MQSeries.net Forum Index » IBM MQ Security » Backstop-rule and exception no working

Post new topic  Reply to topic Goto page 1, 2, 3  Next
 Backstop-rule and exception no working « View previous topic :: View next topic » 
Author Message
ivanachukapawn
Posted: Tue Mar 10, 2015 9:39 am    Post subject: Backstop-rule and exception no working

Knight

Joined: 27 Oct 2003
Posts: 561

After putting in the Backstop_rule, I created a CHLAUTH record (positive exception to the Backstop-Rule) for

Profile: CLNTCHAN.SVRCONN.1
Channel Auth Type: User map
Client User ID: ivanachukapawn
User Source: map
MCA UserID: ivanachukapawn

This positive exception rule did not work.

To get it to work, I created another CHLAUTH record and kept the User Map record.

Profile: CLNTCHAN.SVRCONN.1
Channel Auth Type: Address Map
Address: 185.13.*.*
User Source: Map
MCA UserID: ivanachukapawn

I don't understand why it works with the two positive rules but doesn't work with just the User Map rule. Isn't a User Map rule sufficient to override the BackStop-Rule?
fjb_saper
Posted: Tue Mar 10, 2015 11:44 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20697
Location: LI,NY

The usermap rule should be sufficient, but you neglected to specify the IP in the usermap, which means the backstop rule wins...
_________________
MQ & Broker admin
ivanachukapawn
Posted: Tue Mar 10, 2015 11:52 am

FJB,

I don't understand why the BackStop-Rule wins when the subnet address is not supplied in the User Map record.

Morag's example of positive Backstop_rule exceptions shows a User Map record with no address supplied.

Quote:
SET CHLAUTH('*.SVRCONN') TYPE(USERMAP) CLNTUSER('mhughson') MCAUSER('hughson@hursley')
fjb_saper
Posted: Tue Mar 10, 2015 12:03 pm

ivanachukapawn wrote:
FJB,

I don't understand why the BackStop-Rule wins when the subnet address is not supplied in the User Map record.

Morag's example of positive Backstop_rule exceptions shows a User Map record with no address supplied.

Quote:
SET CHLAUTH('*.SVRCONN') TYPE(USERMAP) CLNTUSER('mhughson') MCAUSER('hughson@hursley')


It depends on what the backstop rule relies on.
Say you have a backstop rule relying on ip * => all ips are blocked.
So you have a more specific usermap rule with no ip information.
Backstop rule still in effect!
If you add ip information to your usermap then the backstop rule is overlaid by the more specific usermap rule.

What did the dis chlauth match runcheck say?

Have fun
ivanachukapawn
Posted: Tue Mar 10, 2015 12:08 pm

FJB -

In Morag's article, she shows the backstop rule =

Quote:
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule')


then she shows the positive exception to this backstop rule =

Quote:
SET CHLAUTH('*.SVRCONN') TYPE(USERMAP) CLNTUSER('mhughson') MCAUSER('hughson@hursley')


Is Morag's documentation incorrect?
fjb_saper
Posted: Tue Mar 10, 2015 12:16 pm

No, you're just missing the line before that where she opened the ip?
Code:
SET CHLAUTH('APPL1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('9.20.1-3.*') USERSRC(CHANNEL)

Did you check with dis chlauth(mychannel) type(all) match (runcheck).... ?
What rule did it say was blocking you?

Strange. Did a test with usermap only (no ip specified) and it behaved like all ips allowed... Which version and fixpack are you using for your test?
ivanachukapawn
Posted: Tue Mar 10, 2015 12:31 pm

Larger quote from Morag =

Quote:
Now that we have closed the door on all remote connections we can start to put more specific rules in place to allow certain connections in. Here are some examples:

SET CHLAUTH('APPL1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('9.20.1-3.*') USERSRC(CHANNEL)
SET CHLAUTH('SYSTEM.ADMIN.*') TYPE(SSLPEERMAP) SSLPEER('O=IBM') USERSRC(CHANNEL)
SET CHLAUTH('TO.QM2') TYPE(QMGRMAP) QMNAME('QM1') USERSRC(MAP) MCAUSER('QM1USER')
SET CHLAUTH('*.SVRCONN') TYPE(USERMAP) CLNTUSER('mhughson') MCAUSER('hughson@hursley')
SET CHLAUTH('*') TYPE(SSLPEERMAP) SSLPEER('CN="Morag Hughson"') ADDRESS('9.*') MCAUSER('hughson')


Based on your reply, I guess we should interpret Morag's example as a "set" of exceptions which could be configured and not just a list of exceptions. If that is what Morag means, then, based on your earlier reply, apparently I could get this to work by specifying a User Map record which includes a subnet nnn.nn.*.* in the address field (I'll assume that I finally understand this). However, I have more questions about this subject:
Although I have a strong address * backstop rule, I have User Map records which authorize admins - these work without specifying a positive exception to address *, i.e.
Channel Profile: SVRCONN.ADMIN
Channel Type: User Map
Client User ID: ivanachukapawn
User Source: Map
MCA UserID: mqm

See? No positive exception for address *

Perhaps this User Map exception works because it maps the client User to 'mqm' ?
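To make the precedence question in this thread concrete, here is an added toy model (not IBM code and not posted by anyone in the thread) of how a queue manager picks one CHLAUTH rule for an inbound connection. It assumes the documented ordering (most specific channel name first, then identity mappings before ADDRESSMAP, with ADDRESS-qualified mappings ahead of unqualified ones), leaves out SSLPEERMAP and the BLOCK* rule types, and the function names and connection dict fields are my own.

```python
# Toy model of IBM MQ CHLAUTH rule selection (added example, not IBM code).
# Assumed precedence: most specific channel name, then identity maps with
# ADDRESS before those without, ADDRESSMAP last, then most specific address.
# SSLPEERMAP, BLOCKUSER and BLOCKADDR are left out for brevity.
from fnmatch import fnmatchcase

TYPE_RANK = {"USERMAP": 1, "QMGRMAP": 2}   # rank 0 would be SSLPEERMAP

def ip_matches(pattern, ip):
    parts = pattern.split(".")
    while parts and parts[-1] == "*":       # a trailing '*' covers the rest
        parts.pop()
    for p, octet in zip(parts, ip.split(".")):
        if p == "*":
            continue
        lo, _, hi = p.partition("-")        # 'a-b' is an inclusive range
        if not int(lo) <= int(octet) <= int(hi or lo):
            return False
    return True

def rule_matches(rule, conn):
    if not fnmatchcase(conn["chl"], rule["chl"]):
        return False
    if "address" in rule and not ip_matches(rule["address"], conn["ip"]):
        return False
    if rule["type"] == "USERMAP":
        return rule["clntuser"] == conn.get("clntuser")
    if rule["type"] == "QMGRMAP":
        return fnmatchcase(conn.get("qmname", ""), rule["qmname"])
    return rule["type"] == "ADDRESSMAP"     # address already checked above

def precedence(rule):
    """Sort key: the lowest tuple is the rule MQ applies (assumed order)."""
    chl_spec = len(rule["chl"].replace("*", ""))
    if rule["type"] == "ADDRESSMAP":
        type_rank = 6
    else:
        type_rank = TYPE_RANK[rule["type"]] + (0 if "address" in rule else 3)
    addr_spec = sum(p != "*" for p in rule.get("address", "*").split("."))
    return (-chl_spec, type_rank, -addr_spec)

def select_rule(rules, conn):
    hits = [r for r in rules if rule_matches(r, conn)]
    return min(hits, key=precedence) if hits else None
# The back-stop plus two of Morag's exceptions, as quoted in the thread.
RULES = [
    {"chl": "*", "type": "ADDRESSMAP", "address": "*", "usersrc": "NOACCESS"},
    {"chl": "APPL1.SVRCONN", "type": "ADDRESSMAP", "address": "9.20.1-3.*", "usersrc": "CHANNEL"},
    {"chl": "*.SVRCONN", "type": "USERMAP", "clntuser": "mhughson", "usersrc": "MAP", "mcauser": "hughson@hursley"},
]
```

For a connection on APPL1.SVRCONN from an address outside 9.20.1-3.* with client user mhughson, the model picks the USERMAP exception over the '*' back-stop even though the USERMAP carries no ADDRESS, which is what DISPLAY CHLAUTH with MATCH(RUNCHECK) should confirm on a real queue manager.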
fjb_saper
Posted: Tue Mar 10, 2015 12:33 pm

No I think your problem is that your username is longer than 12 chars...
ivanachukapawn
Posted: Tue Mar 10, 2015 12:37 pm

No, that's not it. This positive exception User Map rule works despite the strong address * backstop-rule - and without an address specification. I supplied the bogus "ivanachukapawn" as userID to protect the identity of the not-so-innocent. IDs for these environments are all < 12 characters.
fjb_saper
Posted: Tue Mar 10, 2015 12:40 pm

So now that you got it working without the host exemption, what was the problem before? Privileged userid maybe?
ivanachukapawn
Posted: Tue Mar 10, 2015 12:40 pm

Weak hypothesis at this point is that somehow the specification of 'mqm' for MCA UserID on the User Map record overrode the need for a specific positive address specification.
fjb_saper
Posted: Tue Mar 10, 2015 12:41 pm

ivanachukapawn wrote:
Weak hypothesis at this point is that somehow the specification of 'mqm' for MCA UserID on the User Map record overrode the need for a specific positive address specification.


Should be wrong. I had it working with guest...
ivanachukapawn
Posted: Tue Mar 10, 2015 12:47 pm

Actually no other problem, other than understanding how channel auth works with the backstop-rule. What's so confusing is that one of the records doesn't work because of no specification of a host exception, and the other record (which maps to 'mqm') does work without a host exception. So now that both records can work, the only remaining problem is to find out why.
fjb_saper
Posted: Tue Mar 10, 2015 12:58 pm

ivanachukapawn wrote:
Actually no other problem, other than understanding how channel auth works with the backstop-rule. What's so confusing is that one of the records doesn't work because of no specification of a host exception, and the other record (which maps to 'mqm') does work without a host exception. So now that both records can work, the only remaining problem is to find out why.


https://www.ibm.com/developerworks/mydeveloperworks/blogs/aimsupport/entry/blocked_by_chlauth_why?lang=en
ivanachukapawn
Posted: Tue Mar 10, 2015 1:07 pm

FJB,

I don't see how a post re:
Quote:
I'm being blocked by CHLAUTH - how can I work out why?
is relevant to a question about 2 CHLAUTH records which do work and are not blocked. That's the problem. We said that one User Map record didn't work because there was no positive IP exception to the backstop-rule (address *, no access) - so I fixed that by putting an IP subnet in the address field of the User Map record. The rule now works. Then I have this other User Map record (mapping to 'mqm') which does work even though there is no positive IP exception to the backstop-rule.

Just for the record, the User IDs are < 12 characters in length, and I am running MQ 7.5.0.4