ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexIBM MQ SecurityCHLAUTH to check IP address AND the client user

Post new topicReply to topic
CHLAUTH to check IP address AND the client user View previous topic :: View next topic
Author Message
PeterPotkay
PostPosted: Sat Nov 01, 2014 5:33 pm Post subject: CHLAUTH to check IP address AND the client user Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7557

I wanted to create a CHLAUTH rule that only allows a connection if it comes from a specific IP address and by a specific user, but there is no way to get both of those conditions in one CHLAUTH command.

I have to do this:
Code:

SET CHLAUTH('MYCHANNEL') TYPE(ADDRESSMAP) ADDRESS('111.222.33.44') USERSRC(MAP) MCAUSER('cooldude') ACTION(REPLACE)
SET CHLAUTH('MYCHANNEL') TYPE(USERMAP) CLNTUSER('peter') USERSRC(MAP) MCAUSER('cooldude') ACTION(REPLACE)


But then it allows the connection and maps to cool dude if the connection come from that client user OR from that IP.

Is there anyway to make it happen so it has to be that client user AND that source IP?
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
smdavies99
PostPosted: Sat Nov 01, 2014 10:47 pm Post subject: Reply with quote

Jedi Council

Joined: 10 Feb 2003
Posts: 6077
Location: Somewhere over the Rainbow this side of Never-never land.

I know that Morag will probably disagree with this but it might be worth exploring

1) Create a rule on the Listener to filter the IP address
2) Create the rule on the Channel to filter the User.

If what you need is not possible without using the listener then I guess that it will be time for (yet) another RFE.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Sat Nov 01, 2014 11:54 pm Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20107
Location: LI,NY

To set the rule for the channel with ip and user
  • first set a backstop blocking all IP's.
    Careful if you make the backstop too generic (*) it may also affect other channels that will have to be authorized (receiver, cluster receiver)...
  • create a specific rule (channel) to allow the user and specify the IP (wizard)

Code:
SET CHLAUTH('PETER') TYPE(USERMAP) CLNTUSER('peter') USERSRC(MAP) MCAUSER('mcauser_ Peter') ADDRESS('127.0.0.1') DESCR('See for peter on local host') ACTION(ADD)


Note with V8 you may have to create the same rule replacing the address IP with the host name, depending on your settings.

Have fun
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
PeterPotkay
PostPosted: Sun Nov 02, 2014 5:42 am Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7557

Thanks FJ!

I was trying to added a CLNTUSER to an ADDRESSMAP rule and it wouldn't take it. It was late last night and didn't think to try what you suggested: Add the IP Address into a USERMAP rule.

I think this should work even without the backstop rule.

First I defined MYCHANNEL and placed an invalid ID in the MCAUSER called BOGUS_ID_991

Then I run the CHLAUTH command like this:
Code:

SET CHLAUTH('MYCHANNEL') TYPE(USERMAP) CLNTUSER('peter') USERSRC(MAP) MCAUSER('cooldude') ADDRESS('111.222.33.44') ACTION(REPLACE)
     1 : SET CHLAUTH('MYCHANNEL') TYPE(USERMAP) CLNTUSER('peter') USERSRC(MAP) MCAUSER('cooldude') ADDRESS('111.222.33.44') ACTION(REPLACE)
AMQ8877: WebSphere MQ channel authentication record set.


Let's test.

What happens when neither the IP or client is correct?
Code:

DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('10.222.33.44') CLNTUSER('frankie')
     3 : DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('10.222.33.44') CLNTUSER('frankie')
AMQ9783: Channel will run using MCAUSER('BOGUS_ID_991').

Blocked - correct.

What happens when the IP address is correct but the client ID is wrong?
Code:

DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('111.222.33.44') CLNTUSER('frankie')
     2 : DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('111.222.33.44') CLNTUSER('frankie')
AMQ9783: Channel will run using MCAUSER('BOGUS_ID_991').

Blocked - correct.

What happens when the client ID is correct but the IP address is wrong?
Code:

DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('10.222.33.44') CLNTUSER('peter')
     5 : DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('10.222.33.44') CLNTUSER('peter')
AMQ9783: Channel will run using MCAUSER('BOGUS_ID_991').

Blocked - correct.

