srinivas Raju
Posted: Mon Jun 25, 2007 10:32 pm Post subject: Connection refused, Channel [SYSTEM.ADMIN.SVRCONN]
Novice
Joined: 20 Feb 2007 Posts: 22 Location: India
Hi.
In my solution I am using the BlockIP2 security exit to secure the server connection channel from intruders.
I have written one text file which has the following content:
Patterns=10.1.54.136
Userids=sreenu
and saved the above file in /var/mqm/exits/--
The above specified IP is my machine IP and sreenu is my userid.
And in the server connection channel I gave the security data and security exit as follows:
alter channel(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN) scydata('FN=/var/mqm/exits/blockip2.txt;') scyexit('/var/mqm/exits/BlockIP2(BlockExit)')
After this I restarted the Qmgr,
but while trying to access the channel through a Java application it's giving the following log:
2007-06-25|12:33:02|Channel onnection accepted, Channel [SYSTEM.ADMIN.SVRCONN] ConName [10.1.54.136] Flags [] User [sreenu]
2007-06-25|12:42:43|Connection refused, Channel [SYSTEM.ADMIN.SVRCONN] ConName [10.1.54.136] User [] not in positive list [sreenu,mqm,root,]
2007-06-25|12:42:43|Channel closed [SYSTEM.ADMIN.SVRCONN] Connection Name [10.1.54.136]
Please clear me about this error. What does "User [] not in positive list" mean?
thanks
Raju
mehedi
Posted: Mon Jun 25, 2007 11:03 pm Post subject: The userid is [] blank
Centurion
Joined: 11 Nov 2001 Posts: 102 Location: PSTech
Sreeni,
According to the message, the userid being supplied by the Java app is [] (blank):
2007-06-25|12:42:43|Connection refused, Channel [SYSTEM.ADMIN.SVRCONN] ConName [10.1.54.136] User [] not in positive list [sreenu,mqm,root,]
Is your app using JMS or the MQ API?
MQ API
(1) Set the MQMD.Userid field if you are using the MQ API.
JMS API
(2) If you are using the JMS API you cannot set the Userid field from the app (the JMS specs don't allow this). When configuring the QCF, set the Userid and Password parameters.
Regards
Mehedi
mehedi
Posted: Tue Jun 26, 2007 11:49 am Post subject: For MQMQ.Userid is to be used for authorization check on ch
Centurion
Joined: 11 Nov 2001 Posts: 102 Location: PSTech
Sreeni,
the channel attribute PUT Authority needs to be set to CTX for using the MQ API and the option suggested.
Mehedi
jefflowrey
Posted: Tue Jun 26, 2007 12:00 pm Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
Mehedi -
There's almost never a good reason to set PUTAUT to CTX for an MQ channel. And it certainly doesn't apply in this case - CTX means "use the user that the OS supplied" - in this case there is no user supplied!
It's always better to set an MCAUser.
_________________ I am *not* the model of the modern major general.
Vitor
Posted: Tue Jun 26, 2007 12:10 pm Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
mehedi
Posted: Tue Jun 26, 2007 8:19 pm Post subject: PUTAUT - Intercommunication manual
Centurion
Joined: 11 Nov 2001 Posts: 102 Location: PSTech
Jeff,
Srini is trying to connect using his id; the receiver channel MCA userid is set to blank. I think he wants to desist from setting the MCA userid, and have each app/userid connecting to this channel be checked for authorization. I follow your reasons for suggesting the MCA userid be set on the receiver channel, and granting this user id authorizations for connecting to the QM and the needed queues.
Here is the excerpt from the Intercommunication manual on PUTAUT:
PUT authority (PUTAUT)
Use this attribute to choose the type of security processing to be carried out by the MCA when executing:
- An MQPUT command to the destination queue (for message channels), or
- An MQI call (for MQI channels).
You can choose one of the following:
Process security, also called default authority (DEF)
The default user ID is used.
On platforms with process security, you choose to have the queue security based on the user ID that the process is running under. The user ID is that of the process or user running the MCA at the receiving end of the message channel.
The queues are opened with this user ID and the open option MQOO_SET_ALL_CONTEXT.
Context security (CTX)
The alternate user ID is used from the context information associated with the message.
The UserIdentifier in the message descriptor is moved into the AlternateUserId field in the object descriptor. The queue is opened with the open options MQOO_SET_ALL_CONTEXT and MQOO_ALTERNATE_USER_AUTHORITY.
The user ID used to check open authority on the queue for MQOO_SET_ALL_CONTEXT and MQOO_ALTERNATE_USER_AUTHORITY is that of the process or user running the MCA at the receiving end of the message channel. The user ID used to check open authority on the queue for MQOO_OUTPUT is the UserIdentifier in the message descriptor.
Regards
Mehedi
srinivas Raju
Posted: Tue Jun 26, 2007 8:48 pm Post subject:
Novice
Joined: 20 Feb 2007 Posts: 22 Location: India
Hi all.
Good morning. My problem has been solved.
The procedure is as follows.
I copied the BlockIP2 exit into /var/mqm/exits/BlockIP2.
Then I wrote one script file, which consists of
Pattern=IP add list
UserIDs=client machine userids
and copied this file into /var/mqm/exits/blockip2.txt.
Next, configure the server connection as follows:
alter channel(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN) scydata('FN=/var/mqm/exits/blockip2.txt;') scyexit('/var/mqm/exits/BlockIP2(BlockExit)')
By this the channel accepts only the IPs specified in Patterns and the userids specified in the UserIDs list. Here both the IP and the userID should match; only then is the connection accepted.
Next, I have a Java application developed using the MQ API. This could fire MQ API calls. By default this carries the IP of the client machine but not the userID,
so we have to set the environment variable manually:
String username = System.getProperty("user.name");
MQEnvironment.userID=username;
These 2 lines should be added in the code.
Now my application is able to carry both the machine IP and the user id.
Here BlockIP2 verifies both; if the verification succeeds it will connect to the server connection channel, otherwise the connection is refused.
With the above solution, even if somebody is trying to connect by using the original IP, it will verify the userid also, so the connection is automatically refused.
Here my assumption is: in the domain, normal users could not create userids and the machine wouldn't accept duplicate userids.
How is this solution? Is this feasible?
Please let me know if anything needs to be changed.
thanks
Raju
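The positive-list check described in the first post and in the solution above (the client IP must match a listed pattern and the userid must be in the list; a blank userid is refused with "User [] not in positive list"), modelled in Python as an added example. This is not BlockIP2's code and nothing in the thread contains it; the `Patterns=`/`Userids=` file layout, the `;` separator and the glob-style IP patterns are assumptions based on the file quoted in the thread, and the configuration and log lines are constructed from the ones quoted. The `refused_connections` helper is the defender-side reading of the exit's log: it pulls out every refusal so that clients arriving with a blank or unlisted userid are easy to spot.

```python
"""Model of a BlockIP2-style positive-list check and a reader for its log lines.

Constructed example, not BlockIP2's code. The config layout (Patterns=/Userids=
lines, ';' separated, glob-style IP patterns) is an assumption drawn from the
file quoted in the thread; the real exit's syntax may differ.
"""
import fnmatch
import re

# Constructed scydata file, modelled on the blockip2.txt the thread describes.
SAMPLE_CONFIG = """\
Patterns=10.1.54.136;10.1.54.*
Userids=sreenu;mqm;root
"""

# Constructed log lines modelled on the ones quoted in the thread.
SAMPLE_LOG = """\
2007-06-25|12:33:02|Connection accepted, Channel [SYSTEM.ADMIN.SVRCONN] ConName [10.1.54.136] Flags [] User [sreenu]
2007-06-25|12:42:43|Connection refused, Channel [SYSTEM.ADMIN.SVRCONN] ConName [10.1.54.136] User [] not in positive list [sreenu,mqm,root,]
2007-06-25|12:42:43|Channel closed [SYSTEM.ADMIN.SVRCONN] Connection Name [10.1.54.136]
"""


def parse_config(text):
    """Return (patterns, userids) from Key=value lines; entries are ';' separated."""
    patterns, userids = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries = [v.strip() for v in value.split(";") if v.strip()]
        key = key.strip().lower()
        if key in ("pattern", "patterns"):
            patterns.extend(entries)
        elif key in ("userid", "userids"):
            userids.extend(entries)
    return patterns, userids


def evaluate(conname, userid, patterns, userids):
    """Accept only when the client IP matches a pattern AND the userid is listed.

    Returns (accepted, reason). The userid is whatever the client asserted
    (for the MQ Java API, MQEnvironment.userID), so passing this check shows
    that the client sent a listed name, not that it proved who it is.
    """
    if not any(fnmatch.fnmatchcase(conname, p) for p in patterns):
        return False, f"ConName [{conname}] not in positive list [{';'.join(patterns)}]"
    if userid not in userids:
        # A client that never set a userid arrives here with userid == "".
        return False, f"User [{userid}] not in positive list [{','.join(userids)},]"
    return True, "accepted"


# Fields of the exit's log lines as quoted in the thread: date|time|event ...
LOG_RE = re.compile(
    r"^(?P<date>[^|]+)\|(?P<time>[^|]+)\|"
    r"(?P<event>Connection accepted|Connection refused|Channel closed)[^\[]*"
    r"\[(?P<channel>[^\]]+)\].*?(?:ConName|Connection Name) \[(?P<conname>[^\]]*)\]"
    r"(?:.*?User \[(?P<user>[^\]]*)\])?"
)


def parse_log(text):
    """Parse exit log lines into dicts; lines that do not match are skipped."""
    matches = (LOG_RE.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def refused_connections(text):
    """Defender-side view: (conname, user) for every refusal, e.g. to spot blank userids."""
    return [(e["conname"], e["user"]) for e in parse_log(text)
            if e["event"] == "Connection refused"]


if __name__ == "__main__":
    pats, users = parse_config(SAMPLE_CONFIG)
    for ip, uid in [("10.1.54.136", "sreenu"), ("10.1.54.136", ""), ("192.0.2.7", "sreenu")]:
        print(ip, repr(uid), evaluate(ip, uid, pats, users))
    print("refused:", refused_connections(SAMPLE_LOG))
```

Run it as a script to see the three decisions: the listed IP with `sreenu` is accepted, the same IP with a blank userid is refused with the same wording as the thread's log line, and an unlisted IP is refused regardless of the userid. Because `evaluate` only compares the name the client supplied, the model also makes the limit of this approach visible: it is a filter on asserted values, not an authentication step.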
fjb_saper
Posted: Wed Jun 27, 2007 2:00 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
If you have admin rights to the machine you can always create a userid local to the machine (no dups with the domain) and log on to the machine with that userid. Then IP and userid would match?
If you want it that secure you should require a digital certificate (SSL) that provides the userid...
Enjoy
_________________ MQ & Broker admin
RogerLacroix
Posted: Wed Jun 27, 2007 9:25 am Post subject:
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
srinivas Raju wrote:
    Here my assumption is: in the domain, normal users could not create userids and the machine wouldn't accept duplicate userids.
    How is this solution? Is this feasible?
Hi,
BlockIP can ONLY filter a connection by IP address and/or UserId. As you have shown, it is easy to set a UserId in MQ. Also, anyone with a good networking background can easily spoof an IP address.
If you want to authenticate an incoming UserId and password then there are only 3 solutions available:
1. Capitalware's MQ Authenticate User Security Exit
2. IBM's WebSphere MQ Extended Security Edition V6
3. Primeur's Data Secure for WebSphere MQ
Regards,
Roger Lacroix
Capitalware Inc.
_________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
PeterPotkay
Posted: Wed Jun 27, 2007 4:04 pm Post subject: Re: For MQMQ.Userid is to be used for authorization check on
Poobah
Joined: 15 May 2001 Posts: 7722
mehedi wrote:
    Sreeni,
    the channel attribute PUT Authority needs to be set to CTX for using the MQ API and the option suggested.
    Mehedi
PUTAUT is not applicable for SVRCONN channels.
And it's useless for the channel types it does apply to.
_________________ Peter Potkay
Keep Calm and MQ On
mehedi
Posted: Wed Jun 27, 2007 9:09 pm Post subject:
Centurion
Joined: 11 Nov 2001 Posts: 102 Location: PSTech
Peter, Jeff,
I stand corrected - thanks.