ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexIBM MQ Installation/Configuration SupportCan we Add New CHLAUTH while channel is running?

Post new topicReply to topic
Can we Add New CHLAUTH while channel is running? View previous topic :: View next topic
Author Message
vicks_mq
PostPosted: Thu Apr 04, 2019 5:38 am Post subject: Can we Add New CHLAUTH while channel is running? Reply with quote

Voyager

Joined: 03 Oct 2017
Posts: 86

Hi, we have an application connecting via CLNCONN - SVRCONN channel.

We just added the following CHLAUTH on our SVRCONN channel while the channel was still RUNNING.

SET CHLAUTH('ABC.TO*') TYPE(ADDRESSMAP) ADDRESS('IPAddress1') USERSRC(CHANNEL) ACTION(ADD)
SET CHLAUTH('ABC.TO*') TYPE(ADDRESSMAP) ADDRESS('IPAddress2') USERSRC(CHANNEL) ACTION(ADD)

Do we need to do any refresh command at QMGR or does the application need to stop and start for it to take affect?
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Thu Apr 04, 2019 10:43 am Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7521

CHLAUTH rules are evaluated / enforced when at connection time.

Restart the app.
Or, restart the channel.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
vicks_mq
PostPosted: Thu Apr 04, 2019 11:00 am Post subject: Reply with quote

Voyager

Joined: 03 Oct 2017
Posts: 86

PeterPotkay wrote:
CHLAUTH rules are evaluated / enforced when at connection time.

Restart the app.
Or, restart the channel.


We have SVRCONN channel i think they can't be "restarted" from MQSC.
I can ask the application team to restart but it is PRD environment and they are not gonna be happy.
Back to top
View user's profile Send private message
Vitor
PostPosted: Thu Apr 04, 2019 11:05 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25552
Location: Ohio, USA

vicks_mq wrote:
I can ask the application team to restart but it is PRD environment and they are not gonna be happy.


It's a hard, cruel universe filled with injustice and pain.

Or that might just be my universe.

Anyway, this is why your Prod environment has change control, maintenance windows, rolling restart capabilities and all the other joy that fills our lives; sooner or later you have to do stuff like this. Or a DR test. Or (gasp) recovering from an application problem.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
Vitor
PostPosted: Thu Apr 04, 2019 11:07 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25552
Location: Ohio, USA

Unless your application team are Agile, in which case you can just wait until the end of their next sprint.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
vicks_mq
PostPosted: Thu Apr 04, 2019 11:08 am Post subject: Reply with quote

Voyager

Joined: 03 Oct 2017
Posts: 86

Vitor wrote:
vicks_mq wrote:
I can ask the application team to restart but it is PRD environment and they are not gonna be happy.


It's a hard, cruel universe filled with injustice and pain.

Or that might just be my universe.

Anyway, this is why your Prod environment has change control, maintenance windows, rolling restart capabilities and all the other joy that fills our lives; sooner or later you have to do stuff like this. Or a DR test. Or (gasp) recovering from an application problem.


Whenever we add any new SSL certificate in our QMGR , we just run a MQSC command "REFRESH Security" and it does the job and no one is wiser.

I was hoping that making changes in CHLAUTH also should have similar command which can reflect new changes.
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Thu Apr 04, 2019 11:08 am Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7521

vicks_mq wrote:

We have SVRCONN channel i think they can't be "restarted" from MQSC.


They can.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
Vitor
PostPosted: Thu Apr 04, 2019 11:38 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25552
Location: Ohio, USA

PeterPotkay wrote:
vicks_mq wrote:

We have SVRCONN channel i think they can't be "restarted" from MQSC.


They can.


To the possible annoyance of any application team whose application is currently connected to it.

Hence my comment about change windows and so forth.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
Vitor
PostPosted: Thu Apr 04, 2019 11:41 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25552
Location: Ohio, USA

vicks_mq wrote:
Whenever we add any new SSL certificate in our QMGR , we just run a MQSC command "REFRESH Security" and it does the job and no one is wiser.


Not quite the same thing; that's a change to the queue manager's internal configuration and if done incorrectly a lot of people can be unexpectedly the wiser.

vicks_mq wrote:
I was hoping that making changes in CHLAUTH also should have similar command which can reflect new changes.


Unless the new rules block someone unexpectedly.

But raise an RFE and post the link to gather support. Votes get changes......
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
mvic
PostPosted: Thu Apr 04, 2019 2:06 pm Post subject: Reply with quote

Jedi

Joined: 09 Mar 2004
Posts: 2078

Vitor wrote:
[But raise an RFE and post the link to gather support. Votes get changes......

I would have thought that changing/adding a CHLAUTH rule for CHL1 would have effect on the next client that connected to CHL1.
But I haven't tested that that is true.
(And I wonder if the OP has tested, and can tell us the answer to the question they first posted!).
My point is, maybe the OP already has the behavior they want, without need for an RFE.
Back to top
View user's profile Send private message
hughson
PostPosted: Fri Apr 05, 2019 12:02 am Post subject: Re: Can we Add New CHLAUTH while channel is running? Reply with quote

Grand Master

Joined: 09 May 2013
Posts: 1042
Location: Bay of Plenty, New Zealand

vicks_mq wrote:
Hi, we have an application connecting via CLNCONN - SVRCONN channel.

