MQMB&WAS
Posted: Tue Apr 21, 2020 10:34 am Post subject: Chlauth qmgrmap vs addressmap
Centurion
Joined: 12 Jun 2016 Posts: 130
Hello experts
Could someone please explain what’s the difference between qmgrmap and addressmap in chlauth types?
I looked online but the info is very confusing.
To allow a sender channel coming from a qmgr with a certain IP, what type of chlauth should we use? Qmgrmap or addressmap? And what’s the difference?
fjb_saper
Posted: Wed Apr 22, 2020 9:03 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
The address map will not check the qmgr name.
The qmgr map may also check the originating ip.
And don't forget you'll also need a backstop rule.
Hope this helps
_________________
MQ & Broker admin
MQMB&WAS
Posted: Wed Apr 22, 2020 9:30 pm Post subject:
Centurion
Joined: 12 Jun 2016 Posts: 130
fjb_saper wrote:
The address map will not check the qmgr name.
The qmgr map may also check the originating ip.
And don't forget you'll also need a backstop rule.
Hope this helps

To an already running channel with chlauth rule, if the sender qmgr's IP changes, will the below rule work?
SET CHLAUTH(SDR.RCVR.CHL) TYPE(QMGRMAP) ADDRESS(NEW.IP.ADDR) QMNAME(SDR.QMNAME) MCAUSER('sender_userid') USERSRC(MAP) ACTION(ADD)
and since the chl is already running with the current IP of the sender qmgr, with chlauth enabled, I guess the backstop rule already exists and all I need to do is add the above rule to allow the new IP?
Thanks for your time.
fjb_saper
Posted: Thu Apr 23, 2020 10:25 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
MQMB&WAS wrote:
To an already running channel with chlauth rule, if the sender qmgr's IP changes, will the below rule work?
SET CHLAUTH(SDR.RCVR.CHL) TYPE(QMGRMAP) ADDRESS(NEW.IP.ADDR) QMNAME(SDR.QMNAME) MCAUSER('sender_userid') USERSRC(MAP) ACTION(ADD)

That should work for when the channel restarts with the new sender ip.

MQMB&WAS wrote:
and since the chl is already running with the current IP of the sender qmgr, with chlauth enabled, I guess the backstop rule already exists and all I need to do is add the above rule to allow the new IP?

You can't really make that conclusion. If the backstop rule is missing you can create the permission granting rule, but you don't really need it as nothing is going to block a connection from happening.
_________________
MQ & Broker admin
MQMB&WAS
Posted: Wed May 13, 2020 4:45 am Post subject:
Centurion
Joined: 12 Jun 2016 Posts: 130
fjb_saper wrote:
You can't really make that conclusion. If the backstop rule is missing you can create the permission granting rule, but you don't really need it as nothing is going to block a connection from happening.

Got you.
Another query.
When a chl has chlauth rules with both sslpeermap and qmgrmap/addressmap, which one takes precedence and which one is ignored?
Appreciate your time.
fjb_saper
Posted: Wed May 13, 2020 5:12 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
MQMB&WAS wrote:
fjb_saper wrote:
You can't really make that conclusion. If the backstop rule is missing you can create the permission granting rule, but you don't really need it as nothing is going to block a connection from happening.

Got you.
Another query.
When a chl has chlauth rules with both sslpeermap and qmgrmap/addressmap, which one takes precedence and which one is ignored?
Appreciate your time.

I would expect that to be
- sslpeermap
- qmgrmap
- addressmap
But I am sure you can find the exact order of precedence in the infocenter
_________________
MQ & Broker admin
hughson
Posted: Wed May 13, 2020 9:06 pm Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
fjb_saper wrote:
But I am sure you can find the exact order of precedence in the infocenter

Indeed. In Channel authentication records > Interaction between channel authentication records:-

IBM Knowledge Center wrote:
The channel authentication record used is selected as follows:
- A channel authentication record explicitly matching the channel name takes priority over a channel authentication record matching the channel name by using a wildcard.
- A channel authentication record using an SSL or TLS DN takes priority over a record using a user ID, queue manager name, or IP address.
- A channel authentication record using a user ID or queue manager name takes priority over a record using an IP address.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
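
The following is an added example, not part of the thread and not IBM MQ code: a simplified Python model of the three selection rules quoted from the Knowledge Center, run against the thread's sender channel scenario with a backstop rule in place. It assumes the rules apply in the order listed and uses plain wildcard matching for addresses, queue manager names and DNs; the IP addresses, `ip_only_user` and the channel-specific ADDRESSMAP record are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Lower rank wins: TLS DN, then user ID or queue manager name, then IP address.
TYPE_RANK = {"SSLPEERMAP": 0, "USERMAP": 1, "QMGRMAP": 1, "ADDRESSMAP": 2}

# Constructed records for the thread's scenario; addresses and ip_only_user are placeholders.
RECORDS = [
    {"chl": "*", "type": "ADDRESSMAP", "address": "*", "usersrc": "NOACCESS"},  # backstop
    {"chl": "SDR.RCVR.CHL", "type": "QMGRMAP", "qmname": "SDR.QMNAME",
     "address": "192.0.2.10", "usersrc": "MAP", "mcauser": "sender_userid"},
    {"chl": "SDR.RCVR.CHL", "type": "ADDRESSMAP", "address": "192.0.2.*",
     "usersrc": "MAP", "mcauser": "ip_only_user"},
]

def matches(rec, conn):
    """True if every attribute the record specifies matches the inbound connection."""
    if not fnmatchcase(conn["chl"], rec["chl"]):
        return False
    return all(fnmatchcase(conn.get(attr, ""), rec[attr])
               for attr in ("address", "qmname", "sslpeer") if attr in rec)

def select_record(records, conn):
    """Choose among matching records using the three quoted rules, in the order listed."""
    hits = [r for r in records if matches(r, conn)]
    # Explicit channel name beats a wildcard name, then the record type rank decides.
    return min(hits, key=lambda r: ("*" in r["chl"], TYPE_RANK[r["type"]]), default=None)

def decide(records, conn):
    """Return the outcome of the selected record as a short string."""
    rec = select_record(records, conn)
    if rec is None:
        return "no matching record"
    return "BLOCK" if rec["usersrc"] == "NOACCESS" else "MAP to " + rec["mcauser"]

if __name__ == "__main__":
    chl = "SDR.RCVR.CHL"
    old_ip = {"chl": chl, "address": "192.0.2.10", "qmname": "SDR.QMNAME"}
    new_ip = {"chl": chl, "address": "198.51.100.7", "qmname": "SDR.QMNAME"}
    other_qm = {"chl": chl, "address": "192.0.2.10", "qmname": "OTHER.QM"}
    for name, conn in (("old IP", old_ip), ("new IP", new_ip), ("other qmgr", other_qm)):
        print(name, "->", decide(RECORDS, conn))
```

In this model the sender's new IP falls through to the backstop until a QMGRMAP record for the new address is added, and a different queue manager connecting from the old address is still mapped by the ADDRESSMAP record, which never looks at the queue manager name.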