Not able to connect to the channel
Bichu
Posted: Tue Aug 09, 2016 7:28 am    Post subject: Not able to connect to the channel

Hello Guys,

I am using WMQ v7.5.
I have created a new queue manager, created a SVRCONN channel and removed all the existing channel auth rules.

I have then put in the back-stop rule as in Morag's blog:
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule')
after which I am not able to access it.

Later I set a channel auth rule on my client server connection channel as below:
SET CHLAUTH(MYCLNT.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(xxx.xx.xxx.xxx) USERSRC(MAP) MCAUSER(mqm) ACTION(ADD)

But when I try to connect, it's not allowing me, throwing an error message:
Access not permitted. You are not authorized to perform this operation. (AMQ4036)
Severity: 10 (Warning)
Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access the object.


Where am I going wrong? How can I find out the user id associated with my request?
Vitor
Posted: Tue Aug 09, 2016 7:34 am    Post subject: Re: Not able to connect to the channel


Bichu wrote:
Where am I going wrong?

You didn't read all of Morag's blog and/or you've overlooked the default channel authority rules that come with a v7.5 queue manager. One of which blocks remote admin access. Which I suspect is not as removed as you think.

Bichu wrote:
How can I find out the user id associated with my request?

The short answer is "it's the one you set the connection to use", the slightly longer answer is "it's the one in the security event".

You should never use mqm as a user in a channel except for a very limited set of circumstances. That default rule exists for a very good reason.
_________________
Honesty is the best policy.
Insanity is the best defence.
Bichu
Posted: Tue Aug 09, 2016 8:19 am


Thanks Vitor.

Did you mean the 3 CHLAUTHs automatically created when creating a queue manager? If so, I have removed those.

These are the existing channel auth records in my system now:

DISPLAY CHLAUTH(*)
1 : DISPLAY CHLAUTH(*)
AMQ8878: Display channel authentication record details.
CHLAUTH(MYCLNT.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(xx.xxx.xx.xx) MCAUSER(MQM)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)

I am trying this in a dev environment, after which I am planning to create a non-privileged user group and a user which I am planning to assign as MCAUSER.
Bichu
Posted: Tue Aug 09, 2016 9:11 am


When I checked the logs, I saw this:

AMQ9777: Channel was blocked

EXPLANATION:
The inbound channel 'MYCLNT.SVRCONN' was blocked from address 'xx.xxx.xx.xxx'
because the active values of the channel matched a record configured with
USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(bichu)'.

I overcame this with the below CHLAUTH record:
SET CHLAUTH(MYCLNT.SVRCONN) TYPE(USERMAP) CLNTUSER('bichu') USERSRC(CHANNEL) ACTION(ADD)

But how can I tell MQ to allow connections only if they come from a particular IP? I have tried ADDRESSMAP as stated above, but it is not working. Please help.
Vitor
Posted: Tue Aug 09, 2016 9:39 am


Bichu wrote:
Did you mean the 3 CHLAUTHs automatically created when creating a queue manager? If so, I have removed those.

Why? They exist for a reason.

Bichu wrote:
I have tried ADDRESSMAP as stated above, but it is not working.

Yes it is. The 2 rules you quote above would produce exactly the result you're seeing. Re-read Morag's blog, which will also explain why your fix worked.
_________________
Honesty is the best policy.
Insanity is the best defence.
fjb_saper
Posted: Tue Aug 09, 2016 7:57 pm


Code:
ADDRESS(xx.xxx.xx.xx) MCAUSER(MQM)

is very different from

Code:
ADDRESS(xx.xxx.xx.xx) MCAUSER(mqm)

Remember that you need single quotes in runmqsc for lower case content!

Have fun
_________________
MQ & Broker admin
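As an added illustration (not code from this thread, from IBM MQ or from any of the posters), a small Python audit of the three pitfalls that fjb_saper's and Vitor's replies point at in Bichu's DISPLAY CHLAUTH output: an unquoted MCAUSER folded to upper case by runmqsc, a mapping onto the mqm account that the default BLOCKUSER(*MQADMIN) rule refuses, and a client address covered only by the back-stop ADDRESS(*) NOACCESS rule. The listing and the TEST-NET addresses are constructed to mirror the thread, and the address matching and "most specific rule wins" logic are a simplified model of CHLAUTH evaluation, not IBM's implementation.

```python
import re

# Constructed sample shaped like the DISPLAY CHLAUTH(*) output quoted in the
# thread, with TEST-NET addresses standing in for the redacted ones.
SAMPLE_DISPLAY = """\
AMQ8878: Display channel authentication record details.
CHLAUTH(MYCLNT.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(192.0.2.10) MCAUSER(MQM)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
"""

def parse_chlauth(text):
    """One dict of ATTRIBUTE -> value per AMQ8878 record in runmqsc output."""
    blocks = re.split(r"AMQ8878:[^\n]*\n", text)
    return [r for r in (dict(re.findall(r"([A-Z]+)\(([^)]*)\)", b)) for b in blocks) if r]

def address_matches(pattern, address):
    """Simplified MQ IPv4 pattern: '*', a trailing '*' (9.20.*), per-octet '*' or a-b ranges."""
    parts = pattern.split(".")
    if parts[-1] == "*":                      # '*' or '9.20.*' covers the remaining octets
        parts += ["*"] * (4 - len(parts))
    octets = [int(o) for o in address.split(".")]
    def octet_ok(pat, val):
        if pat == "*":
            return True
        if "-" in pat:
            low, high = map(int, pat.split("-"))
            return low <= val <= high
        return int(pat) == val
    return len(parts) == 4 and all(octet_ok(p, o) for p, o in zip(parts, octets))

def audit(records, client_address):
    """Return (tag, message) findings for the pitfalls met in the thread."""
    findings = []
    for r in records:
        user = r.get("MCAUSER", "")
        if user and user.isupper():           # unquoted lower case is folded to upper by runmqsc
            findings.append(("CASE", f"{r['CHLAUTH']}: MCAUSER({user}) is upper case; write MCAUSER('{user.lower()}')"))
        if user.lower() == "mqm":             # the default BLOCKUSER(*MQADMIN) rule refuses this identity
            findings.append(("PRIVILEGED", f"{r['CHLAUTH']}: maps the connection onto the mqm account"))
    # Of the ADDRESSMAP rules covering this client the most specific address wins; approximated
    # here by counting wildcard characters, with a bare '*' ranked least specific of all.
    hits = [r for r in records if r.get("TYPE") == "ADDRESSMAP" and address_matches(r["ADDRESS"], client_address)]
    if hits:
        winner = min(hits, key=lambda r: r["ADDRESS"].count("*") + (4 if r["ADDRESS"] == "*" else 0))
        if winner.get("USERSRC") == "NOACCESS":
            findings.append(("BACKSTOP", f"{client_address} matches only ADDRESS({winner['ADDRESS']}) NOACCESS; blocked (AMQ9777)"))
    return findings
```

Running `audit(parse_chlauth(SAMPLE_DISPLAY), "192.0.2.100")` reports all three findings, while a client at 192.0.2.10 clears the back-stop but still trips the case and privileged-user checks.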
Bichu
Posted: Wed Aug 10, 2016 7:02 am


I have gone through the below blogs by Morag. Thanks Morag for the beautiful explanation.

• I'm being blocked by CHLAUTH - how can I work out why?
• CHLAUTH - the back-stop rule
• Blocking IP addresses with CHLAUTH - Which Type to Use?
• A non-privileged MQ administrator
• CHLAUTH - Allow some privileged admins

I am able to figure out where my CHLAUTH went wrong. Now, it requires a new group and a user addition in Linux, for which I don't have access.
Before going with that, I want to confirm the solution for my requirement.

1. I would like to allow connections to a channel only if they come from a specific IP. Which is the best CHLAUTH rule for this?

2. I am planning to put a back-stop rule prior to this. If so, can I remove the default channel auth rules coming with v7.5?
smdavies99
Posted: Wed Aug 10, 2016 8:41 am


Have you looked at the MQ logs for hints as to how to solve the problems?
They can help, you know.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
fjb_saper
Posted: Wed Aug 10, 2016 3:32 pm


No need to delete the default rules. Just read Morag's blogs, as she tells you how to set up your channel security to work with the default rules...

Have fun
_________________
MQ & Broker admin