| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| CHLAUTH Question |
« View previous topic :: View next topic » |
| Author |
Message
|
| wmbwmq |
 Posted: Wed Mar 24, 2021 4:28 am Post subject: CHLAUTH Question |
 |
|
Acolyte
Joined: 18 Jul 2011
Posts: 66
|
Howdy,
I am unable to figure out why the NOACCESS is not enforced in the below scenario.
So I have the following CHLAUTH rules set.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
CHLAUTH(*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN)
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
CHLAUTH(SYSTEM.DEF.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
dis chl(SYSTEM.DEF.SVRCONN) mcauser
CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN)
MCAUSER(mqm)
But I am able to connect to the QMGR from MQ explorer using this channel. I thought the CHLAUTH rules above specifically blocks any connection on that channel (at multiple levels, including that USERLIST(*MQADMIN) blocking)?
DISPLAY CHLAUTH ('SYSTEM.DEF.SVRCONN') MATCH (RUNCHECK) ADDRESS('<my-desk-ip>') CLNTUSER('<My-AD-User>')
AMQ8898: Display channel authentication record details - currently disabled.
CHLAUTH(SYSTEM.DEF.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
dis chlauth(SYSTEM.DEF.SVRCONN) all
CHLAUTH(SYSTEM.DEF.SVRCONN) TYPE(ADDRESSMAP)
DESCR(Default rule to allow MQ Explorer access)
CUSTOM( ) ADDRESS(*)
USERSRC(NOACCESS) WARN(NO)
ALTDATE(2021-03-23) ALTTIME(14.19.59)
dis chs(SYSTEM.DEF.SVRCONN)
CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN)
CONNAME(<my-desk-ip>) CURRENT
STATUS(RUNNING) SUBSTATE(RECEIVE)
MQ Version: 9.0.0.6
What am I missing? |
|
| Back to top |
|
 |
| bruce2359 |
| Posted: Wed Mar 24, 2021 5:25 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9475
Location: US: west coast, almost. Otherwise, enroute.
|
CHLAUTH enabled at qmgr?
You did a refresh security?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| wmbwmq |
| Posted: Wed Mar 24, 2021 6:07 am Post subject: |
|
|
Acolyte
Joined: 18 Jul 2011
Posts: 66
|
Oops rookie mistake. This is embarrassing
Someone else disabled chlauth earlier and I missed to check that part.
Thank you Bruce. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Wed Mar 24, 2021 7:44 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9475
Location: US: west coast, almost. Otherwise, enroute.
|
I won’t tell anyone.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| hughson |
| Posted: Mon Mar 29, 2021 12:58 am Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1964
Location: Bay of Plenty, New Zealand
|
| wmbwmq wrote: |
| AMQ8898: Display channel authentication record details - currently disabled. |
| wmbwmq wrote: |
Oops rookie mistake. This is embarrassing
Someone else disabled chlauth earlier and I missed to check that part.
Thank you Bruce. |
We knew when we designed CHLAUTH that some people would do this, so we tried to help by outputting the above message, snipped from the output in your initial question. Sigh...
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
