Channel Auth rule to bypass connauth
Mo
Posted: Mon Jan 27, 2025 3:12 pm    Post subject: Channel Auth rule to bypass connauth
Novice
Joined: 02 Apr 2010    Posts: 17    Location: IL USA

I know we can have a channel auth to set the channel to provide a password for authentication when the connauth is set to OPTIONAL.
But I am wondering if we can have a way to ignore the connauth being set to REQUIRED for a specific server connection channel. That is, an app using one specific channel can connect to a Qmgr even with a bad pwd when the connauth is set to either OPTIONAL or REQUIRED.
zpat
Posted: Tue Jan 28, 2025 1:54 am    Post subject:
Jedi Council
Joined: 19 May 2001    Posts: 5866    Location: UK

It would be useful to have this option. I expect many older QMs (especially mainframes) do not have connauth enabled. The problem is that there is no way to exempt certain userids or channels from it.
Therefore switching it on would cause older apps which are using invalid passwords to fail. Back in the days when passwords were not checked, applications could (and did) code anything.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Mo
Posted: Tue Jan 28, 2025 4:58 am    Post subject:
Novice
Joined: 02 Apr 2010    Posts: 17    Location: IL USA

zpat wrote:
> It would be useful to have this option. I expect many older QMs (especially mainframes) do not have connauth enabled. The problem is that there is no way to exempt certain userids or channels from it.
> Therefore switching it on would cause older apps which are using invalid passwords to fail. Back in the days when passwords were not checked, applications could (and did) code anything.

We are in this exact situation at this time. A shared Qmgr needs connauth to be turned on, but a few apps connecting to this qmgr do not have the cycles/funds to do any testing or do not want to make changes as they are scheduled for sunset.
RogerLacroix
Posted: Tue Jan 28, 2025 3:53 pm    Post subject:
Jedi Knight
Joined: 15 May 2001    Posts: 3264    Location: London, ON Canada

<Vendor_Plug>
Capitalware has a solution called MQAUSX (MQ Authenticate User Security Exit) that can solve your issue(s), and MQAUSX is highly configurable. It has been available since 2005 (long before connauth was introduced in MQ v8.0).
1. You can pick and choose which channels have full authentication or support UserIds only (no password). You can even have some channels connect without UserId & Password; an IP filter can be used for verification.
2. You can pick and choose which channels will perform local OS authentication vs LDAP authentication (MS AD on Windows) or, on Unix/Linux, which channels support PAM. It also supports File-Based-Auth, which is entirely controlled by the MQAdmin and is modelled after Unix/Linux /etc/passwd and /etc/group files.
It's available on AIX, HP-UX, IBM i, Linux (x64, Power & zSeries), Solaris, Windows, and there is a release for z/OS too.
</Vendor_Plug>
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Mo
Posted: Tue Jan 28, 2025 6:29 pm    Post subject:
Novice
Joined: 02 Apr 2010    Posts: 17    Location: IL USA

RogerLacroix wrote:
> <Vendor_Plug>
> Capitalware has a solution called MQAUSX (MQ Authenticate User Security Exit) that can solve your issue(s), and MQAUSX is highly configurable. It has been available since 2005 (long before connauth was introduced in MQ v8.0).
> 1. You can pick and choose which channels have full authentication or support UserIds only (no password). You can even have some channels connect without UserId & Password; an IP filter can be used for verification.
> 2. You can pick and choose which channels will perform local OS authentication vs LDAP authentication (MS AD on Windows) or, on Unix/Linux, which channels support PAM. It also supports File-Based-Auth, which is entirely controlled by the MQAdmin and is modelled after Unix/Linux /etc/passwd and /etc/group files.
> It's available on AIX, HP-UX, IBM i, Linux (x64, Power & zSeries), Solaris, Windows, and there is a release for z/OS too.
> </Vendor_Plug>
> Regards,
> Roger Lacroix
> Capitalware Inc.

Thank you. I did not think about the channel exit. Does the channel exit MQAUSX work in conjunction with connauth?
RogerLacroix
Posted: Tue Jan 28, 2025 10:25 pm    Post subject:
Jedi Knight
Joined: 15 May 2001    Posts: 3264    Location: London, ON Canada

Mo wrote:
> I did not think about the channel exit. Does the channel exit MQAUSX work in conjunction with connauth?

MQAUSX is a Channel Security Exit. No, when you install MQAUSX, you disable CONNAUTH and use MQAUSX exclusively; otherwise, you will end up in the same situation.
CONNAUTH is a single solution that is, by default, used across all channels regardless of whether you are using a Channel Security Exit or not.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
fjb_saper
Posted: Thu Jan 30, 2025 6:06 am    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY

RogerLacroix wrote:
> Mo wrote:
> > I did not think about the channel exit. Does the channel exit MQAUSX work in conjunction with connauth?
>
> MQAUSX is a Channel Security Exit. No, when you install MQAUSX, you disable CONNAUTH and use MQAUSX exclusively; otherwise, you will end up in the same situation.
> CONNAUTH is a single solution that is, by default, used across all channels regardless of whether you are using a Channel Security Exit or not.
> Regards,
> Roger Lacroix
> Capitalware Inc.

Not quite. You can set the lowest setup for connauth on a qmgr, upgrade it by default using a generic chlauth entry, and set it back to the lowest level using a targeted chlauth entry for that particular channel (as qmgr).
What I haven't tried is setting it to none on the connauth and reqadm on the default chlauth. Usually the lowest setting I've used is optional...
_________________
MQ & Broker admin
RogerLacroix
Posted: Thu Jan 30, 2025 3:52 pm    Post subject:
Jedi Knight
Joined: 15 May 2001    Posts: 3264    Location: London, ON Canada

fjb_saper wrote:
> Not quite. You can set the lowest setup for connauth on a qmgr, upgrade it by default using a generic chlauth entry, and set it back to the lowest level using a targeted chlauth entry for that particular channel (as qmgr).
> What I haven't tried is setting it to none on the connauth and reqadm on the default chlauth. Usually the lowest setting I've used is optional...

I think you may confuse people.
- CONNAUTH is for authentication of UserId and Password
- CHLAUTH is for filtering of IP addresses or UserIds or LDAP CN values
And yes, it is advisable to use both to secure your queue manager.
The OP question was about having different CONNAUTH values for different channels, which is not possible.
That is why I suggested MQAUSX. MQAUSX supports both authentication AND filtering, and the MQAdmin can have different settings for different channels of the SAME queue manager. But, of course, MQAUSX is not free.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
pnusch
Posted: Fri Jan 31, 2025 3:38 am    Post subject:
Newbie
Joined: 17 Aug 2020    Posts: 5

It's possible to have different channels with "OPTIONAL" or "REQUIRED" with CHLAUTH-Mapping-Entries.
This needs CONNAUTH "OPTIONAL" on the qmgr; you can then set a global REQUIRED with CHLAUTH('*') and CHCKCLNT(REQUIRED), and choose OPTIONAL for specific CHLAUTH-Entries with CHCKCLNT(ASQMGR).
Probably the limit of this variant is the distinction between "bad pwd" and "without pwd".
You can connect to channels with CONNAUTH OPTIONAL without a pwd but not with a bad pwd, because OPTIONAL means that if you send a pair of credentials it must be valid; if you send only a userid without a pwd you can connect.
What I don't know is whether a CHLAUTH-Mapping-Entry with USERSRC(NOACCESS) and WARN(YES) ignores CONNAUTH too.
SET CHLAUTH
Without a pwd I tested with my own Java MQ client by not setting the password property.
For the requirement with a bad pwd, you probably need the Channel Security Exit route.
With the combination of CONNAUTH and CHLAUTH-Mapping Entries it's possible to authenticate clients with credentials and/or with client certificates (TLS-Peer / Mapping) without exits.
If applications don't send credentials you can use this way too, with mapping to a specific MCA-User to restrict channels with "OPTIONAL".
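The per-channel arrangement that fjb_saper and pnusch describe (queue manager at OPTIONAL, a generic CHLAUTH rule raising everything to REQUIRED, a targeted rule dropping one channel back to the queue-manager value), written out as MQSC. This is an added example for this thread, not commands posted by any of the participants or taken from IBM documentation; the channel names LEGACY.APP.SVRCONN and APP1.SVRCONN, the user IDs and the client address are constructed placeholders.

```mqsc
* Added example (not from the thread). Channel names, user IDs and the
* client address are constructed placeholders. Run inside runmqsc QMGR.

* Step 1: queue-manager-wide CONNAUTH stays at the lowest useful level.
* OPTIONAL = a password is checked only if one is sent; a missing
* password is accepted, a wrong one is still rejected.
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
ALTER QMGR CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) CHLAUTH(ENABLED)
REFRESH SECURITY TYPE(CONNAUTH)

* Step 2: generic rule raises every channel to REQUIRED. CHCKCLNT is
* only allowed on rules whose USERSRC is CHANNEL or MAP, not NOACCESS.
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) +
    CHCKCLNT(REQUIRED) ACTION(REPLACE) +
    DESCR('Default: user ID and password required on all channels')

* Step 3: targeted rule for the one legacy channel. ASQMGR means
* "use the queue manager CONNAUTH value", i.e. OPTIONAL from step 1.
* A more specific channel name wins over the generic '*' rule.
SET CHLAUTH('LEGACY.APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) +
    CHCKCLNT(ASQMGR) ACTION(REPLACE) +
    DESCR('Legacy app: password optional, validated if sent')

* Step 4: verify which rule a given connection would actually match.
* RUNCHECK needs a specific channel name, a specific IP and a user ID.
DISPLAY CHLAUTH('LEGACY.APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('192.0.2.10') CLNTUSER('legacyusr')
DISPLAY CHLAUTH('APP1.SVRCONN') MATCH(RUNCHECK) ADDRESS('192.0.2.10') CLNTUSER('app1usr')
```

The two DISPLAY commands are the check worth keeping: the first should report CHCKCLNT(ASQMGR) for the legacy channel, the second CHCKCLNT(REQUIRED) via the generic rule. Two points a defender should keep in view with this layout. First, the strictness now lives in the generic CHLAUTH rule rather than in CONNAUTH, so deleting or overwriting that rule silently returns every channel to OPTIONAL; re-run the RUNCHECK after any CHLAUTH change. Second, as pnusch notes, this only covers the "no password" case; a client that sends a wrong password on LEGACY.APP.SVRCONN is still refused, which is the behaviour you want for a shared queue manager. ADDRESS('*') is used here only to keep the example short; in practice restrict the legacy rule to the address range that application actually connects from.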