BLOCKIP on ZOS - Userid Case |
mbyfield |
Posted: Fri Dec 15, 2006 3:43 am Post subject: BLOCKIP on ZOS - Userid Case |
|
|
 Newbie
Joined: 13 May 2005 Posts: 7 Location: Location: Location:
|
Dear MQ Gurus,
I've installed BLOCKIP v2.55 on ZOS with MQV6 as we need an exit to prevent connections with blank userids and it seems to be just what we are looking for.
This is the first time we have installed BLOCKIP here and it works but for one small problem that I wondered if anyone else had encountered.
When I connect from a Windows machine that I have set up BLOCKIP to block, then all is well and the user gets rc 2059 on the MQCONN.
But when I set up BLOCKIP to allow that IP address to connect, somewhere the userid is changed to lower case and RACF then doesn't recognise him, so the user gets rc 2035 on the MQOPEN.
When blocked....
===========
Windows:
U:\>amqsputc IVP.INST.QL.Q1 QI01
Sample AMQSPUT0 start
MQCONN ended with reason code 2059
BLOCKIP debug output:
2006-12-14|16:18:54|ConName is now Ý10.128.176.166¨
2006-12-14|16:18:54|======= INIT ======
2006-12-14|16:18:54|lMaxChannelActive is now -1 (before channel check)
2006-12-14|16:18:54|Return status Exitresponse=0
2006-12-14|16:18:54|======= Start INIT_SEC ======
2006-12-14|16:18:54|ver=2.55 env=MVS ExitId=MQXT_CHANNEL_SEC_EXIT ExitReason=MQXR_INIT_SEC ChannelType=MQCHT_SVRCONN
2006-12-14|16:18:54|BlockExit QMgr=ÝQI01¨ ChannelName=ÝQI01.CLIENT.S1¨ ConnName=Ý10.128.176.166¨ Uid=ÝD18185¨ pDataLength=0
2006-12-14|16:18:54|RemUID Before strupr ÝD18185¨
2006-12-14|16:18:54|RemUID After strupr ÝD18185¨
2006-12-14|16:18:54|CheckConnectionPattern()
2006-12-14|16:18:54|Pattern Ý10.128.175.*;¨ ipÝ10.128.175.*¨ j 12
2006-12-14|16:18:54|Connection refused for pattern Ý10.128.175.*;¨ ChannelName=ÝQI01.CLIENT.S1¨ user=ÝD18185¨ ConnName=Ý10.128.176.166¨
2006-12-14|16:18:54|Connection failure!
2006-12-14|16:18:54|======= TERM ======
2006-12-14|16:18:54|Channel closed ÝQI01.CLIENT.S1¨ Connection Name Ý10.128.176.166¨
2006-12-14|16:18:54|Before Free
2006-12-14|16:18:54|Free success
ZOS Syslog:
+CSQX500I QI01 CSQXRESP Channel QI01.CLIENT.S1 started
+BLOCKIP-07E Connection refused CHL=QI01.CLIENT.S1 CONN= USER=D18185
+BLOCKIP-99I Channel closed QI01.CLIENT.S1 Connection Name 10.128.176.166
+CSQX536I QI01 CSQXRESP Channel QI01.CLIENT.S1 stopping because of request by exit BLOCKIP2
+CSQX599E QI01 CSQXRESP Channel QI01.CLIENT.S1 ended abnormally
When allowed....
==========
Windows:
U:\>amqsputc IVP.INST.QL.Q1 QI01
Sample AMQSPUT0 start
target queue is IVP.INST.QL.Q1
MQOPEN ended with reason code 2035
unable to open queue for output
Sample AMQSPUT0 end
BLOCKIP debug output:
2006-12-14|16:20:28|ConName is now Ý10.128.176.166¨
2006-12-14|16:20:28|======= INIT ======
2006-12-14|16:20:28|lMaxChannelActive is now -1 (before channel check)
2006-12-14|16:20:28|Return status Exitresponse=0
2006-12-14|16:20:28|======= Start INIT_SEC ======
2006-12-14|16:20:28|ver=2.55 env=MVS ExitId=MQXT_CHANNEL_SEC_EXIT ExitReason=MQXR_INIT_SEC ChannelType=MQCHT_SVRCONN
2006-12-14|16:20:28|BlockExit QMgr=ÝQI01¨ ChannelName=ÝQI01.CLIENT.S1¨ ConnName=Ý10.128.176.166¨ Uid=ÝD18185¨ pDataLength=0
2006-12-14|16:20:28|RemUID Before strupr ÝD18185¨
2006-12-14|16:20:28|RemUID After strupr ÝD18185¨
2006-12-14|16:20:28|CheckConnectionPattern()
2006-12-14|16:20:28|Pattern Ý10.128.176.*;¨ ipÝ10.128.176.*¨ j 12
2006-12-14|16:20:28|pattern Ý10.128.176.*¨, ConName Ý10.128.176.166¨ passed test..
2006-12-14|16:20:28|Users: ݨ len Ý0¨ 0
2006-12-14|16:20:28|CheckCONList()
2006-12-14|16:20:28|CheckSSLList()
2006-12-14|16:20:28|CheckBlankUser()
2006-12-14|16:20:28|Connection accepted, Channel ÝQI01.CLIENT.S1¨ ConName Ý10.128.176.166¨ Pattern Ý10.128.176.*;¨ Flags ÝUseridUpperLowerCase=* ¨ User ÝD18185¨
2006-12-14|16:20:28|Return status Exitresponse=0
2006-12-14|16:20:28|======= TERM ======
2006-12-14|16:20:28|Channel closed ÝQI01.CLIENT.S1¨ Connection Name Ý10.128.176.166¨
2006-12-14|16:20:28|Before Free
2006-12-14|16:20:28|Free success
ZOS Syslog:
+CSQX500I QI01 CSQXRESP Channel QI01.CLIENT.S1 started
+BLOCKIP-50I Connection accepted CHL=QI01.CLIENT.S1 CONN= USER=D18185
ICH408I USER(d18185 ) GROUP( ) NAME(??? )
LOGON/JOB INITIATION - USER AT TERMINAL NOT RACF-DEFINED
IRR012I VERIFICATION FAILED. USER PROFILE NOT FOUND.
+BLOCKIP-99I Channel closed QI01.CLIENT.S1 Connection Name 10.128.176.166
+CSQX501I QI01 CSQXRESP Channel QI01.CLIENT.S1 is no longer active
Without BLOCKIP the user can connect and open with no complaint from RACF.
I've tried using the UseridUpperLowerCase parm, but this didn't solve it. Am I going to have to delve into the C code or is there another parm I can use? Any ideas?
Thanks,
Max |
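A triage check for the symptom described in the post above, as an added example that is not part of the original thread and is not BLOCKIP code: it pairs each BLOCKIP-50I accept with a following ICH408I and reports when the two userids differ only by case. The function name is hypothetical, the message layouts are assumed to match the syslog lines quoted in the post, and pairing by line order assumes no other channel's messages are interleaved.

```python
import re

# Constructed sample: the syslog lines from the "When allowed" test quoted in the post.
SAMPLE_SYSLOG = """\
+CSQX500I QI01 CSQXRESP Channel QI01.CLIENT.S1 started
+BLOCKIP-50I Connection accepted CHL=QI01.CLIENT.S1 CONN= USER=D18185
ICH408I USER(d18185 ) GROUP( ) NAME(??? )
LOGON/JOB INITIATION - USER AT TERMINAL NOT RACF-DEFINED
IRR012I VERIFICATION FAILED. USER PROFILE NOT FOUND.
+BLOCKIP-99I Channel closed QI01.CLIENT.S1 Connection Name 10.128.176.166
+CSQX501I QI01 CSQXRESP Channel QI01.CLIENT.S1 is no longer active
"""

# Message layouts are assumed from the lines on this page, not from product documentation.
ACCEPT = re.compile(r"BLOCKIP-50I Connection accepted CHL=(\S+) .*USER=(\S*)")
RACF_FAIL = re.compile(r"ICH408I USER\(([^)]*)\)")
CLOSED = re.compile(r"BLOCKIP-99I Channel closed (\S+)")


def find_case_mismatches(syslog_text):
    """Pair each BLOCKIP accept with an ICH408I seen before the channel closes.

    Returns a list of (channel, exit_user, racf_user, verdict) tuples.
    """
    findings = []
    pending = None  # (channel, user) from the last accept that has not closed yet
    for line in syslog_text.splitlines():
        m = ACCEPT.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = RACF_FAIL.search(line)
        if m and pending:
            channel, exit_user = pending
            racf_user = m.group(1).strip()  # RACF pads the userid with blanks
            if racf_user == exit_user:
                verdict = "same-userid"
            elif racf_user.upper() == exit_user.upper():
                verdict = "case-mismatch"  # userid was folded after the exit logged it
            else:
                verdict = "different-userid"
            findings.append((channel, exit_user, racf_user, verdict))
            continue
        m = CLOSED.search(line)
        if m and pending and m.group(1) == pending[0]:
            pending = None  # channel ended; later ICH408I lines belong elsewhere
    return findings


if __name__ == "__main__":
    for finding in find_case_mismatches(SAMPLE_SYSLOG):
        print(finding)
```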
fjb_saper |
Posted: Fri Dec 15, 2006 4:00 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Maybe you need to change something there:
Flags ÝUseridUpperLowerCase=*
_________________
MQ & Broker admin
mbyfield |
Posted: Fri Dec 15, 2006 4:56 am Post subject: |
|
|
 Newbie
Joined: 13 May 2005 Posts: 7 Location: Location: Location:
|
Yes, after I first got this error I set that flag. The manual just says "UseridUpperLowerCase=*; Swift off case sensitivity, fold any matching to uppercase."
Is there some other usage of this flag that will help? |
oz1ccg |
Posted: Sun Dec 17, 2006 11:09 pm Post subject: |
|
|
 Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
|
It seems first like there is a minor config problem.... (might be caused by some IP-address translation, or just a typo).
Quote: |
2006-12-14|16:18:54|Connection refused for pattern Ý10.128.175.*;¨ ChannelName=ÝQI01.CLIENT.S1¨ user=ÝD18185¨ ConnName=Ý10.128.176.166¨ |
You come from 10.128.176.166 and your pattern is set to 10.128.175.* allowing only connections from this address.
Try changing the filter to the right address. And I would expect it to work.
-- Lock it or Lose it --  _________________ Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT. |
mbyfield |
Posted: Mon Dec 18, 2006 3:23 am Post subject: |
|
|
 Newbie
Joined: 13 May 2005 Posts: 7 Location: Location: Location:
|
oz1ccg wrote: |
You come from 10.128.176.166 and your pattern is set to 10.128.175.* allowing only connections from this address.
Try changing the filter to the right address. And I would expect it to work.
|
Hi Jørgen,
Yes, but you're looking at the debug output from the first test, where I deliberately set the filter wrongly to prove that it does block that IP. In the second test, where I set the filter to the right address, so it allows the connection, that's when I run into this userid case problem.
Please have a look again at my original mail, starting from where it says:
mbyfield wrote: |
When allowed....
==========
|
Many thanks,
Max |
oz1ccg |
Posted: Mon Dec 18, 2006 3:33 pm Post subject: |
|
|
 Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
|
Well, no problem, I should have read your note a bit more carefully..
Could you please show me the channel definition ?
DIS CHL(QI01.CLIENT.S1) ALL
-- Lock it or Lose it  _________________ Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT. |
mbyfield |
Posted: Tue Dec 19, 2006 12:41 am Post subject: |
|
|
 Newbie
Joined: 13 May 2005 Posts: 7 Location: Location: Location:
|
oz1ccg wrote: |
Could you please show me the channel definition ?
DIS CHL(QI01.CLIENT.S1) ALL |
Here he is....
CSQM201I QI01 CSQMDRTC DIS CHANNEL DETAILS
CHANNEL(QI01.CLIENT.S1)
CHLTYPE(SVRCONN)
QSGDISP(QMGR)
TRPTYPE(TCP)
DESCR(xxxxxxxx client connection)
DISCINT(0)
SCYEXIT(BLOCKIP2)
SCYDATA(FN=DD:BLOCKDD;-d)
SENDEXIT( )
SENDDATA( )
RCVEXIT( )
RCVDATA( )
PUTAUT(DEF)
KAINT(AUTO)
MONCHL(QMGR)
ALTDATE(2006-12-14)
ALTTIME(16.18.49)
SSLCAUTH(REQUIRED)
SSLCIPH( )
SSLPEER( )
MCAUSER( )
MAXMSGL(104857600)
COMPHDR(
NONE
)
COMPMSG(
NONE
)
HBINT(300)
END CHANNEL DETAILS
Cheers,
Max |