Issue with creating chlauth for a new channel
jeevan
Posted: Sat Nov 24, 2012 11:04 am Post subject: Issue with creating chlauth for a new channel
Grand Master
Joined: 12 Nov 2005 Posts: 1432
Hi All,
I created one channel, let's say CHANNELA, on a queue manager on a Windows server (MQ 7.5). I also set the MCAUSER of CHANNELA to usr123.
On my Linux box (with MQ 7.5 installed on it) I set up the MQSERVER variable.
On Windows, I created a user called usr123 and set the following authrecs:
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL(usr123) AUTHADD(CONNECT,INQ,DSP)
SET AUTHREC PROFILE(TEST.QLOCAL) OBJTYPE(QUEUE) PRINCIPAL(usr123) AUTHADD(PUT)
With this setup, I can put a message to a queue in the Windows qmgr logged in as user456 on my Linux box.
Now, I am creating a chlauth record:
SET CHLAUTH('CHANNELA') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) WARN(NO) ACTION(ADD)
This should block all users from all IPs from accessing this channel. I verified this, as I cannot put a message from usr456 now.
Now, I am creating another chlauth record to allow an inbound request from a particular IP (of my Linux box).
I did this:
SET CHLAUTH('CHANNELA') TYPE(ADDRESSMAP) ADDRESS('IP of my linux box') USERSRC(CHANNEL) DESCR('Channel auth Rule for allowing a inbound request from an ip') ACTION(ADD)
When I tried amqsputc, it fails with 2035.
Did I miss anything?
I assumed the following while creating the two chlauth records:
All system channels are blocked for all users, so for any new user channel I need to block access for all users and from all IPs first and then allow whatever I like. Based on this, I created two chlauth records - one to block all and one to allow a particular IP.
exerk
Posted: Sat Nov 24, 2012 3:55 pm Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Read the Interaction between channel authentication records section HERE.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
jeevan
Posted: Sat Nov 24, 2012 4:21 pm Post subject:
Grand Master
Joined: 12 Nov 2005 Posts: 1432
exerk wrote:
Read the Interaction between channel authentication records section HERE.
My question is not how to do it or what I can do. I can read these, but when I applied one rule, a piece of it works but not the other.
Blocking works as expected but not allowing, so I needed another pair of eyes to look at it.
exerk
Posted: Sun Nov 25, 2012 3:41 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
The point I was making is that the rules are applied in a strict hierarchy, and that section of the Info Centre tells you the order of that hierarchy. Have you tried disabling the first rule and seeing what effect that has on your second rule?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
jeevan
Posted: Sun Nov 25, 2012 1:58 pm Post subject:
Grand Master
Joined: 12 Nov 2005 Posts: 1432
exerk wrote:
The point I was making is that the rules are applied in a strict hierarchy, and that section of the Info Centre tells you the order of that hierarchy. Have you tried disabling the first rule and seeing what effect that has on your second rule?
The second rule,
Quote:
SET CHLAUTH('CHANNELA') TYPE(ADDRESSMAP) ADDRESS('IP of my linux box') USERSRC(CHANNEL) DESCR('Channel auth Rule for allowing a inbound request from an ip') ACTION(ADD)
does not do anything, which is true. Because this channel is already open for all, why do we need a specific rule to allow a particular IP?
Let me repeat my assumptions and further questions.
1. Assumption 1
The system channels are blocked by
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
I verified this by creating a new user which is not in the mqm group.
2. Assumption 2
Any new user channel (a channel created by the MQ admin) has to be blocked first, and then we start opening it as needed. The opening should be based on IP.
I applied the first rule, SET CHLAUTH('CHANNELA') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) WARN(NO) ACTION(ADD), based on this assumption.
3. Assumption 3
Opening a channel should be based on an IP, and we can allow the user inserted in the channel or map it to an MCAUSER.
Based on this, I created the second rule.
The IBM document says:
Where a number of channel authentication records match a channel name, IP address, queue manager name, or SSL or TLS DN, the most specific match is used. The match considered to be most specific is determined as follows.
Based on this, my second rule should come into effect and the IP address of my Unix box has to be allowed to make a connection.
Also, the pre-applied rule
set CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(CHANNEL)
is to open the system admin SVRCONN channel for any id inserted by the channel. The only difference between this and my second rule is that this has allowed all IPs (*), whereas I have allowed only a particular IP.
gbaddeley
Posted: Sun Nov 25, 2012 6:06 pm Post subject:
Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
The reason why a channel does not run will appear in the qmgr error logs. This should indicate which chlauth is coming into play.
_________________
Glenn
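The precedence question jeevan works through above, and gbaddeley's point that the queue manager decides which record applies, can be checked against a small model. The Python below is an added example written for this thread; it is not code from the posts or from IBM MQ. It encodes the CHLAUTH records posted in the thread, with constructed documentation-range addresses (192.0.2.10 standing in for the Linux box, 198.51.100.7 for some other host), and a simplified, assumed reading of the "most specific match" rule: an exact channel name beats a generic one, then a single address beats a range, which beats a partial wildcard, which beats '*'. Under that reading the specific-IP USERSRC(CHANNEL) record is expected to win over the ADDRESS('*') USERSRC(NOACCESS) record for the Linux box, so a 2035 with both records in place points at a decision made elsewhere, which is what the qmgr error log would show.

```python
import ipaddress
from typing import Optional

# Constructed addresses (RFC 5737 documentation ranges), not the poster's real hosts.
LINUX_BOX = "192.0.2.10"
OTHER_HOST = "198.51.100.7"

# The ADDRESSMAP records from the thread, as simple dicts (assumed, simplified model).
RULES = [
    # the two records jeevan created for CHANNELA
    {"chlname": "CHANNELA", "address": "*", "usersrc": "NOACCESS"},
    {"chlname": "CHANNELA", "address": LINUX_BOX, "usersrc": "CHANNEL"},
    # the default records the queue manager ships with
    {"chlname": "SYSTEM.*", "address": "*", "usersrc": "NOACCESS"},
    {"chlname": "SYSTEM.ADMIN.SVRCONN", "address": "*", "usersrc": "CHANNEL"},
]


def channel_matches(pattern: str, chlname: str) -> bool:
    """A trailing '*' in the record's channel name is generic; anything else is exact."""
    if pattern.endswith("*"):
        return chlname.startswith(pattern[:-1])
    return chlname == pattern


def channel_specificity(pattern: str) -> int:
    """Exact names outrank generic ones; longer generic prefixes outrank shorter."""
    if pattern.endswith("*"):
        return len(pattern) - 1
    return 10_000  # any exact name beats any generic pattern


def _octet_matches(part: str, value: int) -> bool:
    if part == "*":
        return True
    if "-" in part:  # per-octet range such as 1-20
        lo, hi = (int(x) for x in part.split("-", 1))
        return lo <= value <= hi
    return int(part) == value


def address_matches(pattern: str, ip: str) -> bool:
    """ADDRESS() patterns: '*', a dotted address, or per-octet '*' / 'a-b' ranges."""
    if pattern == "*":
        return True
    parts = pattern.split(".")
    if len(parts) != 4:
        return False
    octets = ipaddress.IPv4Address(ip).packed  # bytes -> iterates as ints
    return all(_octet_matches(p, v) for p, v in zip(parts, octets))


def address_specificity(pattern: str) -> int:
    """Assumed ordering: single address (3) > range (2) > partial wildcard (1) > '*' (0)."""
    if pattern == "*":
        return 0
    if "*" in pattern:
        return 1
    if "-" in pattern:
        return 2
    return 3


def winning_rule(rules, chlname: str, ip: str) -> Optional[dict]:
    """The record that applies: most specific channel name, then most specific address.
    None means no ADDRESSMAP record matched this connection at all."""
    candidates = [r for r in rules
                  if channel_matches(r["chlname"], chlname)
                  and address_matches(r["address"], ip)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (channel_specificity(r["chlname"]),
                                          address_specificity(r["address"])))


def effective_user(rule: Optional[dict], channel_mcauser: str, flowed_user: str) -> Optional[str]:
    """Identity the connection runs as (assumed model of USERSRC):
    NOACCESS -> None (refused); CHANNEL or no matching record -> the channel
    definition's MCAUSER if set, else the id the client sent; MAP -> the record's MCAUSER."""
    if rule is None:
        return channel_mcauser or flowed_user
    if rule["usersrc"] == "NOACCESS":
        return None
    if rule["usersrc"] == "MAP":
        return rule["mcauser"]
    return channel_mcauser or flowed_user


def decide(rules, chlname: str, ip: str, channel_mcauser: str = "", flowed_user: str = "") -> Optional[str]:
    return effective_user(winning_rule(rules, chlname, ip), channel_mcauser, flowed_user)


if __name__ == "__main__":
    # Walk the thread's scenario: CHANNELA has MCAUSER usr123, the client flows user456.
    for chl, ip in [("CHANNELA", LINUX_BOX), ("CHANNELA", OTHER_HOST),
                    ("SYSTEM.ADMIN.SVRCONN", OTHER_HOST), ("SYSTEM.DEF.SVRCONN", OTHER_HOST)]:
        rule = winning_rule(RULES, chl, ip)
        who = decide(RULES, chl, ip, channel_mcauser="usr123", flowed_user="user456")
        print(f"{chl:22} from {ip:14} -> record {rule} -> runs as {who or 'REFUSED'}")
```

Running it shows CHANNELA from the Linux box selected by the specific-IP record and running as usr123, while the same channel from any other address is refused by the '*' NOACCESS record; SYSTEM.ADMIN.SVRCONN is opened by its exact-name record even though SYSTEM.* blocks the other system channels. Whatever the real queue manager decided differently is exactly what its error log records.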