Queue-based security - connection reuse

When data is sent between a queue manager and a remote queue, the queue manager opens a connection to the remote queue manager that owns the queue. By default, if the remote queue is protected, for example with a cryptor, the connection is given exactly the same level of protection as the queue. To reduce the number of connections open concurrently, the queue manager can reuse an existing connection if its level of protection is adequate. If none of the connections has a suitable level of protection, the queue manager can also change the level of protection on an existing connection to match that required for the queue. The default behavior can be changed by using attribute rules on both the queue and the connection. These rules apply to the attribute on the queue (and connection); they are not the same as queue rules.

The C Bindings code API does not support attribute rules written in C. However, users can write their own rules in Java. An example Java rule, examples.rules.AttributeRule, is provided.

While the examples.rules.AttributeRule provides practical defaults, there may be a solution-specific reason why different behavior is required. You can modify the way connections are reused by extending or replacing the default examples.rules.AttributeRule with rules that define the desired behavior.

If attribute rules are defined for the queue, the queue manager uses the rules to decide whether an existing connection has sufficient protection for the queue. If the equals() function in the rules returns true, the connection can be used. WebSphere MQ Everyplace provides an example rule, examples.rules.AttributeRule, that can be used on the queue. This rule allows a connection to be used for a queue if the following conditions are met:

The example rules define "better" for a cryptor to mean:

If none of the existing connections has sufficient protection for the queue, the queue manager checks if any of the connections can be upgraded to the required level. If attribute rules are defined for the connection, the permit() function is used to determine this. The examples.rules.AttributeRule uses the following criteria:

Before allowing connection reuse, the target queue uses its current AttributeRule equals() function to determine if the connection attribute can provide an appropriate level of protection for the target queue. This provides protection against inconsistency in the queue attribute rules on the local and target queue managers.
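
The decision sequence described above (reuse check with equals(), upgrade check with permit(), then the target queue's own equals() check), shown as an added Java model; it is not IBM's examples.rules.AttributeRule and uses no MQe classes. The Protection ordering, the STRICT and LAX rules, and opening a new connection as the fallback are assumptions made for illustration.

```java
import java.util.List;

// Hypothetical model of the reuse decision; none of these types are MQe classes.
public class ConnectionReuseModel {
    // Constructed strength ordering; the product's own definition of "better" is not modeled.
    enum Protection { NONE, WEAK_CRYPTOR, STRONG_CRYPTOR }

    interface Rule {
        boolean equals(Protection queue, Protection conn);     // is conn adequate for queue?
        boolean permit(Protection current, Protection wanted); // may conn be changed to wanted?
    }

    // Assumed policy: adequate means at least as strong; only upgrades are permitted.
    static final Rule STRICT = new Rule() {
        public boolean equals(Protection q, Protection c) { return c.compareTo(q) >= 0; }
        public boolean permit(Protection cur, Protection w) { return w.compareTo(cur) >= 0; }
    };
    // Constructed misconfiguration: a rule that accepts any connection.
    static final Rule LAX = new Rule() {
        public boolean equals(Protection q, Protection c) { return true; }
        public boolean permit(Protection cur, Protection w) { return true; }
    };

    static String decide(Protection queue, List<Protection> conns,
                         Rule localQueueRule, Rule connRule, Rule targetQueueRule) {
        // Step 1: the local queue rule looks for an adequately protected connection.
        for (Protection c : conns) {
            if (localQueueRule.equals(queue, c)) {
                // Step 3: the target queue re-checks with its own rule before reuse.
                return targetQueueRule.equals(queue, c)
                        ? "reuse " + c : "refused by target: " + c;
            }
        }
        // Step 2: otherwise the connection rule decides whether one can be upgraded.
        for (Protection c : conns) {
            if (connRule.permit(c, queue)) return "upgrade " + c + " -> " + queue;
        }
        return "open new connection at " + queue; // assumed fallback
    }

    public static void main(String[] args) {
        List<Protection> open = List.of(Protection.NONE, Protection.WEAK_CRYPTOR);
        System.out.println(decide(Protection.WEAK_CRYPTOR, open, STRICT, STRICT, STRICT));
        System.out.println(decide(Protection.STRONG_CRYPTOR, open, STRICT, STRICT, STRICT));
        // Lax local rule, strict target rule: the target-side check blocks the reuse.
        System.out.println(decide(Protection.STRONG_CRYPTOR, open, LAX, STRICT, STRICT));
    }
}
```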

Attribute rules are set on a queue when it is created or modified using administration messages. Attribute rules are set on connections by defining an alias on ChannelAttrRules. For example, the following pseudo-code shows how to make a queue manager use examples.rules.AttributeRule.

mqe_alias(pErrorBlock, MQeString("ChannelAttrRules"), 
          MQeString("examples.rules.AttributeRule"));

It is possible to run without setting ChannelAttrRules, but this mode of operation is not recommended.



© IBM Corporation 2000, 2003. All Rights Reserved