| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Effect of Connauth on MQ Cluster/Distributed setup |
« View previous topic :: View next topic » |
| Author |
Message
|
| dextermbmq |
 Posted: Wed Jun 03, 2020 11:35 pm Post subject: Effect of Connauth on MQ Cluster/Distributed setup |
 |
|
Voyager
Joined: 26 Jul 2014
Posts: 77
|
Hello,
This post is verify the understanding around the connauth concepts. Currently the connauth is disabled on queue managers in our MQ estate.
If we enable the connauth with below authinfo object
AUTHTYPE(IDPWOS) ADOPTCTX(YES)
DESCR( ) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL) FAILDLAY(1)
AUTHENMD(OS)
This will only impact the connections made by the application on client mode (via SVRCONN type channel) and MQ - MQ communication like clustered communication with other queue managers and distributed communication with other queue managers would remain as is (No Impact). Please help me in validating this understanding
Second one is around CHLAUTH
Once CHLAUTH is enabled the default rule listed below should effect the existing Clustered and distributed communication since a running clusrcvr channel shows MCAUSER as "mqm" however post enabling the CHLAUTh i could see that none of the clustered and Distributed channels were affected and they kept in running state
AMQ8878I: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN) |
|
| Back to top |
|
 |
| exerk |
| Posted: Thu Jun 04, 2020 12:26 am Post subject: Re: Effect of Connauth on MQ Cluster/Distributed setup |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| dextermbmq wrote: |
Hello,
This post is verify the understanding around the connauth concepts. Currently the connauth is disabled on queue managers in our MQ estate.
If we enable the connauth with below authinfo object
AUTHTYPE(IDPWOS) ADOPTCTX(YES)
DESCR( ) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL) FAILDLAY(1)
AUTHENMD(OS)
This will only impact the connections made by the application on client mode (via SVRCONN type channel) and MQ - MQ communication like clustered communication with other queue managers and distributed communication with other queue managers would remain as is (No Impact). Please help me in validating this understanding... |
What testing have you done to self-validate?
| dextermbmq wrote: |
...Second one is around CHLAUTH
Once CHLAUTH is enabled the default rule listed below should effect the existing Clustered and distributed communication since a running clusrcvr channel shows MCAUSER as "mqm" however post enabling the CHLAUTh i could see that none of the clustered and Distributed channels were affected and they kept in running state
AMQ8878I: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN) |
What happens when you stop those channels and try restarting them?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| dextermbmq |
| Posted: Thu Jun 04, 2020 2:22 am Post subject: |
|
|
Voyager
Joined: 26 Jul 2014
Posts: 77
|
What testing have you done to self-validate?
Tried restarting the SDR / RCVR pair and CLUSSDR/CLUSRCVR pair post enabling the connauth and refreshing the security (even restarted the qmgr - although wasn't needed). Everything worked fine without any issues.
For application testing , created a new OS user(and associated password), used amqsputc by exporting env variable MQSAMP_USER_ID for the OS user and tried connecting to the MQ using the OS level user and password -->working with correct password / failing with incorrect password (expected)
As I said , this was to validate my understanding
What happens when you stop those channels and try restarting them?
The channels come up fine without any issues. |
|
| Back to top |
|
|
| hughson |
| Posted: Thu Jun 04, 2020 6:57 pm Post subject: Re: Effect of Connauth on MQ Cluster/Distributed setup |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| dextermbmq wrote: |
Hello,
This post is verify the understanding around the connauth concepts. Currently the connauth is disabled on queue managers in our MQ estate.
If we enable the connauth with below authinfo object
AUTHTYPE(IDPWOS) ADOPTCTX(YES)
DESCR( ) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL) FAILDLAY(1)
AUTHENMD(OS)
This will only impact the connections made by the application on client mode (via SVRCONN type channel) and MQ - MQ communication like clustered communication with other queue managers and distributed communication with other queue managers would remain as is (No Impact). Please help me in validating this understanding |
To be absolutely certain that CONNAUTH does not affect locally bound connections you should use CHCKLOCL(NONE). Using OPTIONAL could affect applications that are written in Java and set a user ID without a password as a way of doing the equivalent of run-as. These would now fail because they would have the password checked and it wouldn't match.
The above issue won't affect channels as they are not Java applications.
| dextermbmq wrote: |
Second one is around CHLAUTH
Once CHLAUTH is enabled the default rule listed below should effect the existing Clustered and distributed communication since a running clusrcvr channel shows MCAUSER as "mqm" however post enabling the CHLAUTh i could see that none of the clustered and Distributed channels were affected and they kept in running state
AMQ8878I: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN) |
TYPE(BLOCKUSER) only applies to SVRCONNs.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| dextermbmq |
| Posted: Fri Jun 05, 2020 1:31 am Post subject: |
|
|
Voyager
Joined: 26 Jul 2014
Posts: 77
|
Thanks a lot Morag   |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
