Blockip2 to Channel Authentication Records transition

cronydude
Posted: Fri Sep 21, 2012 8:55 am

Hi,

We had been using blockip2 to restrict client connections to our queue managers for a while. We just started migrating to WMQ v7.1 and now we plan to replace Blockip2 with Channel Authentication Records (CAR). Having gone through the documentation multiple times, I am still confused with the concept, at least on replicating our existing Blockip2 rules using CAR. In any case, I came up with CARs that may work but I want to get help from experts here.

For example, a svrconn has a junk id as mcaid and it invokes a Blockip2 spec with the rules below in it. The spec allows connections only from IP 10.123.45.678 AND with userid 'ApplicationUserId'. Then the id 'ApplicationUserId' gets mapped to 'MappedUserid', which has sufficient authorities on the queue manager and other objects. Any other connection attempts are blocked. So we block everything and then have a white list.

========================================

## Block WMQ default users
BlockMqmUsers=Y;

## App connection
CON=10.123.45.678;ApplicationUserId;MCA=MappedUserid;

## Block all other connections
CON=*;*;BLOCK;

=========================================

Trying to replicate the above rules using the following CAR rules:

=========================================
## Block ALL channels for ALL users and ALL addresses
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Block everyone everywhere')

SET CHLAUTH('APP.SVRCONN') TYPE(USERMAP) CLNTUSER('ApplicationUserId') MCAUSER('MappedUserid') ADDRESS('10.123.45.678') DESCR('Application Name')

==========================================

When I put this to work, it seems to be working, but somehow I am not confident, so I just want to get some expert opinion here. What do you guys think? Does anyone see a loophole here?

Appreciate your time and suggestions. Thanks for your help in advance.
_________________
Regs,
crony
IBM Certified Specialist - MQSeries
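
One way to check the two records above against the queue manager itself, as an added example that is not part of the original post: in runmqsc, `DISPLAY CHLAUTH` with `MATCH(RUNCHECK)` returns the record that would be applied to a given inbound connection, so each whitelist and block case can be checked without a live client. The address 10.9.9.9 and the user IDs `someoneelse` and `mqm` are constructed test values.

```mqsc
* Added example, not from the original post.
* Records are only enforced while the queue manager has CHLAUTH(ENABLED).
DISPLAY QMGR CHLAUTH

* List every record on the queue manager, including any default records,
* to see what else can match besides the two rules in the post.
DISPLAY CHLAUTH('*') ALL

* Case 1: whitelisted address and whitelisted user ID.
* 10.123.45.678 is the value used in the post and is not a valid IPv4
* address; substitute the real application address here and in case 3 and 4.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
        ADDRESS('10.123.45.678') CLNTUSER('ApplicationUserId')

* Case 2: whitelisted user ID, but from a different address.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
        ADDRESS('10.9.9.9') CLNTUSER('ApplicationUserId')

* Case 3: whitelisted address, but a different user ID.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
        ADDRESS('10.123.45.678') CLNTUSER('someoneelse')

* Case 4: an administrative user ID from the whitelisted address
* (the case that BlockMqmUsers=Y covered in the Blockip2 spec).
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
        ADDRESS('10.123.45.678') CLNTUSER('mqm')
```

For each case, compare the returned record's TYPE, USERSRC and MCAUSER with what the corresponding Blockip2 line did for the same connection.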