BlockIP2 Problems on Linux
vanushreevyas
Posted: Mon Nov 28, 2011 5:31 am

Novice

Joined: 28 Nov 2011
Posts: 20

Hello,

We have implemented BLOCKIP2 on a single server connection channel on a queue manager in a Linux environment for MQ version 7.0.1.3.

BlockIP2 is configured not to allow connections for blank user IDs.
Most of the time BlockIP2 does work as expected and stops the application from establishing a connection.

But sometimes we can see BlockIP2 has not succeeded in refusing the connection. BlockIP2 was implemented a week back and since then we can see at least 2 connections out of 1000's have been allowed with blank user id (using CHSTADA parameter for server connection channel). Rest all were refused as expected.
Even the BlockIP2 log does not contain any information for these connections.

Is BlockIP2 failing to work under heavy load? Has anyone seen this problem before? If BlockIP2 works for 998 instances of the same channel why would it not work for just 2?

Thanks and Regards,
Vanu

zpat
Posted: Mon Nov 28, 2011 6:29 am

Jedi Council

Joined: 19 May 2001
Posts: 5559
Location: UK

Version of BlockIP2 ?

vanushreevyas
Posted: Mon Nov 28, 2011 6:42 am

Novice

Joined: 28 Nov 2011
Posts: 20

V 2.93

zpat
Posted: Mon Nov 28, 2011 6:55 am

Jedi Council

Joined: 19 May 2001
Posts: 5559
Location: UK

There is a way to deal with this. Although I have never seen it happen.

Set the SVRCONN to have mcauser=NoBody (where this id does not exist).

Set the BlockIP2 parms to include these lines at the end. This allows non-blank ids to continue, but if the exit is not called they will fail due to Nobody.

CON=*;BLANK_USERID;BLOCK;
CON=*;*;MCA=*;

mqjeff
Posted: Mon Nov 28, 2011 7:50 am

Grand Master

Joined: 25 Jun 2008
Posts: 17448

Is it possible that the failures to block are occurring for user id's that are all spaces, rather than nulls?

vanushreevyas
Posted: Mon Nov 28, 2011 8:24 am

Novice

Joined: 28 Nov 2011
Posts: 20

mqjeff - The failure is occurring for null user id's. It seems that the security exit is not getting called once among many connection attempts as there is no logging for connection accepted in the log for BlockIP2.

vanushreevyas
Posted: Wed Nov 30, 2011 4:33 am

Novice

Joined: 28 Nov 2011
Posts: 20

Another problem I have come across is that I can see connection refused for a particular IP in the BlockIP2 log but at exactly the same time I can see a connection has been established on the channel.

Information from log:
2011-11-30|11:15:19|1674218384| Connection refused for pattern [10.27.66.91;10.27.66.221;10.27.67.27;10.27.66.223;10.27.66.198;] ChannelName=[O.SVRCONN.C1] user=[obtest1] ConnName=[10.231.189.31]

Stats for channel:

CHANNEL(O.SVRCONN.C1) CHLTYPE(SVRCONN)
CHSTADA(2011-11-30) CHSTATI(11.15.19)
CONNAME(10.231.189.31) CURRENT
MCAUSER( ) STATUS(RUNNING)
SUBSTATE(RECEIVE)


BlockIP2.ini file:

QMGR=QM1;
CHANNEL=O.SVRCONN.C1;
Patterns=10.27.66.91,10.27.66.221,10.27.67.27,10.27.66.223,10.27.66.198;
Userids=wlsesbaa,wlsesbau,wlsesbca,wlsescap;

Am wondering if I have missed out something during configuration!
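
The two symptoms reported in this thread (a blank-MCAUSER instance with no BlockIP2 log entry, and one logged as refused that still shows RUNNING) can be told apart by joining channel status against the exit log. This is an added example, not part of the original posts or of BlockIP2; the sample text is constructed in the shape of the quoted log line and status output, and the function names and the 2-second slack are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed samples shaped like the log line and channel status quoted in the thread.
BLOCKIP2_LOG = """\
2011-11-30|11:15:19|1674218384| Connection refused for pattern [10.27.66.91;] ChannelName=[O.SVRCONN.C1] user=[obtest1] ConnName=[10.231.189.31]
"""
CHSTATUS = """\
CHANNEL(O.SVRCONN.C1) CONNAME(10.231.189.31)
CHSTADA(2011-11-30) CHSTATI(11.15.19)
MCAUSER( ) STATUS(RUNNING)
CHANNEL(O.SVRCONN.C1) CONNAME(10.27.66.91)
CHSTADA(2011-11-30) CHSTATI(11.20.02)
MCAUSER(wlsesbaa) STATUS(RUNNING)
CHANNEL(O.SVRCONN.C1) CONNAME(10.231.189.40)
CHSTADA(2011-11-30) CHSTATI(11.42.07)
MCAUSER( ) STATUS(RUNNING)
"""
REFUSED = re.compile(r"^(\d{4}-\d\d-\d\d)\|(\d\d:\d\d:\d\d)\|\d+\|\s*Connection refused.*?"
                     r"ChannelName=\[([^\]]*)\].*?ConnName=\[([^\]]*)\]")
ATTR = re.compile(r"(\w+)\(([^)]*)\)")

def refusals(log_text):
    """Yield (channel, conname, datetime) for each refusal line in the exit log."""
    for m in filter(None, map(REFUSED.match, log_text.splitlines())):
        date, time, chl, conn = m.groups()
        yield chl, conn, datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")

def instances(text):
    """Return one attribute dict per channel instance in the status output."""
    return [dict(ATTR.findall(b)) for b in re.split(r"(?=\bCHANNEL\()", text) if "MCAUSER(" in b]

def audit(chstatus_text, log_text, slack=timedelta(seconds=2)):
    """List running instances with a blank MCAUSER and what the exit log says about them."""
    seen = list(refusals(log_text))
    findings = []
    for inst in instances(chstatus_text):
        if inst["MCAUSER"].strip() or inst.get("STATUS") != "RUNNING":
            continue  # an MCAUSER is set, or the instance is not running
        start = datetime.strptime(f"{inst['CHSTADA']} {inst['CHSTATI']}", "%Y-%m-%d %H.%M.%S")
        hit = any(c == inst["CHANNEL"] and n == inst["CONNAME"] and abs(t - start) <= slack
                  for c, n, t in seen)
        verdict = "refused in log but running" if hit else "no log entry"
        findings.append((inst["CONNAME"], str(start), verdict))
    return findings

if __name__ == "__main__":
    print(*audit(CHSTATUS, BLOCKIP2_LOG), sep="\n")
```

A "no log entry" row matches the case where the exit may not have been invoked at all, while "refused in log but running" matches the second report in the thread.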