Mallik (Acolyte, Joined: 29 Feb 2004, Posts: 53)
Posted: Tue Sep 21, 2004 10:00 pm Post subject: BLOCKIP with java clients..
I am trying to use the BLOCKIP security exit with Java clients. I have tested the exit by specifying some IPs in the SVRCONN channel SCYDATA attribute, and the exit allows only connections from those specific IPs.
I would like to know if there is a way to also control the users connecting from these IPs. I specified the '-n' option in SCYDATA and the exit is blocking the 'mqm' & 'musr_mqadmin' users.
Let's say I want to allow user 'user1' and block all other users from the same IP. Is it something we can achieve with the BLOCKIP exit? I can have the developers use 'MQEnvironment.userID=user1' and give the appropriate privileges on the server side for that user. Still, any other user who has a login on the client box could do the same thing to connect to the QMGR. Please correct me if I am wrong here; your suggestions are much appreciated.
Thanks
Michael Dag (Jedi Knight, Joined: 13 Jun 2002, Posts: 2607, Location: The Netherlands (Amsterdam))
Posted: Wed Sep 22, 2004 3:37 am Post subject:
Set up 2 channels, one for developers, one for admins.
You have to set something in the mcauser; leaving it blank
lets any unidentified Java user in as mqm... (many posts on this subject)
_________________
Michael
MQSystems Facebook page
Mallik (Acolyte, Joined: 29 Feb 2004, Posts: 53)
Posted: Wed Sep 22, 2004 9:49 am Post subject:
Quote:
    Set up 2 channels, one for developers, one for admins.
    You have to set something in the mcauser
That is exactly what I wanted to do.
Channel1 for Java clients:
DEFINE CHL(DEVELOPER.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('mqdev')
setmqaut -m QMGR -t qmgr -g mqdev +allmqi
setmqaut -m QMGR -t q -n "*.**" -g mqdev +allmqi
Channel2 for other users (just for browsing the queues):
DEFINE CHL(USER.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('mquser')
setmqaut -m QMGR -t qmgr -g mquser +connect +inq
setmqaut -m QMGR -t q -n "*.**" -g mquser +browse +inq
This works fine as long as regular users use the channel 'USER.SVRCONN' to browse the queues. But what if the same user tries to use the 'DEVELOPER.SVRCONN' channel to put or get messages to/from the queue? Is there any way to stop this user from using the channel 'DEVELOPER.SVRCONN'?
My understanding is that defining the channel 'DEVELOPER.SVRCONN' with an MCAUSER of 'mqdev' means whoever uses this channel will have all the rights specified for the 'mqdev' user on the qmgr & queues and can do put or get on the queues. Please correct me if I am wrong here.
Michael Dag (Jedi Knight, Joined: 13 Jun 2002, Posts: 2607, Location: The Netherlands (Amsterdam))
Posted: Wed Sep 22, 2004 2:10 pm Post subject:
That's why you have BlockIP!
You can limit the access to a certain channel based on IP address or userid coming in.
So for the dev channel you could allow access for dev_user1 from any IP address, or allow access to the dev channel to any user coming from the 'dev' network which is in a certain IP address range like 10.10.123.*
(suppose the users are in 10.10.124.*)
Loads of options to play with!
_________________
Michael
MQSystems Facebook page
Mallik (Acolyte, Joined: 29 Feb 2004, Posts: 53)
Posted: Wed Sep 22, 2004 5:14 pm Post subject:
Uhm.. I think I didn't explain it clearly.
Let's talk about only one IP (10.10.123.254) and say I have set BLOCKIP to only allow connections from this IP and deny all others.
1. For developers I would like to use 'DEVELOPER.SVRCONN' with +allmqi for the MCAUSER 'mqdev'.
2. For all other users I would like to use channel USER.SVRCONN with +browse options for the MCAUSER 'mquser'.
Now from this IP (10.10.123.254), how can I stop one user (say 'mquser', whom I wanted to have only browse permissions) from using the other channel 'DEVELOPER.SVRCONN' (which has an MCAUSER of 'mqdev' and has +allmqi permissions)?
If I leave the MCAUSER blank, Java clients connect as the 'mqm' user. If I specify 'aaa' as MCAUSER, any user can use the channel and connect as the user 'aaa' and have all permissions of that user. Again, all this from the same IP (10.10.123.254). Not sure if I am missing something here.
Thanks
PeterPotkay (Poobah, Joined: 15 May 2001, Posts: 7722)
Posted: Wed Sep 22, 2004 7:05 pm Post subject:
You're not missing anything. BlockIP does just what its name implies: blocks at the IP level.
I don't think SSL will help, as all users on the same machine would have access to the same SSL certs (not sure on this one).
So, if you have multiple users from the same IP address coming to a QM, and you want to allow some users on Channel1 but not Channel2, and all users know the names of both channels (see below), then the only solution is to write a Security Exit that prompts the user for a UserID and Password.
You can also name Channel2 some weird name that won't be easily guessed ("NDE087gbd__nkj%pppq"), and hope no one talks, but that is kind of cheesy.
_________________
Peter Potkay
Keep Calm and MQ On
Michael Dag (Jedi Knight, Joined: 13 Jun 2002, Posts: 2607, Location: The Netherlands (Amsterdam))
Posted: Wed Sep 22, 2004 10:36 pm Post subject:
PeterPotkay wrote:
    You're not missing anything. BlockIP does just what its name implies: blocks at the IP level.
Peter, the latest version of BlockIP2 does user + IP blocking using patterns, have a look.
_________________
Michael
MQSystems Facebook page
Mallik (Acolyte, Joined: 29 Feb 2004, Posts: 53)
Posted: Mon Sep 27, 2004 3:01 pm Post subject:
Quote:
    the latest version of BlockIP2 does user + IP blocking using patterns, have a look.
MichaelDag,
It took a while for me to test both the user & IP combination.
I have specified the following.
Patterns=**.**.**.**;
Userids=user1;
BlockMqmUsers=Y
The exit is blocking all users except 'user1'. Then I logged in as 'user2', wrote a small Java prog and specified MQEnvironment.userID = "user1" using the same channel. Now 'user2' is also able to connect to the qmgr as 'user1', which I want to stop. How can we stop 'user2' from accessing this channel this way? Please clarify if you are talking about anything different or if there is another approach.
Thanks.
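A small model, added here and not taken from the thread or from BlockIP2 itself, of the decision path the posts above describe: the channel's MCAUSER, the setmqaut profiles from the earlier post, and an exit that sees only the peer IP and the client-asserted user ID. The '**' wildcard handling and the order in which the exit checks its settings are assumptions.

```python
"""Model of the channel authorization path discussed in this thread.

Illustration only; not BlockIP2 code and not the original poster's code.
Assumptions: the exit sees only the peer IP and the user ID the client
asserts (MQEnvironment.userID); a '**' component in Patterns matches any
value; a non-blank MCAUSER replaces the asserted ID for authorization.
"""
from fnmatch import fnmatch

# Channel definitions from the thread: MCAUSER fixes the effective identity.
CHANNELS = {
    "DEVELOPER.SVRCONN": {"mcauser": "mqdev"},
    "USER.SVRCONN": {"mcauser": "mquser"},
}

# setmqaut profiles from the thread, keyed by group (+allmqi expanded).
AUTHORITIES = {
    "mqdev": {"connect", "inq", "put", "get", "browse"},
    "mquser": {"connect", "inq", "browse"},
}

# BlockIP2-style exit settings as posted (constructed into a dict).
EXIT = {"patterns": ["**.**.**.**"], "userids": ["user1"], "block_mqm": True}


def exit_allows(ip, asserted_user, cfg=EXIT):
    """Exit decision: IP pattern, then mqm blocking, then the allowed IDs.

    Note that asserted_user is whatever the client chose to send; the exit
    has no way to verify it, which is the gap the thread runs into.
    """
    globs = [p.replace("**", "*") for p in cfg["patterns"]]  # assumption
    if not any(fnmatch(ip, g) for g in globs):
        return False
    if cfg["block_mqm"] and asserted_user in ("mqm", "musr_mqadmin"):
        return False
    return asserted_user in cfg["userids"]


def effective_user(channel, asserted_user):
    """Identity used for authority checks: MCAUSER if set, else asserted ID."""
    return CHANNELS[channel]["mcauser"] or asserted_user


def may(channel, ip, asserted_user, operation):
    """Combined check: exit first, then the setmqaut profile for the identity."""
    if not exit_allows(ip, asserted_user):
        return False
    return operation in AUTHORITIES.get(effective_user(channel, asserted_user), set())
```

Running `may("USER.SVRCONN", "10.10.123.254", "user1", "put")` returns False while the same call on DEVELOPER.SVRCONN returns True, and nothing in the inputs tells the exit which OS login sent "user1".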
PeterPotkay (Poobah, Joined: 15 May 2001, Posts: 7722)
Posted: Mon Sep 27, 2004 7:07 pm Post subject:
PeterPotkay wrote:
    So, if you have multiple users from the same IP address coming to a QM, and you want to allow some users on Channel1 but not Channel2, and all users know the names of both channels (see below), then the only solution is to write a Security Exit that prompts the user for a UserID and Password.
You need to filter by something that is unique to user1 that user2 cannot impersonate. A password known only to user1 is the only way I can think of. As you have found out, it is very easy for user2 to "look" like user1.
Michael, I forgot BlockIP does the ID filter as well. Unfortunately, without passwords, IDs alone in MQSeries are useless for authentication, especially when Java is involved.
_________________
Peter Potkay
Keep Calm and MQ On
hguapluas (Centurion, Joined: 05 Aug 2004, Posts: 105, Location: San Diego)
Posted: Fri Oct 15, 2004 7:26 am Post subject:
If you are on a Windows environment (don't know how this would work on others), at the target queue "domain mqm" group, create separate user accounts for user1 and user2 and give them different passwords. Windows MQ can use these accounts to determine if a connect should be made and will stop/break a connection if the account doesn't validate. That is one of the reasons the 'Red Books' mention setting up multiple mqm accounts in a Windows environment to help control connections from remote/client MQ systems. (This is what I've found out so far in my testing. Correct me if I'm wrong please.)