CHLAUTHs seem to be ignored if SYSEXIT(BlockIP2) is used
hsabl (Newbie; Joined: 08 Jul 2020; Posts: 5)
Posted: Wed Jul 08, 2020 6:06 am  Post subject: CHLAUTHs seem to be ignored if SYSEXIT(BlockIP2) is used
From MQ Version 8 since Fixpack 5 it seems that CHLAUTH records are ignored as soon as the BlockIP2 exit is configured on the channel.
BlockIP log says: "Connection accepted"
MQ errorlog says:
AMQ9557: Queue Manager User ID initialization failed for 'ttt'.
EXPLANATION:
The call to initialize the User ID 'ttt' failed with CompCode 2 and Reason
2035. If an MQCSP block was used, the User ID in the MQCSP block was ''.
ACTION:
Correct the error and try again.
User "ttt" is the default MCAUSER on this channel.
CHLAUTH records (ADDRESSMAP and USERMAP) are used to change it depending on the client's IP and CLNTUSR.
If BlockIP2 is not used, everything works as expected and
access is done with user mqm for the given IP as defined in CHLAUTH.
I would like to use BlockIP2 for logging the access using SVRCONN channels, which worked fine in lower MQ Fixes.
RogerLacroix (Jedi Knight; Joined: 15 May 2001; Posts: 3258; Location: London, ON Canada)
Posted: Wed Jul 08, 2020 1:40 pm  Post subject:
Where is UserId "ttt" coming from? i.e. Is it in the channel's MCAUSER field or is it the client application's UserId? Or is it a value set by the application itself?
Regards,
Roger Lacroix
Capitalware Inc.
--
Capitalware: Transforming tomorrow into today.
hsabl (Newbie; Joined: 08 Jul 2020; Posts: 5)
Posted: Wed Jul 08, 2020 1:59 pm  Post subject:
"ttt" is a non-existing user configured on the channel to block any access which is not allowed by other CHLAUTH records. If I remove it from the channel I see the user (CLNTUSR) from the computer who tries to access, which is also not existing.
I expect that CHLAUTH records are used after BlockIP2 has allowed access, but that does not seem to be the case.
There is one CHLAUTH (ADDRESSMAP) record which does assign MCAUSER "mqm" for the client's IP address. That did work fine until Fix Pack 5 was applied.
Nothing else has been changed: same BlockIP2 binary, same paths, same BlockIP2 config file.
If BlockIP2 is taken away from this channel, the CHLAUTH record (ADDRESSMAP) is giving access with user "mqm" for the given IP.
RogerLacroix (Jedi Knight; Joined: 15 May 2001; Posts: 3258; Location: London, ON Canada)
Posted: Wed Jul 08, 2020 2:36 pm  Post subject: Re: CHLAUTHs seem to be ignored if SYSEXIT(BlockIP2) is used
IBM kept tweaking MQ security through various IBM MQ v8 Fix Packs.
hsabl wrote:
    From MQ Version 8 since Fixpack 5
That Fix Pack was released in May 2016. Why are you using it? You should be on Fix Pack 8.0.0.15. Or better, MQ 9.0.0.10. Or the best is to be on MQ 9.1.0.5.
In August 2018, IBM finalized the behaviour change with APAR IT25839. You can read it here: https://www.ibm.com/support/pages/node/725873
Basically, a channel security exit will be called twice. Once in step # 5 and then again in step # 9.
Logging in a channel security exit gets really tricky these days. You should read my blog posting before continuing.
So, as you can see from my blog posting, if SHARECNV is greater than 1 then it is pointless to log in step # 5 because only the primary thread will be logged.
BlockIP2 is a large (unsupported) program that is designed to filter/match/block client connections on a variety of fields.
<Vendor_Plug>
You may be interested in an extremely light-weight solution called MQ Channel Connection Inspector for your logging needs.
</Vendor_Plug>
Regards,
Roger Lacroix
Capitalware Inc.
--
Capitalware: Transforming tomorrow into today.
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20736; Location: LI,NY)
Posted: Thu Jul 09, 2020 4:52 am  Post subject:
Also did you set ChlAuthEarlyAdopt=E or =Y in your qm.ini?
--
MQ & Broker admin
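The following MQSC script is an added example for this thread; it is not code from the thread, from BlockIP2 or from IBM. It reproduces the setup the original poster describes (a deliberately non-existent default MCAUSER on the SVRCONN channel, plus ADDRESSMAP and USERMAP records that replace it) and then uses DISPLAY CHLAUTH with MATCH(RUNCHECK), the queue manager's own way of answering "which rule would this connection hit, and with which MCAUSER". The channel name APP.SVRCONN, the client address 192.0.2.10, the client user appuser, the mapped user appsvc and the exit path are constructed assumptions; the exit entry point BlockIP2(BlockExit) is the conventional BlockIP2 form and is also an assumption here.

```mqsc
* Added example (not from the thread): rebuild the poster's setup and check it.
* Assumed names: APP.SVRCONN, 192.0.2.10 (TEST-NET-1, constructed), appuser,
* appsvc, /var/mqm/exits/BlockIP2.ini. Comment lines start with '*'; a trailing
* '+' continues a command on the next line.

* 1. Default MCAUSER is a user that does not exist, so a connection that matches
*    no mapping rule fails with CompCode 2 / Reason 2035 (MQRC_NOT_AUTHORIZED),
*    which is exactly the AMQ9557 message quoted in the first post.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('ttt') +
       SCYEXIT('BlockIP2(BlockExit)') +
       SCYDATA('/var/mqm/exits/BlockIP2.ini') +
       REPLACE

* 2. Mapping rules. ADDRESSMAP keys on the client IP address, USERMAP on the
*    client-asserted user ID; USERSRC(MAP) swaps in the MCAUSER given here.
*    The 'mqm' mapping mirrors the thread's own example.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.10') +
    USERSRC(MAP) MCAUSER('mqm') ACTION(ADD)
SET CHLAUTH('APP.SVRCONN') TYPE(USERMAP) CLNTUSER('appuser') +
    USERSRC(MAP) MCAUSER('appsvc') ACTION(ADD)

* 3. Confirm CHLAUTH checking is switched on at queue-manager level.
DISPLAY QMGR CHLAUTH

* 4. Ask the queue manager which record a given inbound connection would match
*    and what MCAUSER it would adopt. ADDRESS and CLNTUSER are required with
*    MATCH(RUNCHECK), and the channel name must be a real name, no wildcard.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
        ADDRESS('192.0.2.10') CLNTUSER('appuser') ALL
```

Run it with `runmqsc QMNAME < script.mqsc`. If the RUNCHECK output shows MCAUSER('ttt') or no matching record at all, the mapping itself is not matching and the exit is not the first thing to investigate; if RUNCHECK resolves to the mapped user but real connections still log AMQ9557, the difference is in the connection-time sequence (the exit being driven before or after the CHLAUTH mapping, which is what APAR IT25839 and the qm.ini Channels stanza setting `ChlauthEarlyAdopt=Y` mentioned above control). Compare the RUNCHECK result with the "Connection accepted" line in the BlockIP2 log and the AMQ9557 entry in the queue manager error log for the same timestamp before changing anything.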