| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Question on chlauth usermap |
« View previous topic :: View next topic » |
| Author |
Message
|
| crashdog |
 Posted: Thu May 14, 2020 1:52 am Post subject: Question on chlauth usermap |
 |
|
Voyager
Joined: 02 Apr 2017
Posts: 77
|
In the organization that I'm currently working for, there is a rather strange setup that I can't quite figure out how that it's supposed to work. Given is following:
Server side :MQ 9.1.0.0 LTS on RHEL 7.6
Client side : MQexplorer 9.1.0.0 (from MQ 9.1.0.0 installation)
in qm.ini:
| Code: |
Service:
Name=AuthorizationService
EntryPoints=14
ServiceComponent:
Service=AuthorizationService
Name=MQSeries.UNIX.auth.service
Module=amqzfu
ComponentDataSize=0
Channels:
ChlauthEarlyAdopt=Y
MaxChannels=10000
MQIBINDTYPE=FASTPATH
|
authinfo is set to:
| Code: |
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AUTHTYPE(IDPWOS) ADOPTCTX(YES)
DESCR( ) CHCKCLNT(OPTIONAL)
CHCKLOCL(OPTIONAL) FAILDLAY(1)
AUTHENMD(OS)
|
the channel(s) are setup like:
| Code: |
CHANNEL(ORG.APP.APPNAME) CHLTYPE(SVRCONN)
ALTDATE(2018-12-03) ALTTIME(14.59.00)
CERTLABL( ) COMPHDR(NONE)
COMPMSG(NONE) DESCR( )
DISCINT(0) HBINT(300)
KAINT(AUTO) MAXINST(999999999)
MAXINSTC(999999999) MAXMSGL(25165824)
MCAUSER( ) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(REQUIRED)
SSLCIPH( ) SSLPEER( )
TRPTYPE(TCP)
|
and the only chlauth:
| Code: |
CHLAUTH(ORG.APP.APPNAME) TYPE(USERMAP)
DESCR(Allow user as mqm on local subnet)
CUSTOM( ) ADDRESS(*)
CLNTUSER(appsuserid) MCAUSER(mqm)
USERSRC(MAP) CHCKCLNT(ASQMGR)
ALTDATE(2018-11-06) ALTTIME(09.25.50)
|
There is no "appsuserid" in /etc/passwd. But when I connect with that user on that channel the connection works.
if I setup a new channel and chlauth with exactly the same attributes and values and try to connect with the same user id get in compatbility mode:
AMQ9557E: Queue Manager User ID initialization failed for 'appuserid'
and using MQCSP:
| Code: |
AMQ5534E: User ID 'appuserid' authentication failed
...
AMQ5542I: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(OPTIONAL) configuration.
EXPLANATION:
The user ID 'appuserid' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with
CHCKCLNT(OPTIONAL).
|
My questions are, how does MQ authenticate when the users are not locally installed (and obviously no ldap configured) ? is it only "blindly" mapping usernames to MCAUSER if the provided username matches CLNTUSER ?
What could I be missing when trying to recreate the setup with a new channel / chlauth pair ?
Kind Regards,
Gerhard
[/code]
_________________
You win again gravity ! |
|
| Back to top |
|
 |
| RogerLacroix |
| Posted: Thu May 14, 2020 11:25 am Post subject: Re: Question on chlauth usermap |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada
|
You didn't show us CONNAUTH.
| crashdog wrote: |
| is it only "blindly" mapping usernames to MCAUSER if the provided username matches CLNTUSER ? |
Yes, if the QMgr's CONNAUTH is blank.
And you shouldn't have 'mqm' UserId set in the channel's MCAUSER attribute for anyone to use.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| crashdog |
| Posted: Thu May 14, 2020 11:29 pm Post subject: |
|
|
Voyager
Joined: 02 Apr 2017
Posts: 77
|
thank you for the input Roger,
The qmgrs CONNAUTH is set to SYSTEM.DEFAULT.AUTHINFO.IDPWOS. Which again is setup as mentioned above.
| Quote: |
| Yes, if the QMgr's CONNAUTH is blank. |
So since CONNAUTH is not empty it means that MQ is trying to lookup the users in /etc/passwd ? None of the users in CLNTUSER is locally defined, but it appears that they are mapped to 'mqm' anyway.
yes of course no user should be mapped to mqm, that's the target of the clean up. But I have to try to understand what the current installation is. Unfortunately I can't just dump the qmgr and re-install every thing. Even if it would be the best solution.
