ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » IBM MQ API Support » Setting Channel security

Post new topic  Reply to topic
 Setting Channel security « View previous topic :: View next topic » 
Author Message
yasaboy
PostPosted: Thu Sep 18, 2014 11:17 pm    Post subject: Setting Channel security Reply with quote

Voyager

Joined: 23 Jun 2014
Posts: 90

Hi,

I am trying to add the channel security feature to my application. I have done the following upto now.

1) Check the QManager attributes and set CHLAUTH(DISABLED)

My system works fine
Code:
(./MQPUT_TOOL TEST.OUTQUEUE1 Q.MAN.TEST 172.25.xx.xx 22507 TEST.CHANNEL)


2) Enabled the CHLAUTH

Code:
ALTER QMGR CHLAUTH(ENABLED)


Now the same ./MQPUT_TOOL system gives MQCONNX ended with reason code 2035 (Authentication error )

3) Then I get that I need do SET CHLAUTH for the specific user that the app is running on. So I tried all of these below but nothing works

my runtime user ID
Code:
> id
> uid=558(dev51) gid=500(oinstall) groups=500(oinstall),555(mqm)


So I tried to do as

Code:
runmqsc  Q.MAN.TEST


Code:
SET CHLAUTH('TEST.CHANNEL') TYPE(USERMAP) CLNTUSER('dev51') ADDRESS(172.25.xx.xx) USERSRC(CHANNEL)

SET CHLAUTH('TEST.CHANNEL') TYPE(USERMAP) CLNTUSER(558) ADDRESS(172.25.83.80) USERSRC(CHANNEL)

SET CHLAUTH('TEST.CHANNEL') TYPE(ADDRESSMAP) ADDRESS('172.25.xx.xx') MCAUSER('mqm')



What am I missing ? Isn't my CLNTUSER parameter correct ?
Back to top
View user's profile Send private message
mqjeff
PostPosted: Fri Sep 19, 2014 4:58 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

So your last rule maps any user coming in over a specific IP address to the mqm user.

The mqm user is blocked by the default BLOCKUSER rule.

If you want to prevent the mqm user, or any other member of the *MQADMIN set, then you need to create an additional MORE SPECIFIC blockuser rule that blocks a user that doesn't exist - perhaps the notyetfamous user "TROBWUZHERE"
Back to top
View user's profile Send private message
yasaboy
PostPosted: Fri Sep 19, 2014 5:21 am    Post subject: Reply with quote

Voyager

Joined: 23 Jun 2014
Posts: 90

@jeff

My CHLAUTH(*) command shows this outputs


Code:
display chlauth(*)
    15 : display chlauth(*)

AMQ8878: Display channel authentication record details.
   CHLAUTH(TEST.CHANNEL)                    TYPE(USERMAP)
   ADDRESS(172.xx.xx.xx)                   CLNTUSER(dev51)
   MCAUSER(mqm)                 
       
AMQ8878: Display channel authentication record details.
   CHLAUTH(SYSTEM.ADMIN.SVRCONN)           TYPE(ADDRESSMAP)
   ADDRESS(*)                              USERSRC(CHANNEL)

AMQ8878: Display channel authentication record details.
   CHLAUTH(SYSTEM.*)                       TYPE(ADDRESSMAP)
   ADDRESS(*)                              USERSRC(NOACCESS)

AMQ8878: Display channel authentication record details.
   CHLAUTH(*)                              TYPE(ADDRESSMAP)
   ADDRESS(*)                              USERSRC(NOACCESS)

AMQ8878: Display channel authentication record details.
   CHLAUTH(*)                              TYPE(BLOCKUSER)
   USERLIST(*MQADMIN)



Are you referring to the last one of them.
What I simply trying to do is to use amqsput using dev51 via TEST.CHANNEL.

Do you mean like over riding the last command from CHLAUTH(*) to some specific user so that all the others will not be blocked ?
Back to top
View user's profile Send private message
mqjeff
PostPosted: Fri Sep 19, 2014 5:44 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

What I mean is creating a CHLAUTH rule of type BLOCKUSER that will match your channel and NOT block *MQADMIN.

