vishnurajnr
Posted: Thu Jun 26, 2014 9:41 pm Post subject: channel authentication rule to allow user from particular IP
Centurion, Joined: 08 Aug 2011, Posts: 134, Location: Trivandrum
Hi,
I would like to put a channel authentication rule in place such that it will allow one of my SVRCONN channels to be accessed by a particular user from a particular IP address, and block all other connections.
This is what I have set:
Code:
* block all IPs
SET CHLAUTH(DEVUSR.TXNCHL) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) WARN(NO) ACTION(ADD)
* block all users
SET CHLAUTH(DEVUSR.TXNCHL) TYPE(BLOCKUSER) USERLIST('*NOACCESS')
* allow user devuser from IP xx.xx.xx.xxx
SET CHLAUTH('DEVUSR.TXNCHL') TYPE(USERMAP) ADDRESS('xx.xx.xx.xxx') CLNTUSER('devuser') USERSRC(CHANNEL) ACTION(ADD)
This is enabling the user 'devuser' to access the channel, but at the same time it is allowing 'devuser' to access the channel from any IP address.
I want to block 'devuser' from accessing the channel from all IPs other than the one I have given in the chlauth rule.
Any help is highly appreciated. Thanks!
MQ version: 7.5.0.3
OS: AIX
Note: I have removed the default chlauth rules, FYI.
fjb_saper
Posted: Thu Jun 26, 2014 11:58 pm Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
You need to change your rule to say
Code:
SET CHLAUTH('DEVUSR.TXNCHL') TYPE(USERMAP) CLNTUSER('devuser') USERSRC(CHANNEL) ADDRESS('xx.xx.xx.xx') DESCR('allow user at xx.xx.xx.xx') ACTION(ADD)
Use MQ Explorer to model your rule, then copy the generated code and apply it across the environment as needed...
Make sure that you don't have an address map rule for address xx.xx.xx.xx, as that would allow any user from that address access...
Of course you created the backstop rule for that channel with ADDRESS('*') USERSRC(NOACCESS):
Code:
SET CHLAUTH('DEVUSR.TXNCHL') TYPE(USERMAP) CLNTUSER('devuser') USERSRC(NOACCESS) ADDRESS('*') WARN(NO) ACTION(ADD)
That will prevent the user from having access from any other IP.
You can also make this interdiction more generic by preventing any user from any IP from accessing this channel as a backstop rule... an ADDRESSMAP type rule...
Find Morag's post on developerWorks about using runmqsc DISPLAY CHLAUTH MATCH(RUNCHECK) to find out which rule would be applied under which conditions...
Your BLOCKUSER rule USERLIST('*NOACCESS') does not do what you think it does...
MQ & Broker admin
vishnurajnr
Posted: Fri Jun 27, 2014 2:18 am Post subject:
Centurion, Joined: 08 Aug 2011, Posts: 134, Location: Trivandrum
Thanks a lot fjb_saper...!!!
When I tried to find the chlauth rules that are applied using DISPLAY CHLAUTH MATCH(RUNCHECK), I found that chlauth was disabled at the queue manager level.
I have enabled it and my rule was working as expected then...!!!
But I am wondering, when chlauth was disabled at the queue manager level, how was devuser able to access the channel? Were my rules executing or not?
exerk
Posted: Fri Jun 27, 2014 2:48 am Post subject:
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
vishnurajnr wrote:
But I am wondering when the chlauth was disabled at queue manager level...My rules were executing or not?
Maybe you'd like to rethink the logic of that question.
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
bruce2359
Posted: Fri Jun 27, 2014 5:35 am Post subject:
Poobah, Joined: 05 Jan 2008, Posts: 9469, Location: US: west coast, almost. Otherwise, enroute.
vishnurajnr wrote:
But I am wondering when the chlauth was disabled at queue manager level, how the devuser was able to access the channel? My rules were executing or not?
When you researched the CHLAUTH qmgr attribute, what did it say about DISABLED?
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
vishnurajnr
Posted: Fri Jun 27, 2014 5:48 am Post subject:
Centurion, Joined: 08 Aug 2011, Posts: 134, Location: Trivandrum
exerk wrote:
Maybe you'd like to rethink the logic of that question
I have figured out the issue.
While the queue manager's chlauth was disabled, there was user-level MQ authorization already set using the setmqaut commands.
So when I was checking, user-level access to the channel was possible since it was set by setmqaut and was actually not controlled by the chlauth rules.
That's why I was able to connect regardless of the IP address.
And once chlauth was ENABLED at the queue manager level, I was able to see the IP address level restriction in place...
Thanks all for your help.. have a nice weekend..
exerk
Posted: Fri Jun 27, 2014 8:34 am Post subject:
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
vishnurajnr wrote:
While the Queue manager chlauth was disabled, there was the user level mq authentication already set using the setmqaut commands...
And with CHLAUTH enabled there will still be user-level checking in place. CHLAUTH does not override, or replace, authority checking; it merely adds another layer of security above it.
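The rule set fjb_saper describes (an ADDRESSMAP backstop that refuses everyone, a USERMAP rule that refuses devuser from ADDRESS('*'), and the USERMAP rule that allows devuser from the one address), together with the DISPLAY CHLAUTH MATCH(RUNCHECK) test and the two points raised later in the thread (CHLAUTH must be ENABLED on the queue manager, and setmqaut authority still applies on top of CHLAUTH), as a single added example script. This is not code from the thread, from the posters or from IBM. The queue manager name QM1, the client address 10.0.0.25 and the test addresses and user ids used in the RUNCHECK queries are assumptions; the channel DEVUSR.TXNCHL and the user devuser are taken from the original post. The script pipes the MQSC into runmqsc when that command is on the PATH and otherwise just prints what it would send.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM): lock one SVRCONN channel
# down to one client user id at one IP address with CHLAUTH, then ask MQ
# which rule would apply to a few connection attempts.
# Assumed names: queue manager QM1, client address 10.0.0.25. The channel
# DEVUSR.TXNCHL and user devuser come from the original post.

MQ_QMGR="${MQ_QMGR:-QM1}"
MQ_CHANNEL="${MQ_CHANNEL:-DEVUSR.TXNCHL}"
MQ_CLIENT_USER="${MQ_CLIENT_USER:-devuser}"
MQ_CLIENT_ADDR="${MQ_CLIENT_ADDR:-10.0.0.25}"

# MQSC that defines the rule set. CHLAUTH applies the most specific matching
# rule, so the order of the SET commands does not matter; ACTION(REPLACE)
# makes the script safe to re-run. Lines starting with '*' are MQSC comments.
chlauth_rules() {
    cat <<EOF
* No CHLAUTH rule is evaluated while the queue manager has CHLAUTH(DISABLED)
ALTER QMGR CHLAUTH(ENABLED)
* Backstop: any user id from any address is refused on this channel
SET CHLAUTH('$MQ_CHANNEL') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) WARN(NO) DESCR('backstop: refuse everyone') ACTION(REPLACE)
* $MQ_CLIENT_USER from any address other than the permitted one is refused
SET CHLAUTH('$MQ_CHANNEL') TYPE(USERMAP) CLNTUSER('$MQ_CLIENT_USER') ADDRESS('*') USERSRC(NOACCESS) WARN(NO) DESCR('refuse $MQ_CLIENT_USER elsewhere') ACTION(REPLACE)
* The one permitted combination; the channel runs under the asserted user id
SET CHLAUTH('$MQ_CHANNEL') TYPE(USERMAP) CLNTUSER('$MQ_CLIENT_USER') ADDRESS('$MQ_CLIENT_ADDR') USERSRC(CHANNEL) DESCR('allow $MQ_CLIENT_USER at $MQ_CLIENT_ADDR') ACTION(REPLACE)
EOF
}

# RUNCHECK needs a specific channel name, a specific IP address and a client
# user id; MQ answers with the rule it would apply. 192.0.2.99 and
# 'otheruser' are constructed values for the negative cases.
runcheck_queries() {
    cat <<EOF
* Expected: the USERMAP allow rule, USERSRC(CHANNEL)
DISPLAY CHLAUTH('$MQ_CHANNEL') MATCH(RUNCHECK) CLNTUSER('$MQ_CLIENT_USER') ADDRESS('$MQ_CLIENT_ADDR')
* Expected: the USERMAP ADDRESS('*') rule for this user, USERSRC(NOACCESS)
DISPLAY CHLAUTH('$MQ_CHANNEL') MATCH(RUNCHECK) CLNTUSER('$MQ_CLIENT_USER') ADDRESS('192.0.2.99')
* Expected: the ADDRESSMAP backstop, USERSRC(NOACCESS)
DISPLAY CHLAUTH('$MQ_CHANNEL') MATCH(RUNCHECK) CLNTUSER('otheruser') ADDRESS('$MQ_CLIENT_ADDR')
EOF
}

# CHLAUTH only decides whether the connection is accepted and which user id
# the channel runs under; the object authority manager still decides what
# that user id may do. Grant only what the client needs.
grant_connect() {
    setmqaut -m "$MQ_QMGR" -t qmgr -p "$MQ_CLIENT_USER" +connect +inq
}

# Send generated MQSC to runmqsc, or just show it if MQ is not installed here.
run_mqsc() {
    if command -v runmqsc >/dev/null 2>&1; then
        runmqsc "$MQ_QMGR"
    else
        echo "# runmqsc not on PATH; MQSC that would be sent to $MQ_QMGR:" >&2
        cat
    fi
}

main() {
    chlauth_rules | run_mqsc
    runcheck_queries | run_mqsc
    if command -v setmqaut >/dev/null 2>&1; then
        grant_connect
    fi
    return 0
}

main
```

Two caveats worth keeping in mind with this layout. USERSRC(CHANNEL) trusts the user id the client asserts; MQ 7.5 has no connection authentication (CONNAUTH arrived in 8.0), so without TLS and a certificate-based rule, or a security exit, anyone who can reach the listener from 10.0.0.25 can claim to be devuser. And on UNIX systems at 7.5, setmqaut -p grants the authority to the user's primary group rather than to the user alone, so check what dspmqaut reports for the other members of that group.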