Sort of like really confused on some CHLAUTH behaviour!?
smeunier
PostPosted: Wed Jul 24, 2013 7:58 am    Post subject: Sort of like really confused on some CHLAUTH behaviour!?

Partisan

Joined: 19 Aug 2002
Posts: 305
Location: Green Mountains of Vermont

The basics:

AIX 6.1
MQ 7.5.0.1

The issue:
Difficulty allowing authorized users in on SVRCONN channels.

What is in place:
The 3 default rules with 7.5 installation
Morag backstop rule recommendation:

Code:
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule') WARN(YES)


The following SVRCONN rule, which seems to fail:

Code:
AMQ8878: Display channel authentication record details.
   CHLAUTH(TCI002.SVRCONN)                 TYPE(USERMAP)
   DESCR(Allow userid:tciscva to use channel)
   CUSTOM( )                               ADDRESS(9.61.*)
   CLNTUSER(tcisvca)                       MCAUSER(tcisvca)
   USERSRC(MAP)                            ALTDATE(2013-07-24)
   ALTTIME(10.46.23)


When I run a test to see if a request would be blocked with that id(tcisvca) it comes back with:
Code:
    17 : DISPLAY CHLAUTH('TCI002.SVRCONN') MATCH(RUNCHECK) ALL ADDRESS('9.61.13.156') CLNTUSER('tcisvca')
AMQ8878: Display channel authentication record details.
   CHLAUTH(*)                              TYPE(BLOCKUSER)
   DESCR(Default rule to disallow privileged users)
   CUSTOM( )                               USERLIST(*MQADMIN)
   WARN(NO)                                ALTDATE(2013-07-18)
   ALTTIME(09.16.10)


However if I run the test with any other id it appears to pass:
Code:
    20 : DISPLAY CHLAUTH('TCI002.SVRCONN') MATCH(RUNCHECK) ALL ADDRESS('9.61.13.156') CLNTUSER('jughead')
AMQ9783: Channel will run using MCAUSER('jughead').


So I'm like confused as to why the whitelist rule I have in place to allow access fails, when everything that should be blacklisted appears to pass. Am I looking at this wrong?

Here is the log error I'm trying to solve for:

Code:
AMQ9776: Channel was blocked by userid

EXPLANATION:
The inbound channel 'TCI002.SVRCONN' was blocked from address '9.61.13.156'
because the active values of the channel were mapped to a userid which should
be blocked. The active values of the channel were 'MCAUSER(tcisvca)
CLNTUSER()'.


The SVRCONN channel has no value set for the MCAUSER attribute.

And yes, I have looked at the manuals, forums, and other related articles. I don't understand the mixed messages/meaning I get when I run a MATCH(RUNCHECK) nor why my rules don't seem to allow that connection to pass in. One last bit of information, is that the mqm group contains only the mqm id so the id should not be blocked by the *MQADMIN rule, which I think it is.

Thanks in advance for commentary, hints, suggestions, etc.
PeterPotkay
PostPosted: Wed Jul 24, 2013 6:27 pm    Post subject:

Poobah

Joined: 15 May 2001
Posts: 7722

Let me take a crack at this...

Quote:
Morag backstop rule recommendation:

Code:
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule') WARN(YES)


That's not blocking anything, because it's in warn mode. So that's why jughead gets past.

Quote:
When I run a test to see if a request would be blocked with that id(tcisvca) it comes back with:
Code:
    17 : DISPLAY CHLAUTH('TCI002.SVRCONN') MATCH(RUNCHECK) ALL ADDRESS('9.61.13.156') CLNTUSER('tcisvca')
AMQ8878: Display channel authentication record details.
   CHLAUTH(*)                              TYPE(BLOCKUSER)
   DESCR(Default rule to disallow privileged users)
   CUSTOM( )                               USERLIST(*MQADMIN)
   WARN(NO)                                ALTDATE(2013-07-18)
   ALTTIME(09.16.10)

Quote:
One last bit of information, is that the mqm group contains only the mqm id so the id should not be blocked by the *MQADMIN rule, which I think it is.

*MQADMIN is not just the mqm group. It's any Privileged User that gets blocked. Under the USERLIST section of this link:
http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.ref.adm.doc/q086630_.htm
follow the link to what Privileged Users are. Maybe your tcisvca ID is considered a Privileged ID, despite it not being in mqm, and that's why it's blocked.
_________________
Peter Potkay
Keep Calm and MQ On
hughson
PostPosted: Thu Jul 25, 2013 2:11 am    Post subject:

Padawan

Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand

I suspect Peter has nailed it.

Yes, the reason we use the phrase privileged instead of 'mqm-group' or something with "mqm" in it is to remind you that, on Windows, there are other user IDs that have these privileges and these are *ALL* blocked by *MQADMIN.

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
smeunier
PostPosted: Thu Jul 25, 2013 6:16 am    Post subject:

Partisan

Joined: 19 Aug 2002
Posts: 305
Location: Green Mountains of Vermont

Eye opening information on the privileged users with regards to their granted authorities. I will have to dig into those id's deeper to see what their settings are.

In regards to the id "jughead", I'm still surprised that this was valid, since the id does not even exist in reality. I just threw it in for a what-if situation. But I could see how it could pass, since it is not in the mqm group and there would be no granted authorities against it because the id does not exist either.

I'll investigate the failing id authorities. Thanks.
JosephGramig
PostPosted: Thu Jul 25, 2013 10:50 am    Post subject:

Grand Master

Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA

If you add a more specific BLOCK rule to the channel specifically say to block ('mqm'), then this will override the '*' all channels rule.

I think BLOCK rules get evaluated last.
hughson
PostPosted: Fri Jul 26, 2013 1:10 am    Post subject:

Padawan

Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand

JosephGramig wrote:
I think BLOCK rules get evaluated last.


BLOCKADDR rules get evaluated first.

BLOCKUSER rules get evaluated last.

All the rest in between with the various precedence orders. This includes USERSRC(NOACCESS) which are also blocking.
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
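A simplified model of the evaluation order Morag describes above (BLOCKADDR first, one mapping rule chosen by precedence, BLOCKUSER last) and of Peter's point that a WARN(YES) rule never blocks, run against the rules posted in this thread. This is an added example, not code from the thread or from IBM MQ: the dict encoding of the rules, the sort key used for precedence, the `privileged` set and the use of fnmatch in place of MQ's own IP-address pattern syntax are all assumptions of the model.

```python
from fnmatch import fnmatchcase

# Rules constructed from the output posted in this thread (the two other MQ 7.5
# default rules are omitted). Encoding them as dicts is an assumption of this model.
RULES = [
    {"type": "BLOCKUSER", "chl": "*", "userlist": ["*MQADMIN"], "warn": False},
    {"type": "ADDRESSMAP", "chl": "*", "address": "*", "usersrc": "NOACCESS", "warn": True},  # back-stop
    {"type": "USERMAP", "chl": "TCI002.SVRCONN", "address": "9.61.*",
     "clntuser": "tcisvca", "usersrc": "MAP", "mcauser": "tcisvca", "warn": False},
]

def _applies(rule, channel, address, clntuser):
    """Does a mapping rule match the inbound connection? (fnmatch stands in for MQ's IP patterns.)"""
    if not (fnmatchcase(channel, rule["chl"]) and fnmatchcase(address, rule["address"])):
        return False
    return rule["type"] != "USERMAP" or rule["clntuser"] == clntuser

def runcheck(rules, channel, address, clntuser, privileged=frozenset({"mqm"})):
    """Simplified model of DISPLAY CHLAUTH MATCH(RUNCHECK): BLOCKADDR first, one
    mapping rule chosen by precedence (USERMAP beats ADDRESSMAP, then the more
    specific ADDRESS), BLOCKUSER last. A WARN(YES) rule only records a warning."""
    warnings = []
    for r in rules:                                   # 1. BLOCKADDR is evaluated first
        if r["type"] == "BLOCKADDR" and any(fnmatchcase(address, a) for a in r["addrlist"]):
            if not r["warn"]:
                return {"blocked": True, "by": "BLOCKADDR", "warnings": warnings}
            warnings.append("BLOCKADDR")
    mapping = [r for r in rules if r["type"] in ("USERMAP", "ADDRESSMAP")
               and _applies(r, channel, address, clntuser)]
    mapping.sort(key=lambda r: (r["type"] == "USERMAP", -r["address"].count("*"),
                                len(r["address"])), reverse=True)
    mcauser = clntuser        # the SVRCONN has a blank MCAUSER, so the client ID is used
    if mapping:               # 2. apply the single most specific mapping rule
        best = mapping[0]
        if best["usersrc"] == "NOACCESS":
            if not best["warn"]:
                return {"blocked": True, "by": best["type"], "warnings": warnings}
            warnings.append(best["type"] + " NOACCESS")
        elif best["usersrc"] == "MAP":
            mcauser = best["mcauser"]
    for r in rules:           # 3. BLOCKUSER is evaluated last, against the resulting MCAUSER
        if r["type"] == "BLOCKUSER" and fnmatchcase(channel, r["chl"]) and not r["warn"]:
            if mcauser in r["userlist"] or ("*MQADMIN" in r["userlist"] and mcauser in privileged):
                return {"blocked": True, "by": "BLOCKUSER", "mcauser": mcauser, "warnings": warnings}
    return {"blocked": False, "mcauser": mcauser, "warnings": warnings}

if __name__ == "__main__":
    print(runcheck(RULES, "TCI002.SVRCONN", "9.61.13.156", "jughead"))
    print(runcheck(RULES, "TCI002.SVRCONN", "9.61.13.156", "tcisvca", {"mqm", "tcisvca"}))
```

The first call passes jughead with only a warning from the back-stop; the second blocks tcisvca as soon as it is treated as privileged, which is the situation Peter suggests.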