BlockIP2 userids question
alexf400
Posted: Tue Aug 12, 2014 11:37 pm  Post subject: BlockIP2 userids question
Newbie
Joined: 10 Apr 2014  Posts: 8

Hi
I want to allow 3 userids from a single server access to a SVRCONN, with an MCAuser set.
Am I allowed to do this?
CON=servername;user1,user2,user3;MCA=mquser;
or do I have to use Patterns and Userids?
The manual implies that the CON statement can have userids, but also that concatenation is handled by Patterns.
Thanks for any help.

zpat
Posted: Tue Aug 12, 2014 11:44 pm
Jedi Council
Joined: 19 May 2001  Posts: 5866  Location: UK

Easy enough to try it.
Your list will work as you have coded it.
Each id in the list can be a pattern or just a single userid.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.

alexf400
Posted: Wed Aug 13, 2014 3:13 am
Newbie
Joined: 10 Apr 2014  Posts: 8

Thanks
looks like I'm only constrained to the 79 characters allowed in the CON= statement.
If I do have to do a longer user list and use the Patterns= and Users= commands, can I specify the MCA User? Or do I just have to set the MCA User on the SVRCONN channel?

zpat
Posted: Wed Aug 13, 2014 3:42 am
Jedi Council
Joined: 19 May 2001  Posts: 5866  Location: UK

You can always have multiple statements for the same servername.
BlockIP2 will keep processing rules until it sets the MCA (or runs out of rules).
The MCAUSER on the SVRCONN channel definition should be set to a dummy value (such as NoBody).
In addition your very last BlockIP2 rule should be a catch-all such as this
CON=*;*;MCA=*;
This allows users to keep the id passed in, if not otherwise mapped or blocked in previous rules.
For example I use a rule like this to prevent use of admin ids for client connections (and block blank ids unless previously mapped).
CON=*;mq*,root,qpasa*,wmb*,mqsi*;BLOCK;
CON=*;BLANK_USERID;BLOCK;
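
The rule processing described in the reply above, as an added Python model that is not part of the original posts and is not BlockIP2's own code. It assumes shell-style, case-sensitive wildcard matching, that BLANK_USERID means an empty userid, and that running out of rules leaves the channel's dummy MCAUSER in effect; `parse_rule`, `user_matches` and `evaluate` are hypothetical names.

```python
from fnmatch import fnmatchcase

# Rules quoted in the thread, ordered as the replies imply:
# mappings first, then blocks, then the catch-all last.
RULES = """\
CON=servername;user1,user2,user3;MCA=mquser;
CON=*;mq*,root,qpasa*,wmb*,mqsi*;BLOCK;
CON=*;BLANK_USERID;BLOCK;
CON=*;*;MCA=*;
"""

def parse_rule(line):
    """Split 'CON=host;users;ACTION;' into (host, [user patterns], action)."""
    parts = line.strip().rstrip(";").split(";")
    if len(parts) != 3 or not parts[0].startswith("CON="):
        raise ValueError(f"not a CON rule: {line!r}")
    return parts[0][4:], parts[1].split(","), parts[2]

def user_matches(pattern, userid):
    # Assumption: BLANK_USERID stands for an empty userid.
    if pattern == "BLANK_USERID":
        return userid == ""
    return fnmatchcase(userid, pattern)

def evaluate(rules_text, host, userid, channel_mcauser="NoBody"):
    """Model of top-down processing: stop at the first BLOCK or MCA= hit."""
    for line in filter(str.strip, rules_text.splitlines()):
        host_pat, user_pats, action = parse_rule(line)
        if not fnmatchcase(host, host_pat):
            continue
        if not any(user_matches(p, userid) for p in user_pats):
            continue
        if action == "BLOCK":
            return ("BLOCK", None)
        if action.startswith("MCA="):
            mca = action[4:]
            # MCA=* keeps the id the client passed in.
            return ("MCA", userid if mca == "*" else mca)
        raise ValueError(f"unknown action: {action!r}")
    # Ran out of rules: assume the dummy MCAUSER on the SVRCONN applies.
    return ("MCA", channel_mcauser)

if __name__ == "__main__":
    # Constructed sample connections (host, userid passed in by the client).
    for host, user in [("servername", "user2"), ("servername", "root"),
                       ("otherhost", "mqsiadmin"), ("otherhost", ""),
                       ("otherhost", "appuser")]:
        print(f"{host!r:14} {user!r:12} -> {evaluate(RULES, host, user)}")
```

In this model, placing the catch-all rule ahead of the BLOCK rules lets `root` through with its own id, which is why it belongs last.
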

alexf400
Posted: Wed Aug 13, 2014 5:45 am
Newbie
Joined: 10 Apr 2014  Posts: 8

That's great, thanks for your help!