Introduction to security exits
A security exit forms a secure connection between two security exit programs, where one program is for the sending message channel agent (MCA), and one is for the receiving MCA. The program that initiates the secure connection, that is, the first program to get control after the MCA session is established, is known as the context initiator. The partner program is known as the context acceptor.
The following table shows some of the channel types that are context initiators and their associated context acceptors.
Context initiators and their associated context acceptors

| Context Initiator | Context Acceptor |
| --- | --- |
| MQCHT_CLNTCONN | MQCHT_SVRCONN |
| MQCHT_RECEIVER | MQCHT_SENDER |
| MQCHT_CLUSRCVR | MQCHT_CLUSSDR |

The security exit program has two entry points:
- SCY_NTLM
This uses NTLM authentication services, which provide one-way authentication. NTLM allows servers to verify the identities of their clients. It does not allow clients to verify a server's identity, or one server to verify the identity of another. NTLM authentication was designed for a network environment in which servers are assumed to be genuine.
- SCY_KERBEROS
This uses Kerberos mutual authentication services. The Kerberos protocol does not assume that servers in a network environment are genuine. Parties at both ends of a network connection can verify the identity of the other party. That is, servers can verify the identity of clients and other servers, and clients can verify the identity of a server.
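The following sketch is an added example, not code from IBM MQ or its documentation. It combines the initiator/acceptor table with the two entry points to report which channel ends cannot verify their partner's identity. It assumes the context acceptor plays the NTLM server role, so under SCY_NTLM only the acceptor verifies its partner; the channel names and the record layout are constructed.

```python
# Added example: which channel ends can verify their partner's identity.
# Pairs from the table above: context initiator -> context acceptor.
INITIATOR_TO_ACCEPTOR = {
    "MQCHT_CLNTCONN": "MQCHT_SVRCONN",
    "MQCHT_RECEIVER": "MQCHT_SENDER",
    "MQCHT_CLUSRCVR": "MQCHT_CLUSSDR",
}
ACCEPTOR_TO_INITIATOR = {a: i for i, a in INITIATOR_TO_ACCEPTOR.items()}


def role(chltype):
    """Return 'initiator' or 'acceptor' for a channel type in the table."""
    if chltype in INITIATOR_TO_ACCEPTOR:
        return "initiator"
    if chltype in ACCEPTOR_TO_INITIATOR:
        return "acceptor"
    raise ValueError(f"channel type not in the table: {chltype}")


def can_verify_partner(chltype, entry_point):
    """True if this end of the channel authenticates the other end."""
    this_role = role(chltype)  # also rejects channel types not in the table
    if entry_point == "SCY_KERBEROS":
        return True  # mutual authentication: both ends verify each other
    if entry_point == "SCY_NTLM":
        # Assumption: the acceptor is the NTLM server, so only it verifies.
        return this_role == "acceptor"
    raise ValueError(f"unknown entry point: {entry_point}")


def audit(channels):
    """Return (name, partner type) for each end that cannot verify its partner."""
    findings = []
    for name, chltype, entry_point in channels:
        if not can_verify_partner(chltype, entry_point):
            findings.append((name, INITIATOR_TO_ACCEPTOR[chltype]))
    return findings


# Constructed sample definitions: (channel name, channel type, entry point).
SAMPLE = [
    ("APP.CLIENT", "MQCHT_CLNTCONN", "SCY_NTLM"),
    ("APP.SERVER", "MQCHT_SVRCONN", "SCY_NTLM"),
    ("QM1.TO.QM2", "MQCHT_RECEIVER", "SCY_NTLM"),
    ("QM2.TO.QM3", "MQCHT_RECEIVER", "SCY_KERBEROS"),
    ("CLUS.QM1", "MQCHT_CLUSRCVR", "SCY_NTLM"),
]

if __name__ == "__main__":
    for name, partner in audit(SAMPLE):
        print(f"{name}: cannot verify its {partner} partner under SCY_NTLM")
```

Every end flagged here is an initiator using SCY_NTLM; switching both ends of that channel to SCY_KERBEROS gives each side verification of the other.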