wmbwmq
Posted: Wed Mar 24, 2021 4:28 am Post subject: CHLAUTH Question
Acolyte
Joined: 18 Jul 2011 Posts: 66
Howdy,
I am unable to figure out why the NOACCESS is not enforced in the below scenario.
So I have the following CHLAUTH rules set.

CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
CHLAUTH(*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN)
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
CHLAUTH(SYSTEM.DEF.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)

dis chl(SYSTEM.DEF.SVRCONN) mcauser
CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN)
MCAUSER(mqm)

But I am able to connect to the QMGR from MQ Explorer using this channel. I thought the CHLAUTH rules above specifically block any connection on that channel (at multiple levels, including that USERLIST(*MQADMIN) blocking)?

DISPLAY CHLAUTH ('SYSTEM.DEF.SVRCONN') MATCH (RUNCHECK) ADDRESS('<my-desk-ip>') CLNTUSER('<My-AD-User>')
AMQ8898: Display channel authentication record details - currently disabled.
CHLAUTH(SYSTEM.DEF.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)

dis chlauth(SYSTEM.DEF.SVRCONN) all
CHLAUTH(SYSTEM.DEF.SVRCONN) TYPE(ADDRESSMAP)
DESCR(Default rule to allow MQ Explorer access)
CUSTOM( ) ADDRESS(*)
USERSRC(NOACCESS) WARN(NO)
ALTDATE(2021-03-23) ALTTIME(14.19.59)

dis chs(SYSTEM.DEF.SVRCONN)
CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN)
CONNAME(<my-desk-ip>) CURRENT
STATUS(RUNNING) SUBSTATE(RECEIVE)

MQ Version: 9.0.0.6
What am I missing?
bruce2359
Posted: Wed Mar 24, 2021 5:25 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 8887 Location: US: west coast, almost. Otherwise, enroute.
CHLAUTH enabled at qmgr?
You did a refresh security?
_________________
“Five out of four people have trouble with fractions.” - Steven Wright.
wmbwmq
Posted: Wed Mar 24, 2021 6:07 am Post subject:
Oops, rookie mistake. This is embarrassing.
Someone else disabled CHLAUTH earlier and I missed checking that part.
Thank you, Bruce.
bruce2359
Posted: Wed Mar 24, 2021 7:44 am Post subject:
I won’t tell anyone.
hughson
Posted: Mon Mar 29, 2021 12:58 am Post subject:
Padawan
Joined: 09 May 2013 Posts: 1549 Location: Bay of Plenty, New Zealand

wmbwmq wrote:
    AMQ8898: Display channel authentication record details - currently disabled.

wmbwmq wrote:
    Oops, rookie mistake. This is embarrassing.
    Someone else disabled CHLAUTH earlier and I missed checking that part.
    Thank you, Bruce.

We knew when we designed CHLAUTH that some people would do this, so we tried to help by outputting the above message, snipped from the output in your initial question. Sigh...
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
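
The check this thread turns on, as an added example that is not part of any post above: a shell sketch that reads MQSC output and says whether a matched NOACCESS rule is actually enforced. The function names, the queue manager name QM1 and the two samples marked as constructed are assumptions; the RUNCHECK sample is the output quoted in the first post.

```shell
#!/bin/sh
# Added example, not from the thread: classify MQSC output before trusting a rule.
# Live input would come from e.g.  echo "DISPLAY QMGR CHLAUTH" | runmqsc QM1
# (QM1 is a placeholder queue manager name).

# Constructed sample: DISPLAY QMGR CHLAUTH attribute line with the switch off.
SAMPLE_QMGR='   QMNAME(QM1)   CHLAUTH(DISABLED)'

# MATCH(RUNCHECK) output as posted in the thread.
SAMPLE_RUNCHECK='AMQ8898: Display channel authentication record details - currently disabled.
CHLAUTH(SYSTEM.DEF.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)'

# Constructed sample: the same matched rule without the "currently disabled" suffix.
SAMPLE_ENFORCED='CHLAUTH(SYSTEM.DEF.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)'

# has TEXT STRING: true if TEXT contains the fixed string STRING.
has() { printf '%s\n' "$1" | grep -qF -- "$2"; }

# qmgr_chlauth TEXT: state of the queue-manager-wide CHLAUTH switch.
qmgr_chlauth() {
    if has "$1" 'CHLAUTH(DISABLED)'; then echo DISABLED
    elif has "$1" 'CHLAUTH(ENABLED)'; then echo ENABLED
    else echo UNKNOWN
    fi
}

# runcheck_verdict TEXT: what a MATCH(RUNCHECK) result means for a real connection.
runcheck_verdict() {
    if has "$1" 'currently disabled'; then
        echo NOT_ENFORCED       # rule matches, but the queue manager ignores CHLAUTH
    elif has "$1" 'WARN(YES)'; then
        echo WARN_ONLY          # warning mode: the match is reported, not blocked
    elif has "$1" 'USERSRC(NOACCESS)' || has "$1" 'TYPE(BLOCKUSER)'; then
        echo BLOCKED
    else
        echo NO_BLOCKING_RULE
    fi
}

echo "qmgr switch : $(qmgr_chlauth "$SAMPLE_QMGR")"
echo "thread case : $(runcheck_verdict "$SAMPLE_RUNCHECK")"
echo "enabled case: $(runcheck_verdict "$SAMPLE_ENFORCED")"
```

The WARN(YES) branch only fires if the WARN attribute is present in the text being checked, as it is in the `dis chlauth(...) all` output in the first post.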