| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Authentication assertions on MCA channel agents |
« View previous topic :: View next topic » |
| Author |
Message
|
| smeunier |
 Posted: Thu Jul 30, 2015 1:17 pm Post subject: Authentication assertions on MCA channel agents |
 |
|
Partisan
Joined: 19 Aug 2002
Posts: 305
Location: Green Mountains of Vermont
|
For MCS channels, the identity asserted is the name of the remote QMGR. So in a sender/receiver pair, with names of SNDRQMGR and RCVRQMGR, the id flowed to RCVRQMGR would be SNDRQMGR? This would be the id that I could then do CHLAUTH checking against? Is this correct?
I want to provide receiver channel CHLAUTH rule for checking against known QMGRS. I'm taking a leap of faith that the id flowed by assertion cannot be manipulated during the send as it is coming via a MCA channel under the control of MQ. Since the same qmgr name could be defined on multiple servers(even a clients test instance), I would also apply IP boundaries.
I'm trying to get down to the level, where all the channel can do is +put to the queue based on the mcauserid I specify in the CHLAUTH rule. Perhaps it is just easier by specifying the mcauserid on the local QMGR receiver channel and authenticate against that and leave the CHLAUTH out of it entirely. My desire in using the CHLAUTH was to centralize the authentication rules, rather than intermix them with CHLAUTH and MQ Object definition mcauserid properties.
I digressed a bit, but wanted to know about the assertion on MCA, but in context of what I was doing. |
|
| Back to top |
|
 |
| bruce2359 |
| Posted: Thu Jul 30, 2015 1:40 pm Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.
|
The asserted identity is that identity that must be used to access the resource in question.
A RCVR message channel agent (MCA) needs to MQOPEN queues at the receiver end of a channel. The asserted identity of a RCVR MCA must be an identity that has authority to MQOPEN the destination queue named in the transmission queue header (for message-by-message security) or to MQOPEN whichever queues it needs to open.
MCS channel?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Fri Jul 31, 2015 4:32 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY
|
| bruce2359 wrote: |
The asserted identity is that identity that must be used to access the resource in question.
A RCVR message channel agent (MCA) needs to MQOPEN queues at the receiver end of a channel. The asserted identity of a RCVR MCA must be an identity that has authority to MQOPEN the destination queue named in the transmission queue header (for message-by-message security) or to MQOPEN whichever queues it needs to open.
MCS channel? |
Important and not to forget, it also must be able to put to the DLQ if the channel/qmgr is using it. 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| exerk |
| Posted: Fri Jul 31, 2015 5:49 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| fjb_saper wrote: |
| Important and not to forget, it also must be able to put to the DLQ if the channel/qmgr is using it. |
Assuming the USEDLQ attribute has not been set to NO 
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| smeunier |
| Posted: Fri Jul 31, 2015 6:36 am Post subject: |
|
|
Partisan
Joined: 19 Aug 2002
Posts: 305
Location: Green Mountains of Vermont
|
| bruce2359 wrote: |
The asserted identity is that identity that must be used to access the resource in question.
A RCVR message channel agent (MCA) needs to MQOPEN queues at the receiver end of a channel. The asserted identity of a RCVR MCA must be an identity that has authority to MQOPEN the destination queue named in the transmission queue header (for message-by-message security) or to MQOPEN whichever queues it needs to open.
MCS channel? |
MCS Channel was a typo on my part. It should have read MCA channel. Thanks for your reply. |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
