| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Understanding client connection and channel security |
« View previous topic :: View next topic » |
| Author |
Message
|
| pintrader |
 Posted: Fri Aug 22, 2014 12:58 am Post subject: Understanding client connection and channel security |
 |
|
Disciple
Joined: 22 Jan 2014
Posts: 164
|
hi,
Am trying to use the sample program supplied from IBM , amqscnxc to connect to a QMGR.
1) Client is in Unix environment (C1)
2) QMGR is also in Unix environment (QM1)
At machine QM1, I created an Unix user called mquser and set up a QMGR and created a SVRCONN channel:
define channel(C1.TO.QM1) chltype(SVRCONN) trptype(TCP) SSLCAUTH(OPTIONAL)
then I set channel auth to map mcauser to mquser
set chlauth(C1.TO.QM1) type(USERMAP) CLNTUSER('mquser') USERSRC(MAP) MCAUSER('mquser')
After that, allow mquser to connect to QMGR:
setmqaut -m QMGR -t qmgr -p mquser +connect +dsp +inq
At client machine C1, I log in as mqm and I use this command to test a connection to QMGR:
amqscnxc -x "10.10.10.10(1414)" -u mquser -c C1.TO.QM1 QMGR
However, i get MQCONNX ended with reason code 2035
error.
Then I create mquser at C1, and re-tried the command and it works. May I ask, is this behaviour due to the CLNTUSR parameter when I did the set chlauth() command?
From the doc for CLNUSR, it says The client asserted user ID to be mapped to a new user ID or blocked.. Hence, at C1, a unix user must be created, right?
If I don't wish to create a Unix user at C1 but would still wish to connect to QM1, what should be the correct set chlauth() command? I have tried using an ADDRESSMAP instead so that at C1, there is no need to define a UNIX user. But just want to make sure using ADDRESSMAP is one viable way.
This is because my client applications would only need to know the channel name or Qmgr to connect to and would not need to specify a user in the application.
thanks |
|
| Back to top |
|
 |
| smdavies99 |
| Posted: Fri Aug 22, 2014 1:54 am Post subject: |
|
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
| Quote: |
If I don't wish to create a Unix user at C1 but would still wish to connect to QM1, what should be the correct set chlauth() command? I have tried using an ADDRESSMAP instead so that at C1, there is no need to define a UNIX user. But just want to make sure using ADDRESSMAP is one viable way.
|
You can allow access from a specific IP address but first verify that your assumptions are correct by doing a
| Code: |
dis chlauth(C1.TO.QM1)
|
You may see something like
| Code: |
CHLAUTH(C1.TO.QM1) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) USERSRC(NOACCESS)
WARN(NO) ALTDATE(2014-08-22)
ALTTIME(08.41.26)
|
note the USERSRC param value.
Then you can create a rule that allows an undefined user from a specific IP address (or range) to MAP to an authorized user.
See here--> http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.ref.adm.doc/q086630_.htm?lang=en
for example (on my test server)
| Code: |
SET CHLAUTH('MQTEST.SVRCONN') TYPE(USERMAP) CLNTUSER('nomquser') +
USERSRC(CHANNEL) ADDRESS('*') +
DESCR('allow user at 192.168.27.146') ACTION(ADD)
|
however that only goes part of the way.
That will allow the user to get past the channel but you will still need to auth access to the queue manager and queues. You will see something like
| Code: |
AMQ8077: Entity 'nomquser@int02' has insufficient authority to access object
'MQTEST'.
|
in the AMQERR01.log file.
Then you have a choice
1) auth the user (without an account) access to the QMGR and queues
2) Map the connection user to one that is allowed
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
|
| pintrader |
| Posted: Mon Aug 25, 2014 5:35 am Post subject: |
|
|
Disciple
Joined: 22 Jan 2014
Posts: 164
|
| smdavies99 wrote: |
| Quote: |
If I don't wish to create a Unix user at C1 but would still wish to connect to QM1, what should be the correct set chlauth() command? I have tried using an ADDRESSMAP instead so that at C1, there is no need to define a UNIX user. But just want to make sure using ADDRESSMAP is one viable way.
|
You can allow access from a specific IP address but first verify that your assumptions are correct by doing a
| Code: |
dis chlauth(C1.TO.QM1)
|
You may see something like
| Code: |
CHLAUTH(C1.TO.QM1) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) USERSRC(NOACCESS)
WARN(NO) ALTDATE(2014-08-22)
ALTTIME(08.41.26)
|
note the USERSRC param value.
Then you can create a rule that allows an undefined user from a specific IP address (or range) to MAP to an authorized user.
See here--> http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.ref.adm.doc/q086630_.htm?lang=en
for example (on my test server)
| Code: |
SET CHLAUTH('MQTEST.SVRCONN') TYPE(USERMAP) CLNTUSER('nomquser') +
USERSRC(CHANNEL) ADDRESS('*') +
DESCR('allow user at 192.168.27.146') ACTION(ADD)
|
however that only goes part of the way.
That will allow the user to get past the channel but you will still need to auth access to the queue manager and queues. You will see something like
| Code: |
AMQ8077: Entity 'nomquser@int02' has insufficient authority to access object
'MQTEST'.
|
in the AMQERR01.log file.
Then you have a choice
1) auth the user (without an account) access to the QMGR and queues
2) Map the connection user to one that is allowed |
thanks for the reply. appreciate it |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
