dnoam |
Posted: Mon Mar 06, 2006 5:28 am Post subject: Identify specific clients (when using MCAUSER) |
|
|
Apprentice
Joined: 23 Jan 2006 Posts: 25
|
Hi.
Config: AIX Clients, Win2003 Server.
We're developing MQ applications that run on AIX Clients.
We're using MCAUSER, so all the clients appear as the same user.
Thus, MQCONN will always succeed.
However, we would like to identify the clients before MQCONN, to make sure it's only the clients allowed to access the MQ Server.
How can we identify the clients?
Is there any data specific to the client machine that we can check before (or after) MQCONN?
TIA

wschutz |
Posted: Mon Mar 06, 2006 6:48 am Post subject: |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
Why not leave MCAUser blank?
_________________
-wayne

Nigelg |
Posted: Mon Mar 06, 2006 7:44 am Post subject: |
|
|
Grand Master
Joined: 02 Aug 2004 Posts: 1046
|
You can use the client CONNAME.
_________________
MQSeries.net helps those who help themselves..

jefflowrey |
Posted: Mon Mar 06, 2006 3:36 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Why not use SSL?
_________________
I am *not* the model of the modern major general.

csmith28 |
Posted: Mon Mar 06, 2006 7:44 pm Post subject: |
|
|
 Grand Master
Joined: 15 Jul 2003 Posts: 1196 Location: Arizona
|
Or define a unique SVRCONN Channel for each application to use.
_________________
Yes, I am an agent of Satan but my duties are largely ceremonial.

dnoam |
Posted: Mon Mar 06, 2006 10:35 pm Post subject: |
|
|
Apprentice
Joined: 23 Jan 2006 Posts: 25
|
wschutz wrote: |
Why not leave MCAUser blank? |
We have a problem with authenticating the users.
They are LDAP users, in a group called DOMAIN_USERS, included in mqm on the MQ Server.
But still, MQCONN fails (2035).
Defining all the users on the MQ server is out of the question.
That's why I used MCAUSER.
I'd appreciate any suggestion.

dnoam |
Posted: Tue Mar 07, 2006 12:16 am Post subject: |
|
|
Apprentice
Joined: 23 Jan 2006 Posts: 25
|
Nigelg wrote: |
You can use the client CONNAME. |
Assuming you're referring to a channel definition, please note we don't have one.
On the clients we use MQSERVER=Chlname/TCP/hostname.
Is there anywhere else I can find CONNAME?

wschutz |
Posted: Tue Mar 07, 2006 2:51 am Post subject: |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
You don't need a clntconn channel definition; Nigel is referring to the conname that shows up in "dis chs(*)":
Quote: |
AMQ8417: Display Channel Status details.
CHANNEL(EXIT.SVRCONN) CHLTYPE(SVRCONN)
CONNAME(127.0.0.1) CURRENT
RQMNAME( ) STATUS(RUNNING)
SUBSTATE(RECEIVE) XMITQ( )
|
which is the connection IP of the client's machine....
_________________
-wayne

SAFraser |
Posted: Tue Mar 07, 2006 3:18 pm Post subject: |
|
|
 Shaman
Joined: 22 Oct 2003 Posts: 742 Location: Austin, Texas, USA
|
We use a security channel exit (BlockIP) on the SVRCONN. But you have to maintain a list of IPs that are authorized for access, so if it is a lot of client machines, it might not be practical.

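The check that the CONNAME suggestion and the authorized-IP list above point at, as an added example (not code from any poster, and not the BlockIP exit): it parses `dis chs(*)` output and reports SVRCONN instances whose CONNAME is outside an allow list. The sample output, channel names, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of "dis chs(*)" output, trimmed to the fields the thread quotes.
# Channel names and addresses are made up for illustration.
SAMPLE_CHSTATUS = """\
AMQ8417: Display Channel Status details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   CONNAME(10.20.30.41)                    CURRENT
   RQMNAME( )                              STATUS(RUNNING)
AMQ8417: Display Channel Status details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   CONNAME(192.0.2.77)                     CURRENT
   RQMNAME( )                              STATUS(RUNNING)
AMQ8417: Display Channel Status details.
   CHANNEL(QM2.TO.QM1)                     CHLTYPE(RCVR)
   CONNAME(198.51.100.9)                   CURRENT
   RQMNAME(QM2)                            STATUS(RUNNING)
"""

FIELD = re.compile(r"([A-Z]+)\(([^()]*)\)")  # KEYWORD(value) pairs

def parse_chstatus(text):
    """Return one dict per channel instance; each AMQ8417 header starts a record."""
    records = []
    for line in text.splitlines():
        if line.lstrip().startswith("AMQ8417"):
            records.append({})
        elif records:
            records[-1].update((k, v.strip()) for k, v in FIELD.findall(line))
    return records

def unauthorized_clients(text, allowed_networks):
    """Return (channel, conname) for SVRCONN instances outside the allow list."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for rec in parse_chstatus(text):
        if rec.get("CHLTYPE") != "SVRCONN":
            continue  # only client connections are of interest here
        conname = rec.get("CONNAME", "")
        try:
            ok = any(ipaddress.ip_address(conname) in n for n in nets)
        except ValueError:
            ok = False  # CONNAME is not a bare IP address, so it cannot be verified
        if not ok:
            flagged.append((rec.get("CHANNEL"), conname))
    return flagged

if __name__ == "__main__":
    print(unauthorized_clients(SAMPLE_CHSTATUS, ["10.20.30.0/24"]))
```

This reports connections after they are made; it does not block them. An IP address identifies a machine rather than a user or application.
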
wschutz |
Posted: Tue Mar 07, 2006 4:47 pm Post subject: |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
Quote: |
However, we would like to identify the clients before MQCONN, to make sure it's only the clients allowed to access the MQ Server. |
How are you planning on doing this? A table of valid clients? Valid IP addresses? Something else ....
and, as Jeff wrote:
_________________
-wayne