We just added the following CHLAUTH on our SVRCONN channel while the channel was still RUNNING.

SET CHLAUTH('ABC.TO*') TYPE(ADDRESSMAP) ADDRESS('IPAddress1') USERSRC(CHANNEL) ACTION(ADD)
SET CHLAUTH('ABC.TO*') TYPE(ADDRESSMAP) ADDRESS('IPAddress2') USERSRC(CHANNEL) ACTION(ADD)

Do we need to do any refresh command at QMGR or does the application need to stop and start for it to take affect?

How do these rules affect the currently running client application? You are adding two rules to allow client applications from two specific IP address to use the MCAUSER defined on the SVRCONN channel (or to use the flowed client side user ID if none is defined on the SVRCONN).

How are the client applications currently running? Are they gaining or losing access as a result of the addition of these CHLAUTH commands. Presumably they can't be gaining access or they would not currently be successfully running for you consider stopping them to pick up the change. If they are losing access that they currently shouldn't have, then shouldn't you be forcing them to stop [STOP CHANNEL(svrconn-name) MODE(FORCE) STATUS(INACTIVE)] to ensure that they do not continue to have access they shouldn't have?

If the new rules don't actually change how the applications are running, maybe just makes the CHLAUTH rules clearer - or maybe just in preparation to adding a backstop rule later, then just wait until they stop and restart naturally, and upon the next connection made from the client application, the new rules will be enforced.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
vicks_mq
PostPosted: Fri Apr 05, 2019 1:25 am Post subject: Re: Can we Add New CHLAUTH while channel is running? Reply with quote

Voyager

Joined: 03 Oct 2017
Posts: 86

hughson wrote:
vicks_mq wrote:
Hi, we have an application connecting via CLNCONN - SVRCONN channel.

We just added the following CHLAUTH on our SVRCONN channel while the channel was still RUNNING.

SET CHLAUTH('ABC.TO*') TYPE(ADDRESSMAP) ADDRESS('IPAddress1') USERSRC(CHANNEL) ACTION(ADD)
SET CHLAUTH('ABC.TO*') TYPE(ADDRESSMAP) ADDRESS('IPAddress2') USERSRC(CHANNEL) ACTION(ADD)

Do we need to do any refresh command at QMGR or does the application need to stop and start for it to take affect?

How do these rules affect the currently running client application? You are adding two rules to allow client applications from two specific IP address to use the MCAUSER defined on the SVRCONN channel (or to use the flowed client side user ID if none is defined on the SVRCONN).

How are the client applications currently running? Are they gaining or losing access as a result of the addition of these CHLAUTH commands. Presumably they can't be gaining access or they would not currently be successfully running for you consider stopping them to pick up the change. If they are losing access that they currently shouldn't have, then shouldn't you be forcing them to stop [STOP CHANNEL(svrconn-name) MODE(FORCE) STATUS(INACTIVE)] to ensure that they do not continue to have access they shouldn't have?

If the new rules don't actually change how the applications are running, maybe just makes the CHLAUTH rules clearer - or maybe just in preparation to adding a backstop rule later, then just wait until they stop and restart naturally, and upon the next connection made from the client application, the new rules will be enforced.

Cheers,
Morag

Hi Morag, yes earlier we had no CHLAUTH but later in MQ audit , it was found that we are running a SVCONN channel without CHLAUTH. So, that is when I decided to add it. Client application is continue to run so not sure whether the CHLAUTH rules are in affect or not but no bad news is good news, I believe.
Back to top
View user's profile Send private message
hughson
PostPosted: Fri Apr 05, 2019 1:40 am Post subject: Re: Can we Add New CHLAUTH while channel is running? Reply with quote

Grand Master

Joined: 09 May 2013
Posts: 1042
Location: Bay of Plenty, New Zealand

vicks_mq wrote:
earlier we had no CHLAUTH but later in MQ audit , it was found that we are running a SVCONN channel without CHLAUTH. So, that is when I decided to add it.

So had you also added a backstop rule? Or can channels that don't match these rules also run anyway? If I can guess your channel name and port number, can I successfully connect to your queue manager? How does adding these rules meet your audit requirement?

vicks_mq wrote:
Client application is continue to run so not sure whether the CHLAUTH rules are in affect or not but no bad news is good news, I believe.

So this sounds like there is no need, yet, to stop and restart the application. It will naturally restart at some future time and the new CHLAUTH rules will apply at that point. If this is just the start of your journey to secure your queue manager, I'm sure there will be other reasons to annoy the application owners later!

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexIBM MQ Installation/Configuration SupportCan we Add New CHLAUTH while channel is running?
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.