MQSeries.net Forum Index » User Exits » CHLAUTHs seem to be ignored if SYSEXIT(BlockIP2) is used

hsabl (Newbie; joined 08 Jul 2020; 5 posts)
Posted: Wed Jul 08, 2020 6:06 am. Subject: CHLAUTHs seem to be ignored if SYSEXIT(BlockIP2) is used

Since MQ Version 8 Fix Pack 5, it seems that CHLAUTH records are ignored as soon as the BlockIP2 exit is configured on the channel.

The BlockIP2 log says: "Connection accepted"

MQ errorlog says:

AMQ9557: Queue Manager User ID initialization failed for 'ttt'.

EXPLANATION:
The call to initialize the User ID 'ttt' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was ''.
ACTION:
Correct the error and try again.

User "ttt" is the default MCAUSER on this channel.
CHLAUTH records (ADDRESSMAP and USERMAP) are used to change it depending on the client's IP and CLNTUSR.

If BlockIP2 is not used, everything works as expected and
access is granted with user mqm for the given IP, as defined in CHLAUTH.

I would like to use BlockIP2 for logging access over SVRCONN channels, which worked fine in lower MQ fix packs.
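The setup described in the post, written out in MQSC as an added example (these are not the poster's own definitions; the channel name, addresses, user names, exit path and entry-point name are assumptions), together with the DISPLAY CHLAUTH MATCH(RUNCHECK) query that asks the queue manager itself which record would apply to a given client address and client user ID. Running that query once with SCYEXIT cleared and once with BlockIP2 configured separates what the CHLAUTH rules decide from what the exit does, without needing a client to connect:

```mqsc
* Added example, not from the original post. Channel name, addresses,
* user names and the exit path/entry point are assumptions.

* Channel whose default MCAUSER is a deliberately non-existent user, so
* any connection that no CHLAUTH record maps is refused at the user-ID
* check (the AMQ9557 / reason 2035 seen in the post). SCYEXIT/SCYDATA
* are the channel attributes that attach a security exit such as BlockIP2;
* take the real path and entry point from the BlockIP2 documentation.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('ttt') +
       SCYEXIT('/var/mqm/exits64/BlockIP2(BlockExit)') +
       SCYDATA('/var/mqm/exits/BlockIP2.ini') +
       REPLACE

* ADDRESSMAP: one client address is mapped to an administrative user, as in
* the post. Caveat: MCAUSER('mqm') gives every connection from that address
* full administrative rights on the queue manager.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.0.0.25') +
    USERSRC(MAP) MCAUSER('mqm') ACTION(ADD)

* USERMAP: a client-asserted user ID is mapped to a least-privilege MCA user
* instead of being trusted as-is.
SET CHLAUTH('APP.SVRCONN') TYPE(USERMAP) CLNTUSER('appuser') +
    USERSRC(MAP) MCAUSER('mqapp') ACTION(ADD)

* Review the records, then ask the queue manager which record a given
* connection would match. RUNCHECK needs a non-generic channel name and an
* ADDRESS; CLNTUSER narrows the match to a specific client user ID.
DISPLAY CHLAUTH('APP.SVRCONN') ALL
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('10.0.0.25') CLNTUSER('appuser')
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('10.0.0.99') CLNTUSER('appuser')
```

The first RUNCHECK should report the ADDRESSMAP record with MCAUSER(mqm); the second should fall through to the USERMAP record. If RUNCHECK gives the expected answer while a real connection still fails with MCAUSER 'ttt', the rules are sound and the problem lies in how the connection is processed with the exit attached, which is the situation the thread goes on to discuss.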
RogerLacroix (Jedi Knight; joined 15 May 2001; 3178 posts; London, ON Canada)
Posted: Wed Jul 08, 2020 1:40 pm

Where is UserId "ttt" coming from? i.e. is it in the channel's MCAUSER field, or is it the client application's UserId? Or is it a value set by the application itself?

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
hsabl (Newbie; joined 08 Jul 2020; 5 posts)
Posted: Wed Jul 08, 2020 1:59 pm

"ttt" is a non-existent user configured on the channel to block any access that is not allowed by other CHLAUTH records. If I remove it from the channel, I see the user (CLNTUSR) from the computer that tries to access, which also does not exist.
I expect that CHLAUTH records are used after BlockIP2 has allowed access, but that does not seem to be the case.
There is one CHLAUTH (ADDRESSMAP) record which assigns MCAUSER "mqm" for the client's IP address. That worked fine until Fix Pack 5 was applied.
Nothing else has been changed: same BlockIP2 binary, same paths, same BlockIP2 config file.

If BlockIP2 is taken away from this channel, the CHLAUTH record (ADDRESSMAP) gives access with user "mqm" for the given IP.
RogerLacroix (Jedi Knight; joined 15 May 2001; 3178 posts; London, ON Canada)
Posted: Wed Jul 08, 2020 2:36 pm. Subject: Re: CHLAUTHs seem to be ignored if SYSEXIT(BlockIP2) is used

IBM kept tweaking MQ security through various IBM MQ v8 Fix Packs.

hsabl wrote:
    From MQ Version 8 since Fixpack 5

That Fix Pack was released in May 2016. Why are you using it? You should be on Fix Pack 8.0.0.15. Or better, MQ 9.0.0.10. Or the best is to be on MQ 9.1.0.5.

In August 2018, IBM finalized the behaviour change with APAR IT25839. You can read it here: https://www.ibm.com/support/pages/node/725873

Basically, a channel security exit will be called twice: once in step #5 and then again in step #9.

Logging in a channel security exit gets really tricky these days. You should read my blog posting before continuing.

So, as you can see from my blog posting, if SHARECNV is greater than 1 then it is pointless to log in step # 5 because only the primary thread will be logged.

BlockIP2 is a large (unsupported) program that is designed to filter/match/block client connections on a variety of fields.

<Vendor_Plug>

You may be interested in an extremely light-weight solution called MQ Channel Connection Inspector for your logging needs.

</Vendor_Plug>

Regards,
Roger Lacroix
Capitalware Inc.
fjb_saper (Grand High Poobah; joined 18 Nov 2003; 20392 posts; LI, NY)
Posted: Thu Jul 09, 2020 4:52 am

Also, did you set ChlAuthEarlyAdopt=E or =Y in your qm.ini?
_________________
MQ & Broker admin