Author |
Message
|
neverxp |
Posted: Sun Jun 13, 2021 4:06 pm Post subject: CHLAUTH - Being blocked by Allow access rule |
|
|
Newbie
Joined: 13 Jun 2021 Posts: 3
|
Hi,
I would like to create a channel authentication rule such that it will allow one of my SVRCONN channels to be accessible to a particular user, and block all other connections. But the allow access rule always blocks the user access when I run match(RUNCHECK) to check.
The rules I copied from the IBM website:
--block all users
SET CHLAUTH('TEST.SVR.CONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('block all users') WARN(NO) ACTION(ADD)
--override - no MQM admin rule, allow privileged users
SET CHLAUTH('TEST.SVR.CONN') TYPE(BLOCKUSER) USERLIST('nobody') DESCR('override no mqm admin rule') WARN(NO) ACTION(ADD)
--allow mqtest userid
SET CHLAUTH('TEST.SVR.CONN') TYPE(USERMAP) CLNTUSER('mqtest') USERSRC(CHANNEL) DESCR('allow mqtest userid') ACTION(ADD)
match(RUNCHECK):
display chlauth(TEST.SVR.CONN) match(RUNCHECK) clntuser('mqtest') address('192.168.1.1')
79 : display chlauth(TEST.SVR.CONN) match(RUNCHECK) clntuser('mqtest') address('192.168.1.1')
AMQ8878I: Display channel authentication record details.
CHLAUTH(TEST.SVR.CONN) TYPE(USERMAP)
ADDRESS( ) CLNTUSER(mqtest)
USERSRC(CHANNEL) |
 |
fjb_saper |
Posted: Sun Jun 13, 2021 8:39 pm Post subject: Re: CHLAUTH - Being blocked by Allow access rule |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
neverxp wrote: |
Hi,
I would like to create a channel authentication rule such that it will allow one of my SVRCONN channels to be accessible to a particular user, and block all other connections. But the allow access rule always blocks the user access when I run match(RUNCHECK) to check.
The rules I copied from the IBM website:
--block all users
SET CHLAUTH('TEST.SVR.CONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('block all users') WARN(NO) ACTION(ADD)
--override - no MQM admin rule, allow privileged users
SET CHLAUTH('TEST.SVR.CONN') TYPE(BLOCKUSER) USERLIST('nobody') DESCR('override no mqm admin rule') WARN(NO) ACTION(ADD)
--allow mqtest userid
SET CHLAUTH('TEST.SVR.CONN') TYPE(USERMAP) CLNTUSER('mqtest') USERSRC(CHANNEL) DESCR('allow mqtest userid') ACTION(ADD)
match(RUNCHECK):
display chlauth(TEST.SVR.CONN) match(RUNCHECK) clntuser('mqtest') address('192.168.1.1')
79 : display chlauth(TEST.SVR.CONN) match(RUNCHECK) clntuser('mqtest') address('192.168.1.1')
AMQ8878I: Display channel authentication record details.
CHLAUTH(TEST.SVR.CONN) TYPE(USERMAP)
ADDRESS( ) CLNTUSER(mqtest)
USERSRC(CHANNEL) |
I believe you're misinterpreting the runcheck output. It says the rule to be applied is the one you created for usermap.
_________________
MQ & Broker admin |
 |
neverxp |
Posted: Sun Jun 13, 2021 10:35 pm Post subject: Re: CHLAUTH - Being blocked by Allow access rule |
|
|
Newbie
Joined: 13 Jun 2021 Posts: 3
|
fjb_saper wrote: |
neverxp wrote: |
Hi,
I would like to create a channel authentication rule such that it will allow one of my SVRCONN channels to be accessible to a particular user, and block all other connections. But the allow access rule always blocks the user access when I run match(RUNCHECK) to check.
The rules I copied from the IBM website:
--block all users
SET CHLAUTH('TEST.SVR.CONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('block all users') WARN(NO) ACTION(ADD)
--override - no MQM admin rule, allow privileged users
SET CHLAUTH('TEST.SVR.CONN') TYPE(BLOCKUSER) USERLIST('nobody') DESCR('override no mqm admin rule') WARN(NO) ACTION(ADD)
--allow mqtest userid
SET CHLAUTH('TEST.SVR.CONN') TYPE(USERMAP) CLNTUSER('mqtest') USERSRC(CHANNEL) DESCR('allow mqtest userid') ACTION(ADD)
match(RUNCHECK):
display chlauth(TEST.SVR.CONN) match(RUNCHECK) clntuser('mqtest') address('192.168.1.1')
79 : display chlauth(TEST.SVR.CONN) match(RUNCHECK) clntuser('mqtest') address('192.168.1.1')
AMQ8878I: Display channel authentication record details.
CHLAUTH(TEST.SVR.CONN) TYPE(USERMAP)
ADDRESS( ) CLNTUSER(mqtest)
USERSRC(CHANNEL) |
I believe you're misinterpreting the runcheck output. It says the rule to be applied is the one you created for usermap.  |
Yes, you are right. I got it wrong. But how to tell from the runcheck output that the access is blocked or allowed? |
 |
hughson |
Posted: Mon Jun 14, 2021 2:42 am Post subject: Re: CHLAUTH - Being blocked by Allow access rule |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
neverxp wrote: |
Yes, you are right. I got it wrong. But how to tell from the runcheck output that the access is blocked or allowed? |
The output is simply showing you the CHLAUTH rule that would match. You can tell by looking at the rule whether it is a block rule or an allow rule from looking at the TYPE and the USERSRC fields.
- TYPE(BLOCKUSER) is a blocking rule.
- TYPE(BLOCKADDR) is a blocking rule.
- TYPE(....MAP) is an allow rule unless USERSRC(NOACCESS) is coded in the rule.
Hope that helps.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
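As an added example (not part of the thread and not IBM tooling), the TYPE/USERSRC rule from the post above applied to captured runcheck output in Python. The names `parse_record` and `verdict` are hypothetical, and the two samples other than the output quoted in the first post are constructed.

```python
import re

# KEY(VALUE) pairs as printed by runmqsc; VALUE may be blank, e.g. ADDRESS( )
ATTR = re.compile(r"([A-Z]+)\(\s*([^)]*?)\s*\)")

def parse_record(output):
    """Return the attributes of the record shown after message AMQ8878I."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line.lstrip().startswith("AMQ8878I"):
            lines = lines[i + 1:]  # drop the echoed command and the message line
            break
    return dict(ATTR.findall("\n".join(lines)))

def verdict(output):
    """Apply the TYPE / USERSRC rule from the post above."""
    rec = parse_record(output)
    rule_type = rec.get("TYPE", "")
    if rule_type in ("BLOCKUSER", "BLOCKADDR"):
        return "block"
    if rule_type.endswith("MAP"):
        return "block" if rec.get("USERSRC") == "NOACCESS" else "allow"
    return "unknown"  # no record parsed, or a TYPE not covered by the rule

# Output quoted in the first post of this thread
PAGE_OUTPUT = """\
79 : display chlauth(TEST.SVR.CONN) match(RUNCHECK) clntuser('mqtest') address('192.168.1.1')
AMQ8878I: Display channel authentication record details.
CHLAUTH(TEST.SVR.CONN) TYPE(USERMAP)
ADDRESS( ) CLNTUSER(mqtest)
USERSRC(CHANNEL)
"""

# Constructed samples (layout assumed): the thread's other two rules as matches
NOACCESS_OUTPUT = """\
AMQ8878I: Display channel authentication record details.
CHLAUTH(TEST.SVR.CONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
"""
BLOCKUSER_OUTPUT = """\
AMQ8878I: Display channel authentication record details.
CHLAUTH(TEST.SVR.CONN) TYPE(BLOCKUSER)
USERLIST(nobody)
"""

if __name__ == "__main__":
    for name, text in [("mqtest", PAGE_OUTPUT), ("addressmap", NOACCESS_OUTPUT),
                       ("blockuser", BLOCKUSER_OUTPUT)]:
        print(name, "->", verdict(text))
```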
 |
neverxp |
Posted: Mon Jun 14, 2021 4:09 am Post subject: Re: CHLAUTH - Being blocked by Allow access rule |
|
|
Newbie
Joined: 13 Jun 2021 Posts: 3
|
hughson wrote: |
neverxp wrote: |
Yes, you are right. I got it wrong. But how to tell from the runcheck output that the access is blocked or allowed? |
The output is simply showing you the CHLAUTH rule that would match. You can tell by looking at the rule whether it is a block rule or an allow rule from looking at the TYPE and the USERSRC fields.
- TYPE(BLOCKUSER) is a blocking rule.
- TYPE(BLOCKADDR) is a blocking rule.
- TYPE(....MAP) is an allow rule unless USERSRC(NOACCESS) is coded in the rule.
Hope that helps.
Cheers,
Morag |
This is really helpful. Thank you |
 |
bruce2359 |
Posted: Mon Jun 14, 2021 9:31 am Post subject: Re: CHLAUTH - Being blocked by Allow access rule |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
neverxp wrote: |
The rules I copied from the IBM website:
--block all users
SET CHLAUTH('TEST.SVR.CONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('block all users') WARN(NO) ACTION(ADD)
|
If I may nitpick for a moment... the DESCR above is misleading in that it does not block all users; rather, this is an address-mapping rule that blocks all addresses, and for this channel only.
I bring this up because clients (the human kind) often take literally what they read.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
 |
hughson |
Posted: Mon Jun 14, 2021 6:10 pm Post subject: Re: CHLAUTH - Being blocked by Allow access rule |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
bruce2359 wrote: |
neverxp wrote: |
The rules I copied from the IBM website:
--block all users
SET CHLAUTH('TEST.SVR.CONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('block all users') WARN(NO) ACTION(ADD)
|
If I may nitpick for a moment... the DESCR above is misleading in that it does not block all users; rather, this is an address-mapping rule that blocks all addresses, and for this channel only.
I bring this up because clients (the human kind) often take literally what they read. |
Yes, I'd be inclined to change the description to be:-
Code: |
DESCR('Block all connections to this channel') |
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |