without problems.
UNIX logging changed, so misspecified log information will still result in logging,
with the spec bypassed. LogDirecty removed and replaced with LogPath, for
compliance between environments.

Testing, Testing and even more testing.......

Myself - 29may04 DK v2.12

Reporting of refused connections added to the log, so we can see who is trying to get in; this had disappeared on Patterns= and CON= mismatch. This is fixed, so we can continue.
UseridUpperLowerCase= introduced. Default is case sensitive, to be compatible with older versions. To ignore case, use UseridUpperLowerCase=*. Any other value is invalid.
BlockUsers= added, so we now can use a negative list, but still with precedence of
CON= and SSL=, meaning that we can change an incoming user to a blocked user!

Testing, Testing and even more testing.......

Myself - 7jun04 DK v2.13

Better error reporting on bad file name (FN=) specification.

Neil Casey - 3aug04 AUS v2.13nwc
No change to functionality at all, but added Windows compiler information so
that external link directives are not required, and added MVS directives to
allow generation of an MVS-targeted exit. File specifications on MVS can be
//DD:JCLNAME or UFS hierarchical names (i.e. UNIX names).
Also fixed issues with ConnectionNames. The code was using EXIT_NAME_LENGTH to
get a value for the length of the ConName. This doesn't work on MVS, where the
exit name length is 8. Changed all references to use the MQ-defined constant
MQ_CONN_NAME_LENGTH.

Myself - 5aug04 DK v2.14
Validation of the SCYDATA field is enhanced, so error reporting on specifying FN=file is
enhanced. If the keyword FN= is not specified, it's mandatory that SCYDATA contains either
an asterisk (*), a question mark (?) or a pattern starting with 0-9, due to the fact
that the latest problems reported are in this area of bad specification.
Hard brackets ([]) are changed in the z/OS implementation to (<>), so it becomes
readable in non-English environments. Controlled with the -z option in SCYDATA().

Neil Casey - 10aug04 DK v2.13nwc2
Extended maximum pattern lengths to 256 characters. Changed the logic for building
the pattern strings so that multiple Pattern= or User= etc. lines add to the
previously built string, instead of overwriting it. This is a function change
which makes this version behave differently when faced with multiple lines of data,
which previously just used the last data found.

Myself - 29may04 DK v2.15
Just a small one... together with a small code change for Solaris so that the
timestamp is printed too. This is done using wcsftime...

Neil Casey - 24Aug04 v2.16
Remove the wcsftime call. The parameter passed to it (char*) by the code did
not match the expected parameter (wchar*). The timestamping works fine on Solaris
without this mod. Remove some commented-out code which was for debugging.
Reformat source indenting.

Myself - 08Feb05 DK v2.17
A small change to setting MCAUSER based on CON= control; z/OS
will have a field filled with trailing spaces. Added RespectMCA keyword.

Myself - 21Apr05 DK v2.18
Handling of SEC_PARMS added as part of WMQ 6.0 support.

Myself - 24Apr05 DK v2.20
Added support for max connections on a given channel.
New keyword: MAXCHL=ChannelName;MaxConnections; was added.
This is currently not supported on WebSphere MQ for z/OS.

Myself - 03May05 DK v2.21
PWD= parm added to CON=, for simple password validation; there is encryption on the PW exchange. It must be supplied on an MQXR_SEC_MSG call.
If PWD is applied and the user matches, we'll request the pw....
CON=<conname>;<userids>[;PWD=<password>][;{MCA={*|userid}|BLOCK}];
Problem with userid check in CON= fixed.
Wildcard compare extended with character range, numeric and alpha patterns, to enhance filtering capabilities.
AllowBlankUserID added. Default is changed so we don't allow blank userids anymore.
Internal version ONLY.

Myself - 05May05 DK v2.22
MAXCHL= now supported on z/OS.

WebSphere MQ Client exit added with basic support, executables only.

Myself - 1Jul05 DK v2.30
PWD= removed from CON= together with the client exit.

Problem with reentrant code changed, so it should be reentrant.
Syntax check of parameter specification is improved.

Myself - 11Sep05 DK v2.31
strtok changed to strtok_r for non-Windows implementations to deal with
reentrant code problems. This should help make it more stable.