And, sorry, I meant to say "If you *do not want to prevent* the mqm user, or any other member of the *MQADMIN set, from connecting then"
Back to top
View user's profile Send private message
yasaboy
PostPosted: Fri Sep 19, 2014 6:01 am    Post subject: Reply with quote

Voyager

Joined: 23 Jun 2014
Posts: 90

Added the command below as you suggested

Code:
SET CHLAUTH('TEST.CHANNEL') TYPE(BLOCKUSER) USERLIST(*MQADMIN) ACTION(ADD)


Now it shows like this

Code:
AMQ8878: Display channel authentication record details.
   CHLAUTH(TEST.CHANNEL)                    TYPE(BLOCKUSER)
   USERLIST(*MQADMIN)     


But it still gives the error

Code:
MQCONNX ended with reason code 2035
for the user dev51.
Back to top
View user's profile Send private message
mqjeff
PostPosted: Fri Sep 19, 2014 6:03 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

yasaboy wrote:
Added the command below as you suggested

Code:
SET CHLAUTH('TEST.CHANNEL') TYPE(BLOCKUSER) USERLIST(*MQADMIN) ACTION(ADD)


Yes.

That *blocks* everyone in *MQADMIN.

You want to block *only* someone else.
Back to top
View user's profile Send private message
hughson
PostPosted: Fri Sep 19, 2014 6:10 am    Post subject: Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

Try reading this:-
https://www.ibm.com/developerworks/community/blogs/aimsupport/entry/chlauth_allow_some_privileged_admins

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
yasaboy
PostPosted: Fri Sep 19, 2014 6:14 am    Post subject: Reply with quote

Voyager

Joined: 23 Jun 2014
Posts: 90

Thank you very much @mqjeff it worked for now even if I didn't understood the concept fully.

@hughson :: will do. Thank you very much for helping me out here !!!
Back to top
View user's profile Send private message
yasaboy
PostPosted: Wed Oct 01, 2014 3:05 am    Post subject: Reply with quote

Voyager

Joined: 23 Jun 2014
Posts: 90

hughson wrote:
Try reading this:-
https://www.ibm.com/developerworks/community/blogs/aimsupport/entry/chlauth_allow_some_privileged_admins

Cheers
Morag



Hi,

Is there any other advanced method which involve a keystore or C/C++ code level implementation to implement the Channel Security.

I understand that we need a keystore to implement the AMS in IBMMQ. But can we use that concept in implementing Channel security
Back to top
View user's profile Send private message
hughson
PostPosted: Wed Oct 01, 2014 7:36 am    Post subject: Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

yasaboy wrote:
Is there any other advanced method which involve a keystore or C/C++ code level implementation to implement the Channel Security.

I understand that we need a keystore to implement the AMS in IBMMQ. But can we use that concept in implementing Channel security
You can use SSL/TLS on channels yes. This seems too obvious an answer though. Is that really what you are asking? Perhaps I have misinterpreted your question?

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
JosephGramig
PostPosted: Wed Oct 01, 2014 9:22 am    Post subject: Reply with quote

Grand Master

Joined: 09 Feb 2006
Posts: 1230
Location: Gold Coast of Florida, USA

If you use SSL/TLS in conjunction with CHLAUTH rules, you could map inbound connections with certain DN values to certain users.

For instance, I have an AD ID that is nothing like my UNIX ID that is nothing like my z/OS ID. For each Qmgr, I map my connection by my certificate contents to the ID I need at each machine (channel by channel).
Back to top
View user's profile Send private message AIM Address
yasaboy
PostPosted: Wed Oct 01, 2014 8:10 pm    Post subject: Reply with quote

Voyager

Joined: 23 Jun 2014
Posts: 90

hughson wrote:
You can use SSL/TLS on channels yes. This seems too obvious an answer though. Is that really what you are asking? Perhaps I have misinterpreted your question?

Cheers
Morag


No i want to implement the SSL/TLS on channels together with CHLAUTH rules. I have done the CHLAUTH part now and researching on how to enable SSL/TLS. Any reference of a good start point

Thanks in advance
Back to top
View user's profile Send private message
mqjeff
PostPosted: Thu Oct 02, 2014 6:10 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

yasaboy wrote:
hughson wrote:
You can use SSL/TLS on channels yes. This seems too obvious an answer though. Is that really what you are asking? Perhaps I have misinterpreted your question?

Cheers
Morag


No i want to implement the SSL/TLS on channels together with CHLAUTH rules. I have done the CHLAUTH part now and researching on how to enable SSL/TLS. Any reference of a good start point

Thanks in advance


There's nothing different about using SSL with CHLAUTH than using SSL without CHLAUTH.

They are two entirely separate things - except that CHLAUTH gives you the ability to map/block based on SSL criteria.

The Info/Knowledge center has several very detailed sections on implementing SSL.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » IBM MQ API Support » Setting Channel security
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.