| Author |
Message
|
| pardhunani143 |
 Posted: Sat Jul 27, 2013 11:06 am Post subject: BlockIp2 precedence |
 |
|
Novice
Joined: 23 Jul 2013
Posts: 22
|
Can someone please explain if BlockIP2 precedence with an example ???
I couldnot get much details from BlockIP2 website |
|
| Back to top |
|
 |
| Tibor |
| Posted: Sun Jul 28, 2013 10:03 am Post subject: |
|
|
Grand Master
Joined: 20 May 2001
Posts: 1033
Location: Hungary
|
| BlockIP2 is a security exit, so you can find more information about the channel exits in the Infocenter. |
|
| Back to top |
|
|
| JosephGramig |
| Posted: Mon Jul 29, 2013 4:44 am Post subject: |
|
|
Grand Master
Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA
|
|
| Back to top |
|
|
| Tibor |
| Posted: Mon Jul 29, 2013 5:01 am Post subject: |
|
|
Grand Master
Joined: 20 May 2001
Posts: 1033
Location: Hungary
|
| JosephGramig wrote: |
| Upgrade to WebSphere MQ 7.1/7.5 and use CHLAUTH rules. |
The logging feature is not implemented (yet), so we stay at BlockIP2 side... |
|
| Back to top |
|
|
| zpat |
| Posted: Mon Jul 29, 2013 5:07 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
As far as I know, BlockIP2 stops matching the conditions in the INI file as soon as one matches. This is documented in the BlockIP2 manual.
So you need to put the most specific ones before the least specific ones in the file.
At the very end you might want something like this (in case nothing else has matched).
Read the PDF supplied with the exit. |
|
| Back to top |
|
|
| exerk |
| Posted: Mon Jul 29, 2013 5:49 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| Tibor wrote: |
| JosephGramig wrote: |
| Upgrade to WebSphere MQ 7.1/7.5 and use CHLAUTH rules. |
The logging feature is not implemented (yet), so we stay at BlockIP2 side... |
Use them both, i.e. put the CHLAUTH rules in now, then when you retire BlockIP2 you only have to remove the relevant channel exit attributes. It also means that you are not unprotected while you make the switch. All the testing I have done so far proves they peacefully co-exist.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| JosephGramig |
| Posted: Mon Jul 29, 2013 7:17 am Post subject: |
|
|
Grand Master
Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA
|
| Tibor wrote: |
| JosephGramig wrote: |
| Upgrade to WebSphere MQ 7.1/7.5 and use CHLAUTH rules. |
The logging feature is not implemented (yet), so we stay at BlockIP2 side... |
You probably can add a rule that would always be violated but put it in WARN mode, so it does not take effect. That might provide the logging you are looking for... |
|
| Back to top |
|
|
| pardhunani143 |
| Posted: Mon Jul 29, 2013 7:04 pm Post subject: |
|
|
Novice
Joined: 23 Jul 2013
Posts: 22
|
BlockIP2 PDF file provides the information how sequencing is done in BlockIP2
In this order:
1. ProcessFile() See if configuration contains syntax errors.
2. CheckRunningChannels() See if channel limit is ok.
3. CheckConnectionPattern() see if the presented IP-address is accepted.
4. CheckBlockedUserId() see if we have a blocked user..
5. CheckUserId() see if user is in the positive list, if used.
6. CheckCONList() See if we have a CON= match, if used.
7. CheckSSLList() see if we have SSL= match, if used.
8. CheckBlankUser() check if we have a blank user..
9. CheckInvalidUsers() Check for special users...
Please explain the following
1.What is difference between sequencing and Precedence .Where does BlockIP2 fits in ?
2.Does BlockIP2 has precedence over different keywords if so what were they?
why am i asking for the information
I am doing research in comparing BlockIP2 and CHLAUTH and will submit an article in IBM Developer works soon
please help me ..
 |
|
| Back to top |
|
|
| exerk |
| Posted: Mon Jul 29, 2013 11:08 pm Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| pardhunani143 wrote: |
| What is difference between sequencing and Precedence? |
From the Oxford English dictionary:
PRECEDENCE: priority in importance, order, or rank
SEQUENCE: a particular order in which related things follow each other
Pretty much, in this case, they can be considered synonyms of each other.
Also, note what I stated in a previous post...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| zpat |
| Posted: Mon Jul 29, 2013 11:16 pm Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
We mainly use the CON feature of BlockIP2 - and note that this can also match blank userids (if they haven't been globally blocked).
For example, I can say if a blank userid (a common problem with Java applications) comes in from a certain IP address (and note that DNS names can be used), then assign a certain MCAUSER value.
I would caution against writing an article purely based on assumptions from reading a manual, you should get some actual experience with using BlockIP2 first. The documentation is far from perfect and some of the examples given are not particularly clear. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Tue Jul 30, 2013 6:51 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| pardhunani143 wrote: |
why am i asking for the information
I am doing research in comparing BlockIP2 and CHLAUTH and will submit an article in IBM Developer works soon
please help me .. |
Don't forget to list us all as coauthors. |
|
| Back to top |
|
|
| Tibor |
| Posted: Wed Jul 31, 2013 2:45 am Post subject: |
|
|
Grand Master
Joined: 20 May 2001
Posts: 1033
Location: Hungary
|
@mqjeff:  |
|
| Back to top |
|
|
| pardhunani143 |
| Posted: Thu Aug 08, 2013 11:36 pm Post subject: |
|
|
Novice
Joined: 23 Jul 2013
Posts: 22
|
I have installed MQ V7.1 on windows and configured BlockIP2 on server conection channel .I tried to ran some scenarios but couldnot find the BlockIP2 log file .
I am using default log path for BlockIP2 log and i couldnot find the log file in :C:\Program Files (x86)\IBM\WebSphere MQ\exits
plese help |
|
| Back to top |
|
|
| Tibor |
| Posted: Thu Aug 08, 2013 11:48 pm Post subject: |
|
|
Grand Master
Joined: 20 May 2001
Posts: 1033
Location: Hungary
|
| Didn't you find any error in the queue manager error log files? |
|
| Back to top |
|
|
| pardhunani143 |
| Posted: Fri Aug 09, 2013 1:52 am Post subject: |
|
|
Novice
Joined: 23 Jul 2013
Posts: 22
|
| No errors received.did BlockIP2 supports for MQ V7.1 . |
|
| Back to top |
|
|
|
|
