yasaboy
Posted: Thu Sep 18, 2014 11:17 pm Post subject: Setting Channel security
Voyager
Joined: 23 Jun 2014 Posts: 90
Hi,
I am trying to add the channel security feature to my application. I have done the following up to now.
1) Checked the QManager attributes and set CHLAUTH(DISABLED)
My system works fine
Code:
(./MQPUT_TOOL TEST.OUTQUEUE1 Q.MAN.TEST 172.25.xx.xx 22507 TEST.CHANNEL)
2) Enabled the CHLAUTH
Code:
ALTER QMGR CHLAUTH(ENABLED)
Now the same ./MQPUT_TOOL system gives MQCONNX ended with reason code 2035 (Authentication error)
3) Then I get that I need to do SET CHLAUTH for the specific user that the app is running on. So I tried all of these below but nothing works
my runtime user ID
Code:
> id
> uid=558(dev51) gid=500(oinstall) groups=500(oinstall),555(mqm)
So I tried to do as
Code:
SET CHLAUTH('TEST.CHANNEL') TYPE(USERMAP) CLNTUSER('dev51') ADDRESS(172.25.xx.xx) USERSRC(CHANNEL)
SET CHLAUTH('TEST.CHANNEL') TYPE(USERMAP) CLNTUSER(558) ADDRESS(172.25.83.80) USERSRC(CHANNEL)
SET CHLAUTH('TEST.CHANNEL') TYPE(ADDRESSMAP) ADDRESS('172.25.xx.xx') MCAUSER('mqm')
What am I missing? Isn't my CLNTUSER parameter correct?
mqjeff
Posted: Fri Sep 19, 2014 4:58 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
So your last rule maps any user coming in over a specific IP address to the mqm user.
The mqm user is blocked by the default BLOCKUSER rule.
If you want to prevent the mqm user, or any other member of the *MQADMIN set, then you need to create an additional MORE SPECIFIC blockuser rule that blocks a user that doesn't exist - perhaps the notyetfamous user "TROBWUZHERE"
yasaboy
Posted: Fri Sep 19, 2014 5:21 am Post subject:
Voyager
Joined: 23 Jun 2014 Posts: 90
@jeff
My CHLAUTH(*) command shows these outputs
Code:
display chlauth(*)
15 : display chlauth(*)
AMQ8878: Display channel authentication record details.
CHLAUTH(TEST.CHANNEL) TYPE(USERMAP)
ADDRESS(172.xx.xx.xx) CLNTUSER(dev51)
MCAUSER(mqm)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(CHANNEL)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN)
Are you referring to the last one of them?
What I am simply trying to do is to use amqsput using dev51 via TEST.CHANNEL.
Do you mean like overriding the last command from CHLAUTH(*) to some specific user so that all the others will not be blocked?
mqjeff
Posted: Fri Sep 19, 2014 5:44 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
What I mean is creating a CHLAUTH rule of type BLOCKUSER that will match your channel and NOT block *MQADMIN.
And, sorry, I meant to say "If you *do not want to prevent* the mqm user, or any other member of the *MQADMIN set, from connecting then"
yasaboy
Posted: Fri Sep 19, 2014 6:01 am Post subject:
Voyager
Joined: 23 Jun 2014 Posts: 90
Added the command below as you suggested
Code:
SET CHLAUTH('TEST.CHANNEL') TYPE(BLOCKUSER) USERLIST(*MQADMIN) ACTION(ADD)
Now it shows like this
Code:
AMQ8878: Display channel authentication record details.
CHLAUTH(TEST.CHANNEL) TYPE(BLOCKUSER)
USERLIST(*MQADMIN)
But it still gives the error
Code:
MQCONNX ended with reason code 2035
for the user dev51.
mqjeff
Posted: Fri Sep 19, 2014 6:03 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
yasaboy wrote:
Added the command below as you suggested
Code:
SET CHLAUTH('TEST.CHANNEL') TYPE(BLOCKUSER) USERLIST(*MQADMIN) ACTION(ADD)

Yes.
That *blocks* everyone in *MQADMIN.
You want to block *only* someone else.
hughson
Posted: Fri Sep 19, 2014 6:10 am Post subject:
Padawan
Joined: 09 May 2013 Posts: 1948 Location: Bay of Plenty, New Zealand
yasaboy
Posted: Fri Sep 19, 2014 6:14 am Post subject:
Voyager
Joined: 23 Jun 2014 Posts: 90
Thank you very much @mqjeff, it worked for now even if I didn't understand the concept fully.
@hughson :: will do. Thank you very much for helping me out here !!!
yasaboy
Posted: Wed Oct 01, 2014 3:05 am Post subject:
Voyager
Joined: 23 Jun 2014 Posts: 90
Hi,
Is there any other advanced method which involves a keystore or C/C++ code level implementation to implement the Channel Security?
I understand that we need a keystore to implement the AMS in IBMMQ. But can we use that concept in implementing Channel security?
hughson
Posted: Wed Oct 01, 2014 7:36 am Post subject:
Padawan
Joined: 09 May 2013 Posts: 1948 Location: Bay of Plenty, New Zealand
yasaboy wrote:
Is there any other advanced method which involves a keystore or C/C++ code level implementation to implement the Channel Security?
I understand that we need a keystore to implement the AMS in IBMMQ. But can we use that concept in implementing Channel security?

You can use SSL/TLS on channels, yes. This seems too obvious an answer though. Is that really what you are asking? Perhaps I have misinterpreted your question?
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
JosephGramig
Posted: Wed Oct 01, 2014 9:22 am Post subject:
Grand Master
Joined: 09 Feb 2006 Posts: 1237 Location: Gold Coast of Florida, USA
If you use SSL/TLS in conjunction with CHLAUTH rules, you could map inbound connections with certain DN values to certain users.
For instance, I have an AD ID that is nothing like my UNIX ID that is nothing like my z/OS ID. For each Qmgr, I map my connection by my certificate contents to the ID I need at each machine (channel by channel).
yasaboy
Posted: Wed Oct 01, 2014 8:10 pm Post subject:
Voyager
Joined: 23 Jun 2014 Posts: 90
hughson wrote:
You can use SSL/TLS on channels, yes. This seems too obvious an answer though. Is that really what you are asking? Perhaps I have misinterpreted your question?
Cheers
Morag

No, I want to implement the SSL/TLS on channels together with CHLAUTH rules. I have done the CHLAUTH part now and am researching how to enable SSL/TLS. Any reference for a good starting point?
Thanks in advance
mqjeff
Posted: Thu Oct 02, 2014 6:10 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
yasaboy wrote:
hughson wrote:
You can use SSL/TLS on channels, yes. This seems too obvious an answer though. Is that really what you are asking? Perhaps I have misinterpreted your question?
Cheers
Morag

No, I want to implement the SSL/TLS on channels together with CHLAUTH rules. I have done the CHLAUTH part now and am researching how to enable SSL/TLS. Any reference for a good starting point?
Thanks in advance

There's nothing different about using SSL with CHLAUTH than using SSL without CHLAUTH.
They are two entirely separate things - except that CHLAUTH gives you the ability to map/block based on SSL criteria.
The Info/Knowledge center has several very detailed sections on implementing SSL.