Myself - 23Sep05 DK v2.32
MAXCHL for UNIX changed to use shared memory for performance reasons.

Myself - 25Oct05 DK v2.35
OS/400 support added (bypass strtok_r) and handling of a new print model.
New OS/400 entry point (int main()) added with conditional compile.

Myself - 14Nov05 DK v2.36
Handling of semaphores in LockSpecSem() fixed.

Myself - 14Nov05 DK v2.37
Connection refused message enhanced with conname and channelname.

Myself - 12Dec05 DK v2.38
"Connection refused, Pattern string is too long, max." This message wasn't showing the resulting message length, just the current one, so when concatenating patterns we had an issue. This was also fixed for userids.

Myself - 25Jan06 DK v2.39
Porting for Linux AMD64. Various definitions changed.

Myself - 5Feb06 DK v2.40
Problem with UNIX shared memory mgmt. solved.

Myself - 13Feb06 DK v2.41
Problem when a config file contains garbage and MQXR_TERM is invoked and returns a failure. This was seen on WIN2K3.

Myself - 14Feb06 DK v2.42
Logging to the EventLog added on Windows. Currently all events are logged. A switch will be added to SCYDATA to control this feature.

Myself - 18Feb06 DK v2.43
A cleanup procedure was needed for getActualCurrentNumberOfRunningChannels to clean up allocated "databags"; mqDeleteBag must be included in the Windows edition to prevent a storage leak.

Myself - 1Mar06 DK v2.44
Added support for shared memory on Windows. This is implemented using a separate program, BlockIP2S, that initializes the Shared Memory Segment (SMS). There is a detached BlockIP2S per queue manager running with BlockIP2 (when the channel limiter is activated). The storage leak from the pre-2.44 version is also solved; this applied only to the delivered Windows DLL, due to a compilation problem. Serialisation was added in Windows to handle logfile contention. This is also included in the control of SMS and BlockIP2S.

Myself - 1Mar06 DK v2.45
Shared memory naming changed to support HACMP and other MA special settings. The shm name under *NIX is now based on /var/mqm/mqs.init.

Myself - Apr06 DK v2.46-2.48
Added logic to handle cycling of logfiles, to prevent filling up filesystems.
Controlled by:
LogCount=nn; number of versions (between 3 and 99).
LogSize=nnnnnnn; size of the logfile before switching. Min 100KB.
The default LogDrive and LogPath log path is changed on Windows to conform with the UNIX implementation, so we use the Windows settings. And FileName is extended with "001" to allow circular logging.

Myself - Apr06 DK v2.50
Pattern matching extended to allow an embedded *; this means that the generic specs may look like this: Patterns=123.*.123; SSL=CN=ibmwebspheremq*T01,MCA=user;
ASC=Y/AllowSelfSignedCertificates=Y added.
SSL=[C=,][L=,][O=,][OU=,]CN=;[[MCA={userid|role|*};]|[BLOCK;]] some examples:
TERM=N/Y for controlling print of the termination message.
MAX_SSL raised to 256 and MAX_PL to 1024*4.

Myself - Apr06 DK v2.51
wildcmplist() problem fixed.

Myself - Apr06 DK v2.52
messlen and buflen changed from long to MQLONG in deductStatusQ and getActualCurrentNumberOfRunningChannelszOS.

Myself - May06 DK v2.53
Support for BLANK_USERID added; changes were made in CheckUserId() and CheckCONList() to obtain the wanted functionality.
Implementation of hostname support done in CheckConnectionPattern().
Deleted many compile warnings to get a clean compilation list without warnings.

Myself - May06 DK v2.55
Storage leak on z/OS solved, together with DNS lookup on z/OS.

Myself - Aug06 DK v2.56
Problem with errors in spec. files solved: "AMQ9190 The user exit ... invoked for ..
with id '11' and reason '12', returned values that are not valid, as reported in the preceding messages.
The channel stops."
Detection for IY86343 added.

Myself - May06 DK v2.57
Problem with accepted CON= where there is no CON= that should give the auth.

Hubert Kleinmanns - Oct06 DK v2.56a
Fixed a problem in function 'CheckSSLList'. BlockIP2 exited in this function with a zero-length 'SSLRemCertIssNamePtr' in structure 'pChannelExitParams'. This problem occurred on Solaris SPARC systems with MQ v6.

