MQSeries.net Forum Index » IBM MQ Security » Queue/channel security

Queue/channel security
ttechsavvy
Posted: Wed May 05, 2021 3:56 am    Post subject: Queue/channel security

Novice

Joined: 09 Sep 2020
Posts: 10

Hello

Kind of beginner question but how (or is it even possible) to implement user/pass security qmgr to qmgr set up?

Backstory: We have set up mq server (v9.2.1) and have couple of connected partners. They use mq qmgr so we have server to server connections. We also have one internal client connection which collects messages from different queues. In client connection, I have implemented user/pass security and gave authorizations inside mq server to connect and consume messages.

How would I configure the same with the server to server connection? Add user to local system, give authorizations inside mq server and partner adds user/pass to channel configuration? I tried this but haven't had any luck.
bruce2359
Posted: Wed May 05, 2021 4:25 am

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

What o/s platform(s)?

How exactly have you implemented MQ user/pass security so far?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
ttechsavvy
Posted: Wed May 05, 2021 4:36 am

Server is running on Linux.

With our internal client connection, I added user/pass to local server (Linux) and gave authorizations to this user (connect to qmgr, consume messages from queues). Client is a Java application and uses these credentials.
bruce2359
Posted: Wed May 05, 2021 5:47 am

I asked you to be precise. How exactly did you add user/pass? What exactly did you do?
ttechsavvy
Posted: Wed May 05, 2021 6:15 am

Sorry, here are the steps:

Linux:

useradd user
passwd user

Ibm MQ:

setmqaut -m qmgr -t qmgr -p user +connect
setmqaut -m qmgr -n queue -t queue -p user +put

So where do I have to add these credentials? Channel (mcauser and password)?
bruce2359
Posted: Wed May 05, 2021 6:29 am

So, with a bit more technical MQ terminology precision, you have SENDER-RECEIVER channels between qmgrs.

Search google for MQ CHLAUTH records. CHLAUTH records can ascribe an identity to a channel end, and allow/refuse connection based on the partner's DNS identity.
bruce2359
Posted: Wed May 05, 2021 6:46 am

Moved to security forum.
bruce2359
Posted: Wed May 05, 2021 7:36 am

You have mentioned user/pass in your post. MQ relies on the o/s and/or an external security manager, like LDAP or PAM or RACF, to authenticate user/pass credentials.

If you are new to MQ, may I strongly suggest that you enroll in an MQ system administration course, and/or download and read MQ primer documentation.
bruce2359
Posted: Wed May 05, 2021 10:49 am

ttechsavvy wrote:

setmqaut -m qmgr -t qmgr -p user +connect
setmqaut -m qmgr -n queue -t queue -p user +put

So where do I have to add these credentials?

Setmqaut control command grants/removes authorizations to resources, not credentials.
ttechsavvy wrote:
Channel (mcauser and password)?

MCAUSER is a channel attribute you can define manually, or you can assign with CHLAUTH records.
ttechsavvy
Posted: Thu May 06, 2021 4:04 am

First of all, thanks for the replies and information.

Went through the documentation about CHLAUTH again and found an interesting line for sender-receiver connection:

CHLAUTH rules can be used on any channel, but there are some restrictions. For example, USERMAP rules apply to SVRCONN channels only.

Link: https://www.ibm.com/docs/en/ibm-mq/9.2?topic=issues-creating-new-chlauth-rules-channels

So, let me get this straight:

There is no way to implement user/pass security without LDAP, PAM or RACF?

I just thought that I can apply the same chlauth records to sender-receiver connection as I did with the client.


Also what I tried:

Added new user to Linux. Gave authorization to connect to qmgr and consume messages for specific queue. Then, added new CHLAUTH record to allow connection from specific qmgr with previously created user.

This seems to work right now.

Pasting the commands again also:

Code:

# Lock down all access:
SET CHLAUTH('TO.MYSVR1') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
DESCR('Back-stop rule')

# Then allow access from queue manager MYSVR2 and from a particular ipaddress:
SET CHLAUTH('TO.MYSVR1') TYPE(QMGRMAP) QMNAME('MYSVR2') USERSRC(MAP)
MCAUSER('mqapp') ADDRESS('192.168.1.134') ACTION(ADD)
bruce2359
Posted: Thu May 06, 2021 5:57 am

ttechsavvy wrote:
So, let me get this straight:

There is no way to implement user/pass security without LDAP, PAM or RACF?

Please be precise. User/pass security of what?

CONNAUTH rules specify where user and password SUPPLIED BY AN APPLICATION will be authenticated - either the o/s or LDAP.
hughson
Posted: Thu May 06, 2021 9:04 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

ttechsavvy wrote:
Also what I tried:

Added new user to Linux. Gave authorization to connect to qmgr and consume messages for specific queue. Then, added new CHLAUTH record to allow connection from specific qmgr with previously created user.

This seems to work right now.

Pasting the commands again also:

Code:

# Lock down all access:
SET CHLAUTH('TO.MYSVR1') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
DESCR('Back-stop rule')

# Then allow access from queue manager MYSVR2 and from a particular ipaddress:
SET CHLAUTH('TO.MYSVR1') TYPE(QMGRMAP) QMNAME('MYSVR2') USERSRC(MAP)
MCAUSER('mqapp') ADDRESS('192.168.1.134') ACTION(ADD)


So what you describe is assigning the user ID 'mqapp' to be used for authority for that channel from that queue manager. Nowhere in the above is a password utilised. So there is no proof that this queue manager is allowed to use this user ID except for the fact that it has made a connection from the IP address you mention. If that's what you want, all good, but you seem to have mentioned user/pass a number of times throughout this thread, and I just wanted to make sure you realise that you are not using the password at all here.

You appear to have also already discovered that there is a difference between the CHLAUTH rules that can be applied to a QMgr-QMgr channel versus a Client-SvrConn channel. This is because the Client-SvrConn is DIRECTLY connected to the application and so user IDs and passwords from inside the application can be made use of. For QMgr-QMgr channels there is no direct link to the application so only things related to the network connection (IP address, qmgr-name, and SSL x509 attributes) can be used in CHLAUTH. There is no User/Password involved in the QMgr-QMgr channel to be processed as part of CHLAUTH or CONNAUTH.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
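The point made in the reply above is that the QMGRMAP rule in the thread proves nothing about who is on the other end beyond the source IP address, because a queue manager name is simply asserted by the partner. The MQSC below is an added example, not from this thread, IBM's documentation or MQGem; it takes the authorisation step from the earlier post (the setmqaut grants, expressed here with the equivalent SET AUTHREC command) and the CHLAUTH step from the later post, and binds the receiver channel to the partner's TLS certificate instead of relying on the address alone. The queue manager names MYSVR1 and MYSVR2, channel TO.MYSVR1, user mqapp and address 192.168.1.134 are the thread's own values; the destination queue APP.IN, the certificate subject and issuer DNs, and the cipher choice are assumptions and placeholders, and the example assumes the channel pair already has a key repository and certificates set up.

```mqsc
* Added example (not from the thread). Run on MYSVR1 with: runmqsc MYSVR1 < this_file.mqsc
* Assumed values: destination queue APP.IN, partner certificate DN and issuer DN
* (placeholders below), cipher ANY_TLS12_OR_HIGHER (available from 9.1.4 onwards).

* 1. Authority for the mapped identity. A receiving MCA runs as the channel's MCAUSER
*    and needs connect on the queue manager plus put and context (setall) on every
*    queue it delivers to, including the dead-letter queue. No get/browse is needed,
*    so the identity cannot be used to read messages if it leaks.
*    (MQSC equivalent of: setmqaut -m MYSVR1 -t qmgr -p mqapp +connect +inq, etc.)
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('mqapp') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('APP.IN') OBJTYPE(QUEUE) PRINCIPAL('mqapp') AUTHADD(PUT,SETALL)
SET AUTHREC PROFILE('SYSTEM.DEAD.LETTER.QUEUE') OBJTYPE(QUEUE) PRINCIPAL('mqapp') AUTHADD(PUT,SETALL)

* 2. Require TLS on the receiver and force the partner to present a certificate.
*    Without SSLCAUTH(REQUIRED) the SSLPEERMAP rule below has nothing to match on.
ALTER CHANNEL('TO.MYSVR1') CHLTYPE(RCVR) SSLCIPH('ANY_TLS12_OR_HIGHER') SSLCAUTH(REQUIRED)

* 3. Back-stop rule, as in the thread: nobody gets on this channel unless a more
*    specific rule maps them. REPLACE so re-running the script is idempotent.
SET CHLAUTH('TO.MYSVR1') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Back-stop rule') ACTION(REPLACE)

* 4. Map the partner by its certificate subject AND issuer, still pinned to the
*    expected address. SSLPEERMAP rules take precedence over ADDRESSMAP, so this
*    is the rule that admits MYSVR2; a connection from the same IP without the
*    certificate falls through to the back-stop and is refused.
*    PLACEHOLDER DNs: replace with the partner's real subject and issuer.
SET CHLAUTH('TO.MYSVR1') TYPE(SSLPEERMAP) +
    SSLPEER('CN=MYSVR2,O=PARTNER-ORG-PLACEHOLDER') +
    SSLCERTI('CN=PARTNER-CA-PLACEHOLDER,O=PARTNER-ORG-PLACEHOLDER') +
    ADDRESS('192.168.1.134') USERSRC(MAP) MCAUSER('mqapp') +
    DESCR('MYSVR2 by certificate') ACTION(ADD)

* 5. Verify before the partner restarts the channel: RUNCHECK reports which rule a
*    connection with these attributes would hit and the MCAUSER it would receive.
*    Try it once with and once without the SSLPEER/SSLCERTI keywords; the second
*    run should land on the back-stop rule (NOACCESS).
DISPLAY CHLAUTH('TO.MYSVR1') MATCH(RUNCHECK) ADDRESS('192.168.1.134') QMNAME('MYSVR2') +
    SSLPEER('CN=MYSVR2,O=PARTNER-ORG-PLACEHOLDER') +
    SSLCERTI('CN=PARTNER-CA-PLACEHOLDER,O=PARTNER-ORG-PLACEHOLDER')
DISPLAY CHLAUTH('TO.MYSVR1') MATCH(RUNCHECK) ADDRESS('192.168.1.134') QMNAME('MYSVR2')
DISPLAY AUTHREC PRINCIPAL('mqapp')
```

The design choice here is the one the reply argues for: on a QMgr-QMgr channel there is no password to check, so the only strong proof of identity available to CHLAUTH is the x509 certificate, and the QMGRMAP rule from the thread is deliberately not kept, because a matching name-plus-address rule would admit a connection that asserts the name MYSVR2 without ever presenting the certificate. The authority records are kept to the minimum a receiving MCA needs, so that the mapped identity cannot consume messages even if it is ever mapped by mistake.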
ttechsavvy
Posted: Fri May 07, 2021 3:18 am

Thanks for the explanation! This is what I was trying to figure out.