vanushreevyas
Posted: Mon Nov 28, 2011 5:31 am Post subject: BlockIP2 Problems on Linux
Novice
Joined: 28 Nov 2011 Posts: 20

Hello,
We have implemented BLOCKIP2 on a single server connection channel on a queue manager in a Linux environment for MQ version 7.0.1.3.
BlockIP2 is configured not to allow connections for blank user IDs.
Most of the time BlockIP2 does work as expected and stops the application from establishing a connection.
But sometimes we can see BlockIP2 has not succeeded in refusing the connection. BlockIP2 was implemented a week back and since then we can see at least 2 connections out of 1000's have been allowed with a blank user ID (using the CHSTADA parameter for the server connection channel). The rest were all refused as expected.
Even the BlockIP2 log does not contain any information for these connections.
Is BlockIP2 failing to work under heavy load? Has anyone seen this problem before? If BlockIP2 works for 998 instances of the same channel, why would it not work for just 2?
Thanks and Regards,
Vanu
 |
zpat
Posted: Mon Nov 28, 2011 6:29 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
 |
vanushreevyas
Posted: Mon Nov 28, 2011 6:42 am Post subject:
Novice
Joined: 28 Nov 2011 Posts: 20
 |
zpat
Posted: Mon Nov 28, 2011 6:55 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK

There is a way to deal with this. Although I have never seen it happen.
Set the SVRCONN to have mcauser=NoBody (where this id does not exist).
Set the BlockIP2 parms to include these lines at the end. This allows non-blank ids to continue, but if the exit is not called they will fail due to Nobody.
CON=*;BLANK_USERID;BLOCK;
CON=*;*;MCA=*;
 |
mqjeff
Posted: Mon Nov 28, 2011 7:50 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447

Is it possible that the failures to block are occurring for user IDs that are all spaces, rather than nulls?
 |
vanushreevyas
Posted: Mon Nov 28, 2011 8:24 am Post subject:
Novice
Joined: 28 Nov 2011 Posts: 20

mqjeff - The failure is occurring for null user IDs. It seems that the security exit is not getting called once among many connection attempts, as there is no logging for connection accepted in the log for BlockIP2.
 |
vanushreevyas
Posted: Wed Nov 30, 2011 4:33 am Post subject:
Novice
Joined: 28 Nov 2011 Posts: 20

Another problem I have come across is that I can see connection refused for a particular IP in the BlockIP2 log but at exactly the same time I can see a connection has been established on the channel.
Information from log:
2011-11-30|11:15:19|1674218384| Connection refused for pattern [10.27.66.91;10.27.66.221;10.27.67.27;10.27.66.223;10.27.66.198;] ChannelName=[O.SVRCONN.C1] user=[obtest1] ConnName=[10.231.189.31]
Stats for channel:
CHANNEL(O.SVRCONN.C1) CHLTYPE(SVRCONN)
CHSTADA(2011-11-30) CHSTATI(11.15.19)
CONNAME(10.231.189.31) CURRENT
MCAUSER( ) STATUS(RUNNING)
SUBSTATE(RECEIVE)
BlockIP2.ini file:
QMGR=QM1;
CHANNEL=O.SVRCONN.C1;
Patterns=10.27.66.91,10.27.66.221,10.27.67.27,10.27.66.223,10.27.66.198;
Userids=wlsesbaa,wlsesbau,wlsesbca,wlsescap;
Am wondering if I have missed out something during configuration!
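
Added example (not part of the thread and not BlockIP2 code): a Python check that cross-references the BlockIP2 log with channel status output, using the two samples from the last post, to list running SVRCONN instances that have a blank MCAUSER or that started in the same second as a logged refusal from the same address. The log and status layouts are assumed from those single samples, and the function names are hypothetical.

```python
import re

# Sample data copied from the last post; the field layout is assumed from this one sample.
LOG = ("2011-11-30|11:15:19|1674218384| Connection refused for pattern "
       "[10.27.66.91;10.27.66.221;10.27.67.27;10.27.66.223;10.27.66.198;] "
       "ChannelName=[O.SVRCONN.C1] user=[obtest1] ConnName=[10.231.189.31]\n")
CHSTATUS = ("CHANNEL(O.SVRCONN.C1) CHLTYPE(SVRCONN)\n"
            "CHSTADA(2011-11-30) CHSTATI(11.15.19)\n"
            "CONNAME(10.231.189.31) CURRENT\n"
            "MCAUSER( ) STATUS(RUNNING)\n"
            "SUBSTATE(RECEIVE)\n")

REFUSED = re.compile(r"(\d{4}-\d\d-\d\d)\|(\d\d:\d\d:\d\d)\|\d+\|\s*Connection refused .*"
                     r"ChannelName=\[([^\]]*)\] user=\[[^\]]*\] ConnName=\[([^\]]*)\]")
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")   # KEYWORD(value) pairs in the status output

def parse_refusals(log_text):
    """Return {(channel, conname, date, time)} for every refusal the exit logged."""
    hits = (REFUSED.match(line) for line in log_text.splitlines())
    return {(m[3], m[4], m[1], m[2]) for m in hits if m}

def parse_chstatus(text):
    """Split channel status output into one attribute dict per channel instance."""
    instances = []
    for key, value in ATTR.findall(text):
        if key == "CHANNEL":          # each instance starts with CHANNEL(...)
            instances.append({})
        if instances:
            instances[-1][key] = value.strip()
    return instances

def audit(log_text, chstatus_text):
    """Flag RUNNING SVRCONN instances that the exit was expected to stop."""
    refused, findings = parse_refusals(log_text), []
    for inst in parse_chstatus(chstatus_text):
        if inst.get("CHLTYPE") != "SVRCONN" or inst.get("STATUS") != "RUNNING":
            continue
        reasons = []
        if not inst.get("MCAUSER"):   # MCAUSER( ): the blank-id case the thread is about
            reasons.append("blank MCAUSER")
        start = inst.get("CHSTATI", "").replace(".", ":")   # 11.15.19 -> 11:15:19
        if (inst["CHANNEL"], inst.get("CONNAME"), inst.get("CHSTADA"), start) in refused:
            reasons.append("started in the same second as a logged refusal")
        if reasons:
            findings.append((inst["CHANNEL"], inst.get("CONNAME"), reasons))
    return findings

if __name__ == "__main__":
    print(audit(LOG, CHSTATUS))
```

Run periodically against a fresh status capture and the current log, an empty result means no running instance matched either condition; any finding is a connection to investigate.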