Using the SSPI security exit on Windows
This topic describes how to use the SSPI channel-exit programs on Windows systems. The supplied exit code is in two formats: object and source.
Object code
The object code file is called amqrspin.dll. For both client and server, it
is installed as a standard part of IBM® MQ for Windows in the MQ_INSTALLATION_PATH
/exits/INSTALLATION_NAME folder. For example,
C:\Program Files\IBM\MQ\exits\installation2. It is loaded as a standard user exit. You can run the supplied
security channel exit and use authentication services in your definition of the channel.
SCYEXIT('amqrspin(SCY_KERBEROS)')
SCYEXIT('amqrspin(SCY_NTLM)')
SCYDATA('remote_principal_name')
where remote_principal_name is in the form
DOMAIN\user. The secure channel is established only if the
name of the remote principal matches remote_principal_name. To use the supplied channel-exit programs between systems that operate within a Kerberos security domain, create a servicePrincipalName for the queue manager.
Source code
The exit source code file is called amqsspin.c. It is in C:\Program Files\IBM\MQ\Tools\c\Samples.
If you modify the source code, you must recompile the modified source.
You compile and link it in the same way as any other channel exit for the relevant platform, except that SSPI headers need to be accessed at compile time, and the SSPI security libraries, together with any recommended associated libraries, need to be accessed at link time.
cl /VERBOSE /LD /MT /Ipath_to_Microsoft_platform_SDK\include
/Ipath_to_IBM_MQ\tools\c\include amqsspin.c /DSECURITY_WIN32
-link /DLL /EXPORT:SCY_KERBEROS /EXPORT:SCY_NTLM STACK:8192