MQSeries.net Forum Index » IBM MQ Security » Cannot get CHLAUTH Client ID Mapping to work

Post new topic  Reply to topic Goto page Previous  1, 2, 3
 Cannot get CHLAUTH Client ID Mapping to work « View previous topic :: View next topic » 
Author Message
PeterPotkay (Poobah), posted Thu Oct 17, 2013 12:23 pm
Further testing shows that over an open channel with no MCAUSER and no CHLAUTH rule, if I try and access a queue I don’t have authority to access I get the same user ID in lowercase in the MQ error logs. But over the channel blocked by CHLAUTH I get lowercase from work and uppercase from home.

What’s up with that? CHLAUTH sees the ID differently than OAM based on the fact that the client connection is over a VPN?!

From the office, intranet connection, no VPN
Code:
----- amqrmrsa.c : 898 --------------------------------------------------------
10/17/2013 07:23:24 AM - Process(46621.8716) User(mqm) Program(amqzlaa0)
                    Host(myServer) Installation(Installation1)
                    VRMF(7.5.0.2) QMgr(MYQM)
                   
AMQ8077: Entity 'pp12345     ' has insufficient authority to access object
'MY.QUEUE'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: put
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.

From Home over VPN:
Code:
----- amqzfubx.c : 624 --------------------------------------------------------
10/17/2013 03:51:47 PM - Process(46621.8872) User(mqm) Program(amqzlaa0)
                    Host(myServer) Installation(Installation1)
                    VRMF(7.5.0.2) QMgr(MYQM)
                   
AMQ8077: Entity 'pp12345     ' has insufficient authority to access object
'MY.QUEUE'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: put
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
----- amqzfubx.c : 624 --------------------------------------------------------

And over the channel with the blocking ADDRESSMAP rule.

From the office, intranet connection, no VPN
Code:
----- amqrmrsa.c : 898 --------------------------------------------------------
10/16/2013 12:48:20 PM - Process(47087.5704) User(mqm) Program(amqrmppa)
                    Host(myServer) Installation(Installation1)
                    VRMF(7.5.0.2) QMgr(MYQM)
                   
AMQ9777: Channel was blocked

EXPLANATION:
The inbound channel 'PETER.TEST.3' was blocked from address '11.111.2.333'
because the active values of the channel matched a record configured with
USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(pp12345)'.
ACTION:
Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been
configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
authentication records are used. The command DISPLAY CHLAUTH can be used to
query the channel authentication records.


From Home over VPN:
Code:
----- amqrmrsa.c : 898 --------------------------------------------------------
10/16/2013 08:04:13 PM - Process(47087.5793) User(mqm) Program(amqrmppa)
                    Host(myServer) Installation(Installation1)
                    VRMF(7.5.0.2) QMgr(MYQM)
                   
AMQ9777: Channel was blocked

EXPLANATION:
The inbound channel 'PETER.TEST.3' was blocked from address '11.222.333.444'
because the active values of the channel matched a record configured with
USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(PP12345)'.
ACTION:
Contact the systems administrator, who should examine the channel
authentication records to ensure that the correct settings have been
configured. The ALTER QMGR CHLAUTH switch is used to control whether channel
authentication records are used. The command DISPLAY CHLAUTH can be used to
query the channel authentication records.

_________________
Peter Potkay
Keep Calm and MQ On
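The two error messages quoted above come from different components: AMQ8077 is the OAM reporting the `Entity` it checked, AMQ9777 is CHLAUTH reporting the `CLNTUSER` it matched. When the same person shows up as `pp12345` in one and `PP12345` in the other, the quickest way to see the pattern across a whole log is to parse both message types and group every spelling under its lowercase form. The script below is an added example written for this thread, not code from MQSeries.net, IBM or the poster; it assumes the error-log layout of the entries quoted above (entries separated by `----- file.c : nnn -----` lines), and `SAMPLE_LOG` is a constructed, shortened copy of those entries.

```python
"""Spot a client user ID that MQ components report in different case.

Added example for this thread (not MQSeries.net or IBM code). Parses
AMQERR0n.LOG-style entries: AMQ8077 (the OAM's view, "Entity '...'") and
AMQ9777 (CHLAUTH's view, "CLNTUSER(...)"), then groups every spelling of a
user ID under its lowercase form so pp12345 / PP12345 stands out.
SAMPLE_LOG is constructed from the thread's quoted entries, shortened.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
----- amqrmrsa.c : 898 --------------------------------------------------------
10/17/2013 07:23:24 AM - Process(46621.8716) User(mqm) Program(amqzlaa0)
AMQ8077: Entity 'pp12345     ' has insufficient authority to access object
'MY.QUEUE'.
----- amqrmrsa.c : 898 --------------------------------------------------------
10/16/2013 12:48:20 PM - Process(47087.5704) User(mqm) Program(amqrmppa)
AMQ9777: Channel was blocked
The inbound channel 'PETER.TEST.3' was blocked from address '11.111.2.333'
because the active values of the channel matched a record configured with
USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(pp12345)'.
----- amqrmrsa.c : 898 --------------------------------------------------------
10/16/2013 08:04:13 PM - Process(47087.5793) User(mqm) Program(amqrmppa)
AMQ9777: Channel was blocked
The inbound channel 'PETER.TEST.3' was blocked from address '11.222.333.444'
because the active values of the channel matched a record configured with
USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(PP12345)'.
----- amqrmrsa.c : 898 --------------------------------------------------------
"""

# One entry is the text between two "----- file.c : line ----" separators.
ENTRY_SEP = re.compile(r"^-{5} \S+ : \d+ -+ *$", re.MULTILINE)
TIMESTAMP = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)", re.MULTILINE)
MSGCODE = re.compile(r"^(AMQ\d{4}): ", re.MULTILINE)
ENTITY = re.compile(r"Entity '([^']*)'")           # OAM pads the ID with blanks
OBJECT = re.compile(r"access object\s*'([^']*)'")   # object name may wrap a line
ADDRESS = re.compile(r"from address '([^']*)'")
CLNTUSER = re.compile(r"CLNTUSER\(([^)]*)\)")


def parse_entries(log_text):
    """Return one dict per AMQ8077 / AMQ9777 entry; other messages are skipped."""
    entries = []
    for chunk in ENTRY_SEP.split(log_text):
        code = MSGCODE.search(chunk)
        if not code or code.group(1) not in ("AMQ8077", "AMQ9777"):
            continue
        ts = TIMESTAMP.search(chunk)
        entry = {"code": code.group(1), "time": ts.group(1) if ts else None}
        if entry["code"] == "AMQ8077":            # OAM authority failure
            ent, obj = ENTITY.search(chunk), OBJECT.search(chunk)
            entry["source"] = "OAM"
            entry["user"] = ent.group(1).strip() if ent else None
            entry["object"] = obj.group(1) if obj else None
        else:                                     # AMQ9777: CHLAUTH blocked it
            usr, adr = CLNTUSER.search(chunk), ADDRESS.search(chunk)
            entry["source"] = "CHLAUTH"
            entry["user"] = usr.group(1) if usr else None
            entry["address"] = adr.group(1) if adr else None
        entries.append(entry)
    return entries


def spellings_by_user(entries):
    """Map each user ID (lowercased) to the set of (source, spelling) observed."""
    seen = defaultdict(set)
    for e in entries:
        if e.get("user"):
            seen[e["user"].lower()].add((e["source"], e["user"]))
    return dict(seen)


def find_case_mismatches(entries):
    """User IDs that were reported in more than one case, with the spellings."""
    result = {}
    for uid, pairs in spellings_by_user(entries).items():
        forms = sorted({spelling for _, spelling in pairs})
        if len(forms) > 1:
            result[uid] = forms
    return result


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for e in parsed:
        print(f"{e['time']}  {e['code']}  {e['source']:<7} user={e['user']!r}")
    for uid, forms in find_case_mismatches(parsed).items():
        print(f"case mismatch for {uid}: {forms}")
```

Run it against a real AMQERR01.LOG by replacing `SAMPLE_LOG` with the file contents; the `address` field on the AMQ9777 entries is what lets you line up each spelling with the office or VPN path the client came in on, which is exactly the comparison the two quoted messages invite.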
hughson (Padawan, Bay of Plenty, New Zealand), posted Fri Oct 18, 2013 12:38 am
I believe the OAM always lowercases before using a user ID. So that would explain why it doesn't have the issue, but it is very odd that the VPN scenario presents it as upper case. I take it everything else is the same - same client application, no exits in both cases etc?

If so, I would suggest raising a PMR so some trace of the inbound flows can be looked at to see what's up. Perhaps a trace of both sides in fact.

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
markt (Knight), posted Fri Oct 18, 2013 1:07 am
The Unix OAM does not lowercase anything. It just processes what it's been given by other bits of the qmgr/channel. The AS/400 variant of the Unix OAM does process everything in uppercase though. On Unix, we can handle mixed-case ids if someone has used one. [Create a user called "Root" and watch the fun.]

The Windows OAM does lowercase things, but it doesn't matter there because Windows ids are case-insensitive.

While a full qmgr trace is not generally useful outside the service team, the OAM does have some pieces of comprehensible output including info about what object is being checked for which user and which permission. The "Principal" is shown in the trace output.
PeterPotkay (Poobah), posted Fri Oct 18, 2013 3:58 am
hughson wrote:
    I take it everything else is the same - same client application, no exits in both cases etc?

I was very careful to do the same exact thing from work or from home and repeated it now 6 days/nights.

Once I had my channels and CHLAUTH rules established as documented in this thread, all my test consisted of was opening a command prompt on my laptop, setting MQSERVER, executing amqscnxc, executing amqsputc. Very simple, and so I am confident that the only variable was the connection method - either over the intranet when in the office, or over a VPN connection when at home and connected over the internet.
_________________
Peter Potkay
Keep Calm and MQ On