Mangesh1187
Posted: Wed Jul 20, 2016 1:29 am Post subject: CHANNEL AUTHENTICATION summarized
Centurion
Joined: 23 Mar 2013 Posts: 116
Having gone through several docs and posts about CHLAUTH in MQ, I was trying to summarize the overall steps to define it.
Following are the steps you can consider one by one while creating the channel authentication rules:
1. Decide the name of the channel or channel pattern to which the rule should be applied. Can use a wildcard also.
Syntax: SET CHLAUTH('CHANNEL1'), SET CHLAUTH('CHANNEL*')
2. Choose whether to allow or block the inbound connections.
If you choose to allow, then decide whether you want to use the user ID flowing with the channel for further authorization in MQ or to map it to a fixed user ID.
Syntax (if allow & map the user ID): USERSRC(MAP) MCAUSER('usr1') { usr1 is the user ID that will be mapped to the flowing user ID of the channel
(if allow & use channel user ID): USERSRC(CHANNEL)
If you decided to block, decide if you want to block it in WARN mode or not.
If run in WARN mode, the rule will only throw a warning and won't actually block the inbound connection.
Syntax: USERSRC(NOACCESS) WARN(YES/NO) { default WARN(NO)
3. Decide depending on which identity of the inbound connection you want to ALLOW or BLOCK it. Below are the possibilities:
(a) SSL/TLS: TYPE(SSLPEERMAP) SSLPEER('Dn-Names') ADDRESS('Ip Address') { ADDRESS is optional
Distinguished Names can be CN, L etc. and can use a wildcard.
(b) Client app user ID: TYPE(SSLPEERMAP) CLNTUSER('user1') ADDRESS('Ip Address') { ADDRESS is optional
Block/allow if the client application is running with ID 'user1'.
(c) Remote QM name: TYPE(QMGRMAP) QMNAME('QM_Name') ADDRESS('Ip Address') { ADDRESS is optional
Block/allow the inbound connection if it's coming from a remote QM whose name matches QM_Name.
(d) IP address: TYPE(ADDRESSMAP) ADDRESS('Ip_Address')
Block/allow the inbound connection if it is coming from IP addresses which match the pattern Ip_Address.
4. Special scenarios with BLOCK.
(a) Using IP address: SET CHLAUTH('*') TYPE(BLOCKADDR) ADDRLIST('IPAddr1','IPAddr2','IPAddr3')
Use this if this rule is to be used by the listener to match the inbound connections before the channel name is known.
(b) Using final assigned user ID: TYPE(BLOCKUSER) USERLIST('usr1','usr2','usr3')
Use this option if you want this rule to match the user ID ultimately assigned to the inbound connection, either by other rules or a security exit.
It can be the user ID flowing with the channel or can be assigned by another app.
A special user ID *MQADMIN can be used for the privileged users.
Am I correct in saying the above, or have I missed anything? Any thoughts.......
smdavies99
Posted: Wed Jul 20, 2016 1:56 am Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
What version of MS are you using? It does make a difference.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
Mangesh1187
Posted: Wed Jul 20, 2016 2:05 am Post subject:
Centurion
Joined: 23 Mar 2013 Posts: 116
smdavies99 wrote:
    What version of MS are you using? It does make a difference.
It's MQ 7.5.0.3
hughson
Posted: Wed Jul 20, 2016 2:30 am Post subject: Re: CHANNEL AUTHENTICATION summarized
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
Mangesh1187 wrote:
    2. Choose whether to allow or block the inbound connections.
On this point I would say this:
Only make one blocking rule - the backstop rule. All your other rules should be allow rules that override the backstop rule. No doubt you've already read about the backstop rule in your research?
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
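The following MQSC script is an added example and is not from any post in this thread or from IBM's documentation; it pulls together the steps listed in the first post with the single-backstop-rule pattern Morag recommends above, so that all real blocking is done by one rule and every other record is an allow rule that overrides it. Channel names (APP.SVRCONN, ADMIN.SVRCONN, QM2.TO.QM1), addresses, the certificate DN and the user IDs are made up; the CLNTUSER record uses TYPE(USERMAP), which is the CHLAUTH type that takes the CLNTUSER attribute.

```mqsc
* Added example, run with: runmqsc QM1 < chlauth.mqsc
* All names and addresses below are placeholders.

* Make sure channel authentication is switched on for the queue manager.
ALTER QMGR CHLAUTH(ENABLED)

* Step 2 (block) + Morag's advice: exactly one blocking rule, the backstop.
* Generic channel name '*' and generic address '*' make this the least
* specific record, so any more specific allow rule below wins over it.
* WARN(YES) would make this audit-only (logged, not enforced); switch to
* WARN(NO) once the allow rules below are known to cover everyone legitimate.
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) WARN(NO) +
    DESCR('Backstop rule: block everything not explicitly allowed') +
    ACTION(REPLACE)

* Step 4(b): keep privileged IDs off every channel, whatever other rules
* or a security exit end up assigning as the MCA user.
SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN') +
    DESCR('Never let MQ administrators connect over a channel') +
    ACTION(REPLACE)

* Step 3(a): allow a TLS client by certificate DN, from one subnet only,
* and map it to a fixed, low-privilege user ID (USERSRC(MAP) + MCAUSER).
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=app1,OU=Payments,O=Example') ADDRESS('10.0.1.*') +
    USERSRC(MAP) MCAUSER('app1user') +
    DESCR('Allow app1 by certificate, run as app1user') +
    ACTION(REPLACE)

* Step 3(b): allow a client that asserts the OS user ID appsvc, again
* restricted to a subnet and mapped to a fixed ID.
SET CHLAUTH('APP.SVRCONN') TYPE(USERMAP) +
    CLNTUSER('appsvc') ADDRESS('10.0.1.*') +
    USERSRC(MAP) MCAUSER('app1user') +
    DESCR('Allow appsvc clients from the app subnet') +
    ACTION(REPLACE)

* Step 3(c): allow the receiver channel only when the sending queue
* manager is QM2 at its known address; messages arrive as qm2user.
SET CHLAUTH('QM2.TO.QM1') TYPE(QMGRMAP) +
    QMNAME('QM2') ADDRESS('10.0.2.5') +
    USERSRC(MAP) MCAUSER('qm2user') +
    DESCR('Allow QM2 sender channel, run as qm2user') +
    ACTION(REPLACE)

* Step 3(d): allow the admin channel from the ops network only, keeping
* the user ID that flows with the channel (USERSRC(CHANNEL)). Note the
* BLOCKUSER rule above still applies to whatever ID that turns out to be.
SET CHLAUTH('ADMIN.SVRCONN') TYPE(ADDRESSMAP) +
    ADDRESS('192.168.10.1-50') USERSRC(CHANNEL) +
    DESCR('Allow admin channel from ops workstations') +
    ACTION(REPLACE)

* Check the result: list every record, then ask the queue manager which
* rule a specific inbound connection would hit and what MCAUSER it gets.
DISPLAY CHLAUTH('*') ALL
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('10.0.1.7') CLNTUSER('appsvc')
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('10.0.9.7') CLNTUSER('appsvc')
```

The two MATCH(RUNCHECK) displays are the check worth keeping: the first should report the USERMAP record with MCAUSER(app1user), the second (an address outside the allowed subnet) should fall through to the backstop and report USERSRC(NOACCESS), which confirms the allow rules are as narrow as intended before any client is told the channel is open.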
hughson
Posted: Wed Jul 20, 2016 2:32 am Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
smdavies99 wrote:
    What version of MS are you using?
Has someone switched your 'Q' and 'S' keys around on the keyboard? I noticed you calling it 'MS' in another post as well.
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
smdavies99
Posted: Wed Jul 20, 2016 2:40 am Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
hughson wrote:
    smdavies99 wrote:
        What version of MS are you using?
    Has someone switched your 'Q' and 'S' keys around on the keyboard? I noticed you calling it 'MS' in another post as well.
Oops. Sorry Morag. I'll try to get my fingers to walk to the right keys in future.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
Mangesh1187
Posted: Thu Jul 21, 2016 2:40 am Post subject:
Centurion
Joined: 23 Mar 2013 Posts: 116
hughson wrote:
    Mangesh1187 wrote:
        2. Choose whether to allow or block the inbound connections.
    On this point I would say this:
    Only make one blocking rule - the backstop rule. All your other rules should be allow rules that override the backstop rule. No doubt you've already read about the backstop rule in your research?
Thanks Morag. Yes, I did look into your valuable post about the backstop rule.
The more I dig into understanding the CHLAUTH implementation, I find it's getting more interesting.