PeterPotkay
Posted: Sat Nov 01, 2014 5:33 pm
Post subject: CHLAUTH to check IP address AND the client user
I wanted to create a CHLAUTH rule that only allows a connection if it comes from a specific IP address and by a specific user, but there is no way to get both of those conditions in one CHLAUTH command.
I have to do this:
Code:
SET CHLAUTH('MYCHANNEL') TYPE(ADDRESSMAP) ADDRESS('111.222.33.44') USERSRC(MAP) MCAUSER('cooldude') ACTION(REPLACE)
SET CHLAUTH('MYCHANNEL') TYPE(USERMAP) CLNTUSER('peter') USERSRC(MAP) MCAUSER('cooldude') ACTION(REPLACE)

But then it allows the connection and maps to cooldude if the connection comes from that client user OR from that IP.
Is there any way to make it happen so it has to be that client user AND that source IP?
_________________
Peter Potkay
Keep Calm and MQ On
smdavies99
Posted: Sat Nov 01, 2014 10:47 pm
I know that Morag will probably disagree with this, but it might be worth exploring:
1) Create a rule on the Listener to filter the IP address.
2) Create the rule on the Channel to filter the User.
If what you need is not possible without using the listener, then I guess that it will be time for (yet) another RFE.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
fjb_saper
Posted: Sat Nov 01, 2014 11:54 pm
To set the rule for the channel with IP and user:
- First set a backstop blocking all IPs.
Careful: if you make the backstop too generic (*), it may also affect other channels that will then have to be authorized (receiver, cluster receiver)...
- Create a specific rule (channel) to allow the user and specify the IP (wizard):
Code:
SET CHLAUTH('PETER') TYPE(USERMAP) CLNTUSER('peter') USERSRC(MAP) MCAUSER('mcauser_Peter') ADDRESS('127.0.0.1') DESCR('See for peter on local host') ACTION(ADD)

Note that with V8 you may have to create the same rule replacing the IP address with the host name, depending on your settings.
Have fun
_________________
MQ & Broker admin
PeterPotkay
Posted: Sun Nov 02, 2014 5:42 am
Thanks FJ!
I was trying to add a CLNTUSER to an ADDRESSMAP rule and it wouldn't take it. It was late last night and I didn't think to try what you suggested: add the IP address into a USERMAP rule.
I think this should work even without the backstop rule.
First I defined MYCHANNEL and placed an invalid ID in the MCAUSER called BOGUS_ID_991.
Then I ran the CHLAUTH command like this:
Code:
SET CHLAUTH('MYCHANNEL') TYPE(USERMAP) CLNTUSER('peter') USERSRC(MAP) MCAUSER('cooldude') ADDRESS('111.222.33.44') ACTION(REPLACE)
1 : SET CHLAUTH('MYCHANNEL') TYPE(USERMAP) CLNTUSER('peter') USERSRC(MAP) MCAUSER('cooldude') ADDRESS('111.222.33.44') ACTION(REPLACE)
AMQ8877: WebSphere MQ channel authentication record set.

Let's test.
What happens when neither the IP nor the client user is correct?
Code:
DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('10.222.33.44') CLNTUSER('frankie')
3 : DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('10.222.33.44') CLNTUSER('frankie')
AMQ9783: Channel will run using MCAUSER('BOGUS_ID_991').

Blocked - correct.
What happens when the IP address is correct but the client ID is wrong?
Code:
DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('111.222.33.44') CLNTUSER('frankie')
2 : DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('111.222.33.44') CLNTUSER('frankie')
AMQ9783: Channel will run using MCAUSER('BOGUS_ID_991').

Blocked - correct.
What happens when the client ID is correct but the IP address is wrong?
Code:
DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('10.222.33.44') CLNTUSER('peter')
5 : DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('10.222.33.44') CLNTUSER('peter')
AMQ9783: Channel will run using MCAUSER('BOGUS_ID_991').

Blocked - correct.
What happens when it's the correct ID coming from the correct IP?
Code:
DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('111.222.33.44') CLNTUSER('peter')
6 : DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('111.222.33.44') CLNTUSER('peter')
AMQ8878: Display channel authentication record details.
CHLAUTH(MYCHANNEL) TYPE(USERMAP)
ADDRESS(111.222.33.44) CLNTUSER(peter)
MCAUSER(cooldude)

Success!
I don't have the backstop rule on this QM because every incoming channel either has an invalid ID in the MCAUSER (like this test channel), and/or the Capitalware MQAUSX Security Exit is running in Authentication mode on the channel.
I think this will do it - the channel will only run if it comes from the correct IP address AND the correct client user.
Many thanks FJ! This particular client can't / won't use SSL or MQAUSX, so CHLAUTHing them against both IP and ID was desirable.
_________________
Peter Potkay
Keep Calm and MQ On
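The OR-versus-AND difference between the two rule shapes in this thread, as an added, constructed model (not code from the thread or from IBM MQ): `runcheck` plays the role of DISPLAY CHLAUTH ... MATCH(RUNCHECK) over a small rule list, so the four RUNCHECK cases above can be replayed against both the original two-rule setup and the single USERMAP rule with an ADDRESS restrictor. It assumes exact-match addresses, only USERMAP/ADDRESSMAP rules with USERSRC(MAP), and ignores the other CHLAUTH types, BLOCKADDR/BLOCKUSER and the queue manager's default rules.

```python
# Added example: simplified model of CHLAUTH matching for the two rule shapes
# discussed in the thread. Not IBM MQ's evaluation engine; see lead-in for scope.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    chlauth: str                    # channel name the rule applies to
    rtype: str                      # 'USERMAP' or 'ADDRESSMAP'
    mcauser: str                    # identity the channel runs under on a match
    clntuser: Optional[str] = None  # CLNTUSER attribute (USERMAP only)
    address: Optional[str] = None   # ADDRESS attribute, or a restrictor on USERMAP

    def matches(self, address: str, clntuser: str) -> bool:
        # Every attribute the rule specifies must match. An ADDRESS on a USERMAP
        # rule is therefore a restrictor: user AND address are both required.
        if self.clntuser is not None and self.clntuser != clntuser:
            return False
        if self.address is not None and self.address != address:
            return False
        return True

def runcheck(rules: List[Rule], channel: str, address: str, clntuser: str,
             channel_mcauser: str) -> str:
    """Return the MCAUSER the channel would run under for this connection.
    USERMAP rules are checked before ADDRESSMAP, following CHLAUTH's type
    precedence; with no matching rule the channel's own MCAUSER applies."""
    for rtype in ("USERMAP", "ADDRESSMAP"):
        for r in rules:
            if r.chlauth == channel and r.rtype == rtype and r.matches(address, clntuser):
                return r.mcauser
    return channel_mcauser

# Constructed to mirror the thread: placeholder IPs as posted, invalid ID on the channel.
CHANNEL_MCAUSER = "BOGUS_ID_991"
OR_RULES = [   # two separate rules: matching either one is enough (the original problem)
    Rule("MYCHANNEL", "ADDRESSMAP", "cooldude", address="111.222.33.44"),
    Rule("MYCHANNEL", "USERMAP", "cooldude", clntuser="peter"),
]
AND_RULES = [  # one USERMAP rule carrying ADDRESS as a restrictor (the fix)
    Rule("MYCHANNEL", "USERMAP", "cooldude", clntuser="peter", address="111.222.33.44"),
]

if __name__ == "__main__":
    for addr, user in [("10.222.33.44", "frankie"), ("111.222.33.44", "frankie"),
                       ("10.222.33.44", "peter"), ("111.222.33.44", "peter")]:
        print(f"{addr:>14} {user:<8} two rules -> "
              f"{runcheck(OR_RULES, 'MYCHANNEL', addr, user, CHANNEL_MCAUSER):<13}"
              f" restrictor -> {runcheck(AND_RULES, 'MYCHANNEL', addr, user, CHANNEL_MCAUSER)}")
```

With the two-rule setup the second and third cases still map to cooldude, which is exactly the OR behaviour the first post complains about; with the restrictor rule only the last case does.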
fjb_saper
Posted: Sun Nov 02, 2014 9:13 pm
Glad it works for you.
Putting an invalid mcauser on the channel is like backstopping...
I used the IP backstop because I allowed the user on the channel without specifying an mcauser. It has to be populated because of the non-privileged rule.
But the risk if you don't IP-backstop is that anybody with authorization on the qmgr and a non-privileged ID can use the channel when coming from any IP.
This is moot as you are using an unauthorized mcauser ID as the default and map all authorized users...
Have fun
_________________
MQ & Broker admin
Michael Dag
Posted: Sat Nov 15, 2014 11:14 am
PeterPotkay wrote:
Many thanks FJ! This particular client can't / won't use SSL or MQAUSX, so CHLAUTHing them against both IP and ID was desirable.

Good reason to get to V8: native authentication will solve that and will keep your channels safe from unauthenticated users.
_________________
Michael
MQSystems Facebook page
hughson
Posted: Wed Nov 19, 2014 2:24 am
PeterPotkay wrote:
What happens when it's the correct ID coming from the correct IP?
Code:
DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('111.222.33.44') CLNTUSER('peter')
6 : DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('111.222.33.44') CLNTUSER('peter')
AMQ8878: Display channel authentication record details.
CHLAUTH(MYCHANNEL) TYPE(USERMAP)
ADDRESS(111.222.33.44) CLNTUSER(peter)
MCAUSER(cooldude)

Success!
I think this will do it - the channel will only run if it comes from the correct IP address AND the correct client user.

Yup - this is what we call an address restrictor. You can add ADDRESS to any of TYPE(USERMAP), TYPE(QMGRMAP) and TYPE(SSLPEERMAP). See Restricting the mappings.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Anant.v
Posted: Tue Sep 26, 2017 11:43 am
Hi Peter,
Apologies for opening up an old thread.
We are also using the MQAUSX security exit. Is there a way in it to specify that a successful connection will only occur if a specific user tries to connect from a specific IP?
We are not in a position to utilize CHLAUTH for this particular qmgr.
RogerLacroix
Posted: Fri Sep 29, 2017 2:37 pm
Anant.v wrote:
Hi Peter,
Apologies for opening up an old thread.
We are also using the MQAUSX security exit. Is there a way in it to specify that a successful connection will only occur if a specific user tries to connect from a specific IP?
We are not in a position to utilize CHLAUTH for this particular qmgr.

It would be far, far better to send your MQAUSX questions to support@capitalware.com, as I'll answer them immediately rather than you waiting for me or anyone else to answer them here.
The MQAUSX download archive includes all of the manuals, and you can find the latest manuals here: http://www.capitalware.com/mqausx_manuals.html
Open the MQAUSX Server-side Installation and Operation manual and go to the section called "Allow or Restrict the Incoming UserID". In the current version of the manual, it is section 5.15. To allow only certain UserIds, you need to use the following keywords:
Code:
UseAllowUserID=Y
AllowUserID=fred;barney;wilma;betty

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter