pardhunani143 |
Posted: Thu Oct 10, 2013 2:45 pm Post subject: BlockIP2 Security Exit:IP Blocking |
|
|
Novice
Joined: 23 Jul 2013 Posts: 22
|
1. Can BlockIP2 perform the following?
• Remote Queue Manager Name Mapping
• Remote Queue Manager Name Blocking
2. Does BlockIP2 support IP address blocking? If so, what is the keyword to set it?
I could not get much detail from the BlockIP2 manual. |
exerk |
Posted: Fri Oct 11, 2013 12:11 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
There is plenty of detail, and examples, in the manual and on line but the best thing to do is 'play' with it until you achieve what you need to; which will also expand your understanding of the construction of the ini file.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
pardhunani143 |
Posted: Tue Oct 15, 2013 2:57 pm Post subject: |
|
|
Novice
Joined: 23 Jul 2013 Posts: 22
|
Can someone please advise... |
PeterPotkay |
Posted: Tue Oct 15, 2013 3:24 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
When you searched for these terms in the manual for BlockIP2, what did you find?
Post the link to the manual you looked this up in so that we can refer to the same document you have questions on. Maybe refer to the page # in that manual where you had some doubts?
_________________
Peter Potkay
Keep Calm and MQ On |
pardhunani143 |
Posted: Thu Oct 17, 2013 3:41 pm Post subject: |
|
|
Novice
Joined: 23 Jul 2013 Posts: 22
|
As per the BlockIP2 manual, BlockIP2 supports IP address blocking.
For example:
If you are using BlockIP2 you can specify IP addresses in the configuration file by using the keyword “Patterns”. Patterns can include generic IP addresses or ranges and also DN names.
e.g.: Patterns=10.129.31, 10.129.3*, user1.station.com, user2
The above example is considered to be for IP address filtering, but can we say this is also for IP address blocking?
I could not find anything related to Remote Queue Manager Name Mapping and Remote Queue Manager Name Blocking.
So can we say that BlockIP2 cannot perform Remote Queue Manager Name Mapping and Remote Queue Manager Name Blocking? |
exerk |
Posted: Thu Oct 17, 2013 10:34 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
pardhunani143 wrote: |
As per the BlockIP2 manual, BlockIP2 supports IP address blocking.
For example:
If you are using BlockIP2 you can specify IP addresses in the configuration file by using the keyword “Patterns”. Patterns can include generic IP addresses or ranges and also DN names.
e.g.: Patterns=10.129.31, 10.129.3*, user1.station.com, user2
The above example is considered to be for IP address filtering, but can we say this is also for IP address blocking?
I could not find anything related to Remote Queue Manager Name Mapping and Remote Queue Manager Name Blocking.
So can we say that BlockIP2 cannot perform Remote Queue Manager Name Mapping and Remote Queue Manager Name Blocking? |
Are you looking for the analogue of CHLAUTH within BlockIP2, i.e. the ability to filter on a queue manager name only? If so I think you're out of luck. It clearly states "...and also DN names..." so I'd think it's expecting to derive that value from what's flowed across an SSL-enabled channel.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
pardhunani143 |
Posted: Fri Oct 18, 2013 12:51 pm Post subject: |
|
|
Novice
Joined: 23 Jul 2013 Posts: 22
|
exerk,
Could you please elaborate more on your point:
"so I'd think it's expecting to derive that value from what's flowed across an SSL-enabled channel."
Are you saying BlockIP2 can extract the details from an SSL-enabled channel and filter based on the Qmgr name? |
exerk |
Posted: Sat Oct 19, 2013 1:08 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Firstly, I don't use, or have extensively investigated the use of, BlockIP2. Having said that, a quick look through the manual gives the following information:
Quote: |
1. CheckConnectionPattern()
Basic checking of connection names, based on Patterns= keyword
2. CheckBlockedUserId()
Basic checking of banned userids, based on BlockUsers= keyword
3. CheckUserId()
Basic checking of authorized userids, based on Userids= keyword
4. CheckCONList()
Advanced connection checking, based on CON= keywords
5. CheckSSLList()
Advanced connection checking, based on SSL= keywords
6. CheckBlankUser()
Checking for blank userids, controlled by +b option and
AllowBlankUserID= keyword.
7. CheckInvalidUsers()
Checking for invalid userids like mqm, MUSER_MQADMIN, controlled by –n
option and BlockMqmUsers= keyword. |
Note number 5, which means to me that the only way I can see that BlockIP2 derives the connecting queue manager name is from the CN value of the DN passed.
As I previously suggested, you should play around with it to see what it does, and of course the source code is freely available for you to adapt to your own needs and requirements.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
pardhunani143 |
Posted: Sat Oct 19, 2013 11:59 am Post subject: |
|
|
Novice
Joined: 23 Jul 2013 Posts: 22
|
I am just trying to compare whether BlockIP2 can perform remote queue manager name mapping and remote queue manager name blocking...
SET CHLAUTH('QM1.TO.QM2') TYPE(QMGRMAP) QMNAME(QM1) +
USERSRC(MAP) MCAUSER('QM1USER')
The above CHLAUTH rule is to map the MCAUSER to QM1USER if any connection arrives from the QM1 Qmgr.
Similarly in BlockIP2:
SSL=CN=ibmwebspheremqQM1;MCA=QM1USER;
Is the above CHLAUTH analogous to the BlockIP2 property...?? |
exerk |
Posted: Sat Oct 19, 2013 12:49 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
pardhunani143 wrote: |
I am just trying to compare whether BlockIP2 can perform remote queue manager name mapping and remote queue manager name blocking...
SET CHLAUTH('QM1.TO.QM2') TYPE(QMGRMAP) QMNAME(QM1) +
USERSRC(MAP) MCAUSER('QM1USER')
The above CHLAUTH rule is to map the MCAUSER to QM1USER if any connection arrives from the QM1 Qmgr.
Similarly in BlockIP2:
SSL=CN=ibmwebspheremqQM1;MCA=QM1USER;
Is the above CHLAUTH analogous to the BlockIP2 property...?? |
No. The CHLAUTH rule is using the queue manager name passed down the channel, the BlockIP2 rule is using the value of the CN attribute passed down the channel, and that doesn't have to be the name of the queue manager.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
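
Added example (not part of any post above, and not BlockIP2 or IBM MQ code): a small model of the distinction drawn in the last reply, where a QMGRMAP-style rule keys on the queue manager name sent by the partner and an SSL=-style rule keys on the CN of the certificate DN. The rule parsing, the exact-match semantics, the simplified DN splitting and the sample connections are assumptions constructed for illustration.

```python
# Illustrative model only: not BlockIP2 source and not IBM MQ code.
# Rule parsing and exact-match semantics are assumptions for this sketch.

def parse_dn(dn):
    """Split a DN such as 'CN=x,O=y' into {'CN': 'x', 'O': 'y'} (no escaping handled)."""
    attrs = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            attrs[key.upper()] = value
    return attrs

def parse_ssl_rule(line):
    """Parse the thread's 'SSL=CN=...;MCA=...;' line into (cn, mcauser)."""
    body = line.split("=", 1)[1]                      # drop the leading 'SSL='
    fields = dict(f.split("=", 1) for f in body.split(";") if f)
    return fields["CN"], fields["MCA"]

def map_by_qmname(conn, qmname, mcauser):
    """QMGRMAP-style: key on the queue manager name the partner sends."""
    return mcauser if conn["remote_qmgr"] == qmname else None

def map_by_cert_cn(conn, rule_line):
    """SSL=-style: key on the CN of the DN presented on the TLS channel."""
    cn, mcauser = parse_ssl_rule(rule_line)
    return mcauser if parse_dn(conn.get("peer_dn", "")).get("CN") == cn else None

SSL_RULE = "SSL=CN=ibmwebspheremqQM1;MCA=QM1USER;"    # rule line quoted in the thread

# Constructed sample connections (hypothetical values).
CONNECTIONS = [
    {"remote_qmgr": "QM1", "peer_dn": "CN=ibmwebspheremqQM1,O=Example"},  # both agree
    {"remote_qmgr": "QM9", "peer_dn": "CN=ibmwebspheremqQM1,O=Example"},  # CN matches, name differs
    {"remote_qmgr": "QM1", "peer_dn": "CN=gateway01,O=Example"},          # name matches, CN differs
    {"remote_qmgr": "QM1", "peer_dn": ""},                                # no certificate DN
]

def compare():
    """Return (QMGRMAP-style result, SSL=-style result) for each sample connection."""
    return [(map_by_qmname(c, "QM1", "QM1USER"), map_by_cert_cn(c, SSL_RULE))
            for c in CONNECTIONS]

if __name__ == "__main__":
    for conn, result in zip(CONNECTIONS, compare()):
        print(conn, "->", result)
```

The two columns diverge whenever the certificate CN and the queue manager name are not kept in step, which is why the two rules cannot be treated as equivalent.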