Bichu (Centurion; Joined: 16 Oct 2011; Posts: 124; Location: London)
Posted: Tue Aug 09, 2016 7:28 am
Post subject: Not able to connect to the channel
Hello Guys,
I am using WMQ v7.5.
I have created a new queue manager, created a SVRCONN channel and removed all the existing channel auth rules.
I have then put the back-stop rule back, as per Morag's blog:
    SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule')
after which I am not able to access.
Later I set channel auth on my client server connection channel as below:
    SET CHLAUTH(MYCLNT.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(xxx.xx.xxx.xxx) USERSRC(MAP) MCAUSER(mqm) ACTION(ADD)
But when I try to connect, it's not allowing, throwing this error message:
    Access not permitted. You are not authorized to perform this operation. (AMQ4036)
    Severity: 10 (Warning)
    Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access the object.
Where am I going wrong? How can I find out the user id associated with my request?
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Tue Aug 09, 2016 7:34 am
Post subject: Re: Not able to connect to the channel
Bichu wrote:
    Where am I going wrong?
You didn't read all of Morag's blog and/or you've overlooked the default channel authority rules that come with a v7.5 queue manager. One of which blocks remote admin access. Which I suspect is not as removed as you think.
Bichu wrote:
    How can I find out the user id associated with my request?
The short answer is "it's the one you set the connection to use", the slightly longer answer is "it's the one in the security event".
You should never use mqm as a user in a channel except for a very limited set of circumstances. That default rule exists for a very good reason.
Bichu
Posted: Tue Aug 09, 2016 8:19 am
Thanks Vitor.
Did you mean the 3 CHLAUTHs automatically created when creating a queue manager? If so, I have removed those.
These are the existing channel auths in my system now:
    DISPLAY CHLAUTH(*)
    1 : DISPLAY CHLAUTH(*)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(MYCLNT.SVRCONN) TYPE(ADDRESSMAP)
    ADDRESS(xx.xxx.xx.xx) MCAUSER(MQM)
    AMQ8878: Display channel authentication record details.
    CHLAUTH(*) TYPE(ADDRESSMAP)
    ADDRESS(*) USERSRC(NOACCESS)
I am trying this in a dev environment, after which I am planning to create a non-privileged user group and a user which I am planning to assign as MCAUSER.
Bichu
Posted: Tue Aug 09, 2016 9:11 am
When I checked the logs, I saw that:
    AMQ9777: Channel was blocked
    EXPLANATION:
    The inbound channel 'MYCLNT.SVRCONN' was blocked from address 'xx.xxx.xx.xxx'
    because the active values of the channel matched a record configured with
    USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(bichu)'.
I overcame this with the below CHLAUTH record:
    SET CHLAUTH(MYCLNT.SVRCONN) TYPE(USERMAP) CLNTUSER('bichu') USERSRC(CHANNEL) ACTION(ADD)
But how can I tell MQ to allow connections only if they come from a particular IP? I have tried ADDRESSMAP as stated above, but it's not working. Please help.
Vitor
Posted: Tue Aug 09, 2016 9:39 am
Bichu wrote:
    Did you mean the 3 CHLAUTHs automatically created when creating a queue manager? If so, I have removed those
Why? They exist for a reason.
Bichu wrote:
    I have tried ADDRESSMAP as stated above, but not working.
Yes it is. The 2 rules you quote above would produce exactly the result you're seeing. Re-read Morag's blog, which will also explain why your fix worked.
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI, NY)
Posted: Tue Aug 09, 2016 7:57 pm
    ADDRESS(xx.xxx.xx.xx) MCAUSER(MQM)
is very different from
    ADDRESS(xx.xxx.xx.xx) MCAUSER(mqm)
Remember that you need single quotes in runmqsc for lower case content!
Have fun.
Bichu
Posted: Wed Aug 10, 2016 7:02 am
I have gone through the below blogs by Morag. Thanks Morag for the beautiful explanation.
• I'm being blocked by CHLAUTH - how can I work out why?
• CHLAUTH - the back-stop rule
• Blocking IP addresses with CHLAUTH - Which Type to Use?
• A non-privileged MQ administrator
• CHLAUTH - Allow some privileged admins
I am able to figure out where my CHLAUTH went wrong. Now, it requires a new group and a user addition in Linux, for which I don't have access.
Before going with that, I want to confirm the solution for my requirement.
1. I would like to allow connections to a channel only if they come from a specific IP. Which is the best CHLAUTH rule for this?
2. I am planning to put a back-stop rule prior to this. If so, can I remove the default channel auth rules coming with v7.5?
smdavies99 (Jedi Council; Joined: 10 Feb 2003; Posts: 6076; Location: Somewhere over the Rainbow this side of Never-never land.)
Posted: Wed Aug 10, 2016 8:41 am
Have you looked at the MQ logs for hints as to how to solve the problems?
They can help, you know.
fjb_saper
Posted: Wed Aug 10, 2016 3:32 pm
No need to delete the default rules. Just read Morag's blogs, as she tells you how to set up your channel security to work with the default rules...
Have fun.
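The MQSC below is an added example written for this thread, not anything posted in it or taken from Morag's blogs. It covers the two things asked for (open one channel to one address only, and keep the back-stop together with the v7.5 default records) and the earlier question of working out which record a connection hits before the AMQ9777 shows up. The queue manager name QMDEV, the address 192.0.2.10, the blocked range 203.0.113.* and the OS user mqapp are assumptions; the channel name, the client user bichu and the back-stop record are the ones from the thread. Lower-case values are quoted throughout, because runmqsc folds an unquoted MCAUSER(mqm) to MCAUSER(MQM), which is the difference fjb_saper points out above.

```mqsc
* Added example: run inside "runmqsc QMDEV" (QMDEV is an assumed queue manager
* name). Lines beginning with * are runmqsc comments; a trailing + continues a line.

* CHLAUTH records are only consulted while checking is enabled on the queue manager
ALTER QMGR CHLAUTH(ENABLED)

* The three records a v7.5 queue manager is created with stay in place. They block
* privileged users (the mqm group) on every channel and close the SYSTEM.* channels
* to all addresses, so they do not need to be deleted or re-created:
*   SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN')
*   SET CHLAUTH('SYSTEM.ADMIN.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
*   SET CHLAUTH('SYSTEM.*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)

* Back-stop: nothing connects on any channel unless a more specific record says so
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule')

* The single opening: MYCLNT.SVRCONN, from 192.0.2.10 (assumed) only, and the
* channel runs as the non-privileged OS user mqapp (assumed) whatever user id the
* client asserts. Both the channel name and the address are more specific than
* the back-stop, so this record takes precedence for that one connection.
SET CHLAUTH('MYCLNT.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.10') +
    USERSRC(MAP) MCAUSER('mqapp') DESCR('App server only') ACTION(ADD)

* Optional: addresses that should not even get a TCP session with the listener.
* BLOCKADDR is applied before any channel is selected; its channel name must be '*'.
SET CHLAUTH('*') TYPE(BLOCKADDR) ADDRLIST('203.0.113.*')

* Verify without connecting. MATCH(RUNCHECK) evaluates the records the way the
* listener would for one inbound connection and reports the record that wins.
* The arguments are exactly the "active values" an AMQ9777 message lists.
DISPLAY CHLAUTH('MYCLNT.SVRCONN') MATCH(RUNCHECK) ADDRESS('192.0.2.10') CLNTUSER('bichu')

* Same channel and client user from an address the rules do not open
DISPLAY CHLAUTH('MYCLNT.SVRCONN') MATCH(RUNCHECK) ADDRESS('192.0.2.99') CLNTUSER('bichu')

* Review the complete set with every attribute, including MCAUSER and USERSRC
DISPLAY CHLAUTH('*') ALL

* For a channel that is already running, this shows the user id it is actually
* running under, which is the id the queue manager's authority checks see
DISPLAY CHSTATUS('MYCLNT.SVRCONN') MCAUSER
```

The first RUNCHECK should report the MYCLNT.SVRCONN record with MCAUSER(mqapp); the second should report the back-stop, because nothing more specific matches 192.0.2.99. CHLAUTH only decides which identity the channel runs as; whether that identity may connect and open objects is the OAM's decision, which is what AMQ4036 is reporting, so mqapp still needs setmqaut grants on the queue manager and the queues it uses. Two caveats worth keeping in mind: on Linux the MCAUSER must be a real, lower-case OS user, and a USERMAP record with USERSRC(CHANNEL), as in the workaround posted earlier, runs the channel under whatever user id the client chooses to send, so it trusts the client rather than restricting it.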