Myself - Dec06 DK v2.60
Implementation of an additional specification file for configuration.
BlockIP2 looks by default for /var/mqm/exits/BlockIP2.ini or ExitPath\BlockIP2.ini on the distributed platforms if FN= is not specified. This is implemented to ease distribution in complex installations, so a generic specification can be used.

The NEW syntax of the BlockIP2.ini is documented in the manual.
If the file is not present or cannot be read due to an access violation, it's treated as not found and BlockIP2 continues as before.


Myself - Mar07 DK v2.62
*NIX problem in ProcessMQSiniFile_qm_ini solved when looking for BlockIP2.ini.
Problem with file cycle solved for dist. platforms.

Myself - Apr06 DK v2.64
Complex SSL filtering problems solved. Added ST= and PC= in the SSL filtering to be compliant with gsk7cmd and runmqckm and their capabilities.
Problem with FNx= fixed. Reason was premature release of storage.

Myself - May07 DK v2.66
Problem with the connection limiter solved when controlled by BlockIP2.ini.

New feature to extract MCAUSER from the SSL DN added.

*NIX storage leak caused by localtime and gethostbyname fixed by using the _r implementation of the functions.


Myself - Jun07 DK v. 2.67
Problem with FN= and file-not-found abend solved.
Problem with QMGR= and CHANNEL= logic solved. The CHANNEL= stmt didn't look for a previously accepted channel.
ENV changed to show platform information, like MVS, AIX, Linux, WIN etc.
Added #pragma to disable _POSIX warning 4996 for fileno.

Myself - Jun07 DK v. 2.68
Support for AS/400 implemented... and it's working....
Extended to use shared storage and DNS support.

Myself - Jul07 DK v. 2.69
Sporadic errors solved for Solaris and others.
Limit on CON_MAX enforced; BLOCKIP-68E added.

Myself - Mar08 DK v. 2.70
Security problem with Windows 2003 solved, changed in BlockIP2 and BlockIP2S.
Extended error reporting in starting Windows SHM and registry load.
SYSLOGFCLTY= and SYSLOGPRTY= added for UNIX to control syslog().
syslog_r() added for AIX for better thread safety.

Show the name of the BlockIP2.ini in the -d option, to ease configuration troubleshooting.

Report the open reason for failed file operations (fopen() errno):
"BlockIP2 failed to open the specified logfile []" and others.


Myself - Oct08 DK v. 2.71
Changed some sprintf() to snprintf() to avoid stack crashes.
Added thread id to identify the corresponding requests and answers.

Myself - Oct08 DK v. 2.72
Added CloseHandle(mutex) to prevent loss of handles, and to keep the stuff running for long periods of time.

Myself - Oct08 DK v. 2.73
Changed the connection table size to 64KB from 2, giving room for 1500 channels.

Myself - Jan09 DK v. 2.74
Changed LOGDEBUG1 to LOGDATA for no space in chltable for the UNIX impl.
Channel struct changed to BlockIP2.2a to assure compliance with the old version, and now contains SHMMAX_CHL.

Myself - Mar09 DK v. 2.75
Suppress TERM note when quiet mode is selected.
AllowBlankUserID=N added to comply with the book....

Myself - Mar09 DK v. 2.76
Added support for longer WTO messages on z/OS. Problem with BLOCKIP2-I50 and CONNAME print solved. z/OS will now allow changing the channel limiter threshold after first-time usage.
Added support for WTOPFX under z/OS for WTOs, to comply with CA tools...

Myself - Jun09 DK v. 2.77
Support for allowing the MCAUSER specified on the channel to be overridden by the incoming
userid; this is done with MCA=* on the CON= statement.

Myself - Jul09 DK v. 2.78
BlockMqmUsers=N added to comply with the book....
Problem with CON= and hostnames solved. The username and MCA were removed due to a logic error.
Need for mqm linkage removed for most platforms.

The following are trademarks of International Business Machines Corporation:
IBM, MERVA, MQSeries, WebSphere, WBIFN, Object REXX, AIX

Copyright 2002, 2007 MrMQ.dk formerly(M-Invent). All rights are reserved.
Last updated: 2009.07.11.