What happens when its the correct ID coming from the correct IP?
Code:

DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('111.222.33.44') CLNTUSER('peter')
     6 : DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('111.222.33.44') CLNTUSER('peter')
AMQ8878: Display channel authentication record details.
   CHLAUTH(MYCHANNEL)                      TYPE(USERMAP)
   ADDRESS(111.222.33.44)                  CLNTUSER(peter)
   MCAUSER(cooldude)


Success!

I don't have the back stop rule on this QM because every incoming channel either has a invalid ID inn the MCAUSER (like this test channel), and /or the Capitalware MQAUSX Security Exit is running in Authentication mode on the channel.


I think this will do it - the channel will only run if it comes from the correct IP address AND the correct client user.

Many thanks FJ! This particular client can't / won't use SSL or MQAUSX, so CHLAUTHing them against both IP and ID was desirable.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Sun Nov 02, 2014 9:13 pm Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20107
Location: LI,NY

Glad it works for you.
Putting an invalid mcauser on the channel is like backstopping...

I used the IP backstop because I allowed the user on the channel without specifying an mcauser. Has to be populated because of non privileged rule.

But the risk if you don't ip backstop is anybody with authorization on the qmgr and a non privileged ID can use the channel if coming from any IP.

This is moot as you are using an unauthorized mcauser id as default and map all authorized users...

Have fun
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Michael Dag
PostPosted: Sat Nov 15, 2014 11:14 am Post subject: Reply with quote

Jedi Knight

Joined: 13 Jun 2002
Posts: 2602
Location: The Netherlands (Amsterdam)

PeterPotkay wrote:

Many thanks FJ! This particular client can't / won't use SSL or MQAUSX, so CHLAUTHing them against both IP and ID was desirable.

Good reason to get to V8 native authentication will solve that and and will keep your channels safe from unauthenticated users.
_________________
Michael



MQSystems Facebook page
Back to top
View user's profile Send private message Visit poster's website MSN Messenger
hughson
PostPosted: Wed Nov 19, 2014 2:24 am Post subject: Reply with quote

Grand Master

Joined: 09 May 2013
Posts: 1253
Location: Bay of Plenty, New Zealand

PeterPotkay wrote:
What happens when its the correct ID coming from the correct IP?
Code:

DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('111.222.33.44') CLNTUSER('peter')
     6 : DISPLAY CHLAUTH('MYCHANNEL') MATCH(RUNCHECK) ADDRESS('111.222.33.44') CLNTUSER('peter')
AMQ8878: Display channel authentication record details.
   CHLAUTH(MYCHANNEL)                      TYPE(USERMAP)
   ADDRESS(111.222.33.44)                  CLNTUSER(peter)
   MCAUSER(cooldude)


Success!

I think this will do it - the channel will only run if it comes from the correct IP address AND the correct client user.
Yup - this is what we call an address restrictor. You can add ADDRESS to any of TYPE(USERMAP), TYPE(QMGRMAP) and TYPE(SSLPEERMAP). See Restricting the mappings.

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
Anant.v
PostPosted: Tue Sep 26, 2017 11:43 am Post subject: Reply with quote

Apprentice

Joined: 26 Nov 2014
Posts: 40
Location: Malaysia

Hi Peter,

Apologies to open up an old thread,

We are also using MQAUSX sec exit. Is there a way in it to mention that a successful connection will only occur if a specific user tries to connect from a specific IP ?

We are not in a position to utilize CHLAUTH for this particular qmgr
Back to top
View user's profile Send private message
RogerLacroix
PostPosted: Fri Sep 29, 2017 2:37 pm Post subject: Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3133
Location: London, ON Canada

Anant.v wrote:
Hi Peter,

Apologies to open up an old thread,

We are also using MQAUSX sec exit. Is there a way in it to mention that a successful connection will only occur if a specific user tries to connect from a specific IP ?

We are not in a position to utilize CHLAUTH for this particular qmgr

It would be far, far better to send your MQAUSX questions to support@capitalware.com as I'll answer it immediately rather than wait for me or anyone else to answer it here.

The MQAUSX download archive includes all of the manuals and you can find the latest manuals here: http://www.capitalware.com/mqausx_manuals.html

Open the MQAUSX Server-side Installation and Operation manual and go to the section called: "Allow or Restrict the Incoming UserID". In the current version of the manual, it is section 5.15. To allow only certain UserIds, you need to use the following keywords:
Code:
UseAllowUserID=Y
AllowUserID=fred;barney;wilma;betty


Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexIBM MQ SecurityCHLAUTH to check IP address AND the client user
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.