Cheers,
Gerhard
_________________
You win again gravity ! |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Fri May 15, 2020 12:22 pm Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada
|
| crashdog wrote: |
| The qmgrs CONNAUTH is set to SYSTEM.DEFAULT.AUTHINFO.IDPWOS. Which again is setup as mentioned above. |
Just because you have "AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)" defined does not mean you are using it (bad assumption). You can have it defined and CONNAUTH be blank.
Here's one of my queue managers:
| Code: |
dis qmgr connauth
6 : dis qmgr connauth
AMQ8408I: Display Queue Manager details.
QMNAME(MQWT1) CONNAUTH( )
dis AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
7 : dis AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AMQ8566I: Display authentication information details.
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AUTHTYPE(IDPWOS) ADOPTCTX(YES)
DESCR( ) CHCKCLNT(REQDADM)
CHCKLOCL(OPTIONAL) FAILDLAY(1)
AUTHENMD(OS) ALTDATE(2019-11-09)
ALTTIME(12.59.40) |
You have "CHCKCLNT(OPTIONAL)" which means that if the application sends a UserId and Password then the queue manager will check it otherwise it is skipped. You can read the MQ Knowledge Center here or review Morag's presentation here regarding CHCKCLNT of OPTIONAL.
| crashdog wrote: |
| None of the users in CLNTUSER is locally defined, but it appears that they are mapped to 'mqm' anyway. |
Someone was being lazy and didn't care about security.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| hughson |
| Posted: Sun May 17, 2020 6:30 pm Post subject: Re: Question on chlauth usermap |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| crashdog wrote: |
and the only chlauth:
| Code: |
CHLAUTH(ORG.APP.APPNAME) TYPE(USERMAP)
DESCR(Allow user as mqm on local subnet)
CUSTOM( ) ADDRESS(*)
CLNTUSER(appsuserid) MCAUSER(mqm)
USERSRC(MAP) CHCKCLNT(ASQMGR)
ALTDATE(2018-11-06) ALTTIME(09.25.50)
|
|
This being the only CHLAUTH rule means it is indeed blindly mapping all connections to that channel that come from CLNTUSER(appsuserid) to mqm. The description says the rule is to allow all to be mqm from the local subnet, but that is a lie, since the rule allows in ALL IP addresses.
| crashdog wrote: |
| There is no "appsuserid" in /etc/passwd. |
User ids used only in CLNTUSER fields of CHLAUTH do not need to exist on the queue manager machine. They are only used for string comparison.
| crashdog wrote: |
| But when I connect with that user on that channel the connection works. |
Indeed - blindly mapping.
| crashdog wrote: |
if I setup a new channel and chlauth with exactly the same attributes and values and try to connect with the same user id get in compatbility mode:
AMQ9557E: Queue Manager User ID initialization failed for 'appuserid'
and using MQCSP:
| Code: |
AMQ5534E: User ID 'appuserid' authentication failed
...
AMQ5542I: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(OPTIONAL) configuration.
EXPLANATION:
The user ID 'appuserid' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with
CHCKCLNT(OPTIONAL).
|
|
This is failing because you are using MQ Explorer compatibility mode. You are using this to set your client side user id. It is causing the queue manager to check the user ID and password. If instead your CHLAUTH rule used your naturally obtained client side user ID, and didn't fake it with MQ Explorer and compatibility mode, there would be no overlap with the user ID and password checking.
| crashdog wrote: |
| My questions are, how does MQ authenticate when the users are not locally installed (and obviously no ldap configured) ? |
It can't - as you saw.
| crashdog wrote: |
| is it only "blindly" mapping usernames to MCAUSER if the provided username matches CLNTUSER ? |
With the setup your have shown us, yes it is blindly mapping.
| crashdog wrote: |
| What could I be missing when trying to recreate the setup with a new channel / chlauth pair ? |
You are trying to fakeup your client side user it to be appuserid. Instead make a CHLAUTH rule mapping your own client side user id.
Or better still add some authentication to the system. Mandate a logon to the machine be sent upon connection - i.e. one that exists on the queue manager machine, or look to providing digital certificates for anyone who is to have mqm authority remotely.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
