MQ explorer and mqm user access to QM v8
zrux (Apprentice; joined 21 May 2006; posts: 30; location: UK)
Posted: Mon Oct 12, 2020 5:05 am    Post subject: MQ explorer and mqm user access to QM v8

Hi

I am in the process of tightening the security on the new v8 QM in terms of SVRCONN channel access. I have enabled CHLAUTH(ENABLED) and set CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS).

Question is: how do I now set up the rules for allowing MQ Explorer for any desktop user from any IP on a specific channel (EXPLORER.SVRCONN) on all MQ objects?

Also, how do I allow access for the mqm user using a specific channel (MQM.SVRCONN) on all MQ objects?


Code:
DEFINE CHANNEL(AA_CHL) +
       CHLTYPE(SVRCONN) +
       MCAUSER(NOACCESS) REPLACE

DEF QL(SOME_QUEUE)

SET CHLAUTH(AA_CHL) TYPE(USERMAP) +
    CLNTUSER('aa_usr') +
    USERSRC(MAP) +
    MCAUSER('aa_usr') +
    ACTION(ADD)

SET AUTHREC +
    GROUP('aa_usr') +
    OBJTYPE(QMGR) +
    AUTHADD(CONNECT,INQ,DSP,ALTUSR)

SET AUTHREC PROFILE(SOME_QUEUE) +
    GROUP('aa_usr') +
    OBJTYPE(QUEUE) +
    AUTHADD(GET,PUT,DSP,INQ)

SET AUTHREC PROFILE(**) +
    GROUP('aa_usr') +
    OBJTYPE(QUEUE) +
    AUTHADD(DSP)
hughson (Padawan; joined 09 May 2013; posts: 1504; location: Bay of Plenty, New Zealand)
Posted: Tue Oct 13, 2020 8:09 pm    Post subject: Re: MQ explorer and mqm user access to QM v8

zrux wrote:
I am in the process of tightening the security on the new v8 QM in terms of SVRCONN channel access


I am happy to hear that you want to tighten the security on your queue manager.

zrux wrote:
I have enabled CHLAUTH(ENABLED) and set CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)


Are you leaving the SYSTEM.DEFAULT.AUTHINFO.IDPWOS with all its default values? I would suggest using the ADOPTCTX(YES) value (which is the default at newer versions of MQ than V8). btw - V8 is now out of service, suggest you might want to get a more modern version?

zrux wrote:
Question is - How do I now setup the rules for allowing MQ explorer for any desktop user from any IP on specific channel (EXPLORER.SVRCONN) on all MQ Objects


You can set up a CHLAUTH rule as follows:-

Code:
SET CHLAUTH(EXPLORER.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED)


Since you mentioned using CONNAUTH at the start of your post, I have assumed that you want to have some actual security on this (rather than just an IP filter as your question suggests, since that could literally allow in ANYONE). I have therefore concluded that, as a minimum, you want to check user IDs and passwords (that's what CHCKCLNT(REQUIRED) instructs). Since you are authenticating the provided user ID with its password, I have, in this rule, decided to take the user ID provided by the MQ Explorer user for authorisation checks (that's what USERSRC(CHANNEL) instructs).

So let's assume that each MQ Explorer user is given a user ID (and password) for a user in the group 'explorer' which will be used for authorisation checks. I assume that this group will be a read only Explorer group. If you need more operations you can add more authorities as required. Having created these user IDs, and added them to the group 'explorer', you would need to also set the following AUTHREC profiles in place.

Code:
* First the rules to allow interaction with the command server *
SET AUTHREC GROUP('explorer') OBJTYPE(QUEUE) PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE)    AUTHADD(PUT,INQ,DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(QUEUE) PROFILE(SYSTEM.MQEXPLORER.REPLY.MODEL) AUTHADD(GET,DSP)

* Now the rules to grant read-only access to all objects *
SET AUTHREC GROUP('explorer') OBJTYPE(QMGR)                   AUTHADD(DSP,INQ,CONNECT)
SET AUTHREC GROUP('explorer') OBJTYPE(QUEUE)    PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(TOPIC)    PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(AUTHINFO) PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(CHANNEL)  PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(CLNTCONN) PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(COMMINFO) PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(LISTENER) PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(NAMELIST) PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(PROCESS)  PROFILE('**') AUTHADD(DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(SERVICE)  PROFILE('**') AUTHADD(DSP)


zrux wrote:
Also, how do I allow access for mqm user using specific channel (MQM.SVRCONN) on all MQ Objects

You can have administrative users that are not members of the mqm group. How to do this is described in this blog post: A non-privileged MQ administrator

Should you actually NEED remote mqm access, this blog post covers how to do that: CHLAUTH - Allow some privileged admins

I also recommend you set a CHLAUTH Backstop rule - read CHLAUTH - the back-stop rule for more details

Remember that tightening security means actually adding some authorisation and some authentication. One without the other is not enough.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
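A way to check the two points the reply above makes (a password check behind USERSRC(CHANNEL), and a genuinely read-only explorer group), as an added example that is not part of this thread and not IBM or MQGem code: a small Python audit over MQSC text. The MQSC samples it parses are constructed here; the read-only authority set and the two command-server queue grants are taken from the reply.

```python
"""Constructed audit of MQSC hardening like that above (not IBM's or Morag's code):
flags USERSRC(CHANNEL) without CHCKCLNT(REQUIRED), and grants to the read-only
Explorer group beyond DSP/INQ/CONNECT (the two command-server queues excepted)."""
import re
ATTR_RE = re.compile(r"([A-Za-z]+)\(([^)]*)\)")
READ_ONLY = {"DSP", "INQ", "CONNECT"}
COMMAND_SERVER = {  # the only put/get access MQ Explorer needs, per the reply
    "SYSTEM.ADMIN.COMMAND.QUEUE": {"PUT", "INQ", "DSP"},
    "SYSTEM.MQEXPLORER.REPLY.MODEL": {"GET", "DSP"},
}

def parse_mqsc(text):
    """Yield (object, name, attrs): joins '+' continuations, skips '*' comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith("+"):              # MQSC continuation marker
            buf += line[:-1] + " "
            continue
        stmt, buf = (buf + line).strip(), ""
        m = re.match(r"(?:SET|DEFINE|DEF)\s+(\w+)\s*(?:\(([^)]*)\))?", stmt, re.I)
        if m:
            attrs = {k.upper(): v.strip("'") for k, v in ATTR_RE.findall(stmt)}
            yield m.group(1).upper(), m.group(2), attrs

def audit(text, group):
    """Return findings as strings; an empty list means both checks passed."""
    findings = []
    for obj, name, a in parse_mqsc(text):
        if obj == "CHLAUTH" and a.get("TYPE") == "ADDRESSMAP":
            if a.get("USERSRC") == "CHANNEL" and a.get("CHCKCLNT") != "REQUIRED":
                findings.append(f"{name}: USERSRC(CHANNEL) without CHCKCLNT(REQUIRED)")
        elif obj == "AUTHREC" and a.get("GROUP") == group:
            granted = {x.strip() for x in a.get("AUTHADD", "").split(",") if x.strip()}
            profile = a.get("PROFILE", "")
            extra = granted - COMMAND_SERVER.get(profile, READ_ONLY)
            if extra:
                findings.append(f"{profile or a.get('OBJTYPE')}: {group} granted {sorted(extra)}")
    return findings
HARDENED_MQSC = """
SET CHLAUTH(EXPLORER.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED)
SET AUTHREC GROUP('explorer') OBJTYPE(QUEUE) PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE) AUTHADD(PUT,INQ,DSP)
SET AUTHREC GROUP('explorer') OBJTYPE(QUEUE) PROFILE('**') AUTHADD(DSP)
"""
WEAK_MQSC = """* constructed weak variant: asserted ID trusted unverified, and PUT on every queue
SET CHLAUTH(EXPLORER.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(CHANNEL)
SET AUTHREC GROUP('explorer') OBJTYPE(QUEUE) PROFILE('**') AUTHADD(DSP,PUT)
"""
```

Run `audit(text, "explorer")` against the MQSC you are about to apply; the weak variant yields one finding per check, the hardened one none.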
fjb_saper (Grand High Poobah; joined 18 Nov 2003; posts: 20394; location: LI, NY)
Posted: Wed Oct 14, 2020 4:43 am

You say you're on V8. Make sure your MQExplorer and MQ Server are at least on 8.0.0.4 or higher as there are inconsistencies at the lower level. Best go to 9.2.0.1. V8 is already out of support.
_________________
MQ & Broker admin