fjb_saper |
Posted: Wed Mar 09, 2016 11:58 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
mlotfi wrote: |
2) was that IP address you put in this code randomly chosen?
Code: |
SET CHLAUTH(NONPRIV.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('9.10.20.30') MCAUSER('morag2')
|
Thanks, I appreciate your help. |
The address you see is not random. It is the address from which the call to the qmgr originates. The same way the MCAUSER needs to be a user that has authority on the queue manager.
Have fun
_________________
MQ & Broker admin
 |
mqjeff |
Posted: Wed Mar 09, 2016 12:07 pm
Grand Master
Joined: 25 Jun 2008 Posts: 17447
fjb_saper wrote: |
mlotfi wrote: |
2) was that IP address you put in this code randomly chosen?
Code: |
SET CHLAUTH(NONPRIV.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('9.10.20.30') MCAUSER('morag2')
|
Thanks, I appreciate your help. |
The address you see is not random. |
The specific value '9.10.20.30' is meaningless, and chosen "at random".
_________________
chmod -R ugo-wx /
 |
bruce2359 |
Posted: Wed Mar 09, 2016 1:00 pm
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
Did you mean pseudo-random?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
 |
mqjeff |
Posted: Wed Mar 09, 2016 1:33 pm
Grand Master
Joined: 25 Jun 2008 Posts: 17447
bruce2359 wrote: |
Did you mean pseudo-random? |
I meant without regard for anything other than aesthetic qualities.
Not to put intentions in Morag's actions, however. I'm sure she'll be along to pass out as needed
_________________
chmod -R ugo-wx /
 |
hughson |
Posted: Fri Mar 11, 2016 12:56 am
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
mlotfi wrote: |
1) I am new to Linux, I am using a Vagrant virtual machine with MQ8 installed, where do I put my sh script?
and how will it be executed? |
I'm not sure what sh script you are referring to. If you mean an MQSC script within which you place the MQSC commands you've been talking about, then you can put it wherever you want, and run it using the runmqsc command.
mlotfi wrote: |
2) was that IP address you put in this code randomly chosen?
Code: |
SET CHLAUTH(NONPRIV.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('9.10.20.30') MCAUSER('morag2')
|
|
The text in the article you got that command from tries to tell you about it in this text.
In MQDev Blog Post, Morag Hughson wrote: |
Having defined it, we will create our CHLAUTH rules, a backstop rule just as in Pattern 1, and a single IP address rule that allows only your client machine to connect and maps the connection to use your newly created non-privileged user ID.
Code: |
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('BackStop rule') |
Code: |
SET CHLAUTH(NONPRIV.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('9.10.20.30') MCAUSER('morag2') |
|
The IP address in the above command should be the IP address of the client machine. The client machine is the one you are allowing inbound connectivity into the queue manager with that CHLAUTH rule. The exact IP address 9.10.20.30 probably doesn't exist in the real world and was invented to avoid providing real IP addresses in the example. It starts with "9." because all IBM addresses are so. The rest is just made up "10.20.30" in a pattern I hoped would be obviously made up. Sometimes I used "9.10.11.12" for the same reason.
Hope that helps.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
 |
mlotfi |
Posted: Sat Mar 12, 2016 5:10 pm
Acolyte
Joined: 07 Jul 2015 Posts: 60
Thanks a lot Morag, I like your explanation, I wish you wrote a book explaining all these things for newbies like me, I appreciate the time you spent writing the article and responding to our questions, and everybody in this forum is helpful too, thanks to all.
 |
hughson |
Posted: Sun Mar 13, 2016 1:41 am
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
Well....
I'm not writing a book, but I am trying to put together some online MQ courses for beginners to MQ. I will make sure I post on mqseries.net when they are live.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
 |
cicsprog |
Posted: Tue Jul 19, 2016 6:30 am
Partisan
Joined: 27 Jan 2002 Posts: 347
 |
fjb_saper |
Posted: Tue Jul 19, 2016 6:44 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Jason, if you do not want to impact existing channels you can still create the backstop rule but restrict it to a specific channel. So instead of doing it for channel (*) you do it for channel(xyz).
Hope this helps.
_________________
MQ & Broker admin
 |
hughson |
Posted: Tue Jul 19, 2016 4:50 pm
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
The general purpose back-stop rule applies across all channels, but if you just want to make sure there's a drop-through to block unaccepted users on one specific channel, you can create the back-stop rule just on one channel.
A back-stop rule is the last resort rule when you have various other mapping rules. If none of the mapping rules match it drops through to the back-stop rule.
If you just have one rule that says what to do with a channel like, say,
SET CHLAUTH(channel-name) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED)
where you're adopting the password verified user id passed in by the application (and so your CONNAUTH object has ADOPTCHK(YES)) then you're not going to need a per channel back-stop rule because all channels are going to match that one rule already.
Sorry I didn't see this post until now - I had a long email to write first!
Hope that helps.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
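
The per-channel back-stop discussed in the last two posts, written out as an added MQSC example (not code posted by anyone in this thread). It reuses the channel name, addresses and user ID from the commands quoted earlier; the CLNTUSER value 'appuser' and the DESCR texts are constructed for illustration.

```mqsc
* Back-stop for this one channel only: block every address that no
* more specific rule on NONPRIV.SVRCONN maps. Rules on other channels
* are not affected, unlike the general SET CHLAUTH('*') back-stop.
SET CHLAUTH(NONPRIV.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) +
    DESCR('Back-stop for NONPRIV.SVRCONN only') +
    ACTION(REPLACE)

* Mapping rule: the client machine's address is allowed in and runs
* as the non-privileged user ID. A specific address is a closer match
* than '*', so this rule wins for that one machine.
SET CHLAUTH(NONPRIV.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('9.10.20.30') +
    MCAUSER('morag2') +
    DESCR('Client machine mapped to non-privileged ID') +
    ACTION(REPLACE)

* List every rule now defined for the channel.
DISPLAY CHLAUTH(NONPRIV.SVRCONN) ALL

* Ask the queue manager which rule an inbound connection would match.
* Allowed client machine: expect the MCAUSER('morag2') mapping rule.
DISPLAY CHLAUTH(NONPRIV.SVRCONN) MATCH(RUNCHECK) +
    ADDRESS('9.10.20.30') CLNTUSER('appuser')

* Any other address: expect the drop-through to USERSRC(NOACCESS).
DISPLAY CHLAUTH(NONPRIV.SVRCONN) MATCH(RUNCHECK) +
    ADDRESS('9.10.11.12') CLNTUSER('appuser')
```

Save the commands in a file and feed it to runmqsc for your queue manager. The two RUNCHECK displays confirm the drop-through behaviour before any real client connects.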