  MQSeries.net
Clarification regarding CHLAUTH
dextermbmq
Posted: Wed Dec 09, 2015 1:25 am    Post subject: Clarification regarding CHLAUTH

Voyager

Joined: 26 Jul 2014
Posts: 77

Hello All,

I have recently started working on MQ v7.5 and encountered the concept of CHLAUTH straightaway. I have a small doubt (need elaborate info, actually).

I have understood that by default any queue manager created with MQ v7.1 and above will have CHLAUTH enabled and will have the following 3 rules:

SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST('*MQADMIN')
SET CHLAUTH('SYSTEM.*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Default rule to disable all SYSTEM channels')
SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) DESCR('Default rule to allow MQ Explorer access')


Now, I have created a new SVRCONN channel TEST.SVRCONN and was trying to connect RFHUTIL to the MQ Server:

TEST.SVRCONN/TCP/localhost(1415)


The MCAUSER attribute of the TEST.SVRCONN channel is blank. I am logged in to my Windows machine (RFHUTIL and MQ Server are on the same Windows machine) as user USER1. USER1 is a member of the MQADMIN group on the Windows machine, so the first rule would block the access. I was able to resolve the issue by setting a CHLAUTH rule as:

SET CHLAUTH('TEST.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody')

But the error log in the first case intrigued me:

The inbound channel 'TEST.SVRCONN' was blocked from address '127.0.0.1' because
the active values of the channel were mapped to a userid which should be
blocked. The active values of the channel were 'MCAUSER(USER1)
CLNTUSER(USER1)'.


I understand CLNTUSER as USER1, but what does MCAUSER(USER1) signify here? I mean, the MCAUSER was NULL, so how is it getting populated?
PeterPotkay
Posted: Wed Dec 09, 2015 4:06 am

Poobah

Joined: 15 May 2001
Posts: 7716

If the MCAUSER value is blank on the channel definition, it only means the MQ Administrator has not provided a value for that parameter ahead of time.

Every MQ SVRCONN channel has an MCAUSER value when it's running - it's just a matter of where that value came from for the running channel. Most of the time it's either from the MQ Client (as in your case because there is no other source), or overwritten by the hard-coded value in the channel's MCAUSER parameter (not in your case because you did not provide a value). CHLAUTH mapping rules and/or Security Exits can also interject and cause the channel to run with an MCAUSER value they choose.
_________________
Peter Potkay
Keep Calm and MQ On
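
Added example, not part of the original thread: MQSC that shows which CHLAUTH record the connection from the first post would match, and then uses a mapping rule to make the channel run under a non-administrative MCAUSER instead of overriding the block list with USERLIST('nobody'). The account name mqclient and the queue TEST.QUEUE are assumptions for illustration.

```mqsc
* Added example. TEST.SVRCONN, 127.0.0.1 and USER1 come from the first post;
* 'mqclient' and TEST.QUEUE are assumed names, not taken from the thread.

* Show the record this connection would match at run time.
DISPLAY CHLAUTH('TEST.SVRCONN') MATCH(RUNCHECK) +
        ADDRESS('127.0.0.1') CLNTUSER('USER1')

* Workaround used in the thread (shown commented out). A channel-specific
* BLOCKUSER record takes precedence over the generic '*' record, so
* '*MQADMIN' is no longer blocked on this channel and a client-asserted
* administrative ID runs the channel with administrative authority.
* SET CHLAUTH('TEST.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody')

* Alternative: remove that override (if it was created) and let a mapping
* rule choose the MCAUSER, so the asserted ID USER1 is never the one that
* gets authorized. The default '*MQADMIN' block stays in force.
SET CHLAUTH('TEST.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') ACTION(REMOVE)
SET CHLAUTH('TEST.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('127.0.0.1') +
    USERSRC(MAP) MCAUSER('mqclient') +
    DESCR('Run local test client as non-admin mqclient')

* Grant the mapped ID only what the test client needs.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('mqclient') AUTHADD(CONNECT, INQ)
SET AUTHREC PROFILE('TEST.QUEUE') OBJTYPE(QUEUE) PRINCIPAL('mqclient') +
    AUTHADD(PUT, GET, BROWSE, INQ)

* Confirm that the mapping rule is now the record that matches.
DISPLAY CHLAUTH('TEST.SVRCONN') MATCH(RUNCHECK) +
        ADDRESS('127.0.0.1') CLNTUSER('USER1')
```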
dextermbmq
Posted: Wed Dec 09, 2015 4:19 am

Voyager

Joined: 26 Jul 2014
Posts: 77

Thanks a ton, Peter. This explains the MCAUSER getting automatically populated in my case. By any chance, can you provide a link with more detailed info on this?
bruce2359
Posted: Wed Dec 09, 2015 5:03 am

Poobah

Joined: 05 Jan 2008
Posts: 9405
Location: US: west coast, almost. Otherwise, enroute.

Search Google for CHLAUTH.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
NealM
Posted: Fri Dec 18, 2015 9:47 am

Master

Joined: 22 Feb 2011
Posts: 230
Location: NC or Utah (depends)

Along these lines, has anyone had any trouble getting channel authentication for MQ Explorer to work with an MQ v8 QMgr? The technote at http://www-01.ibm.com/support/docview.wss?uid=swg21577137 has been updated to say it applies to v8 as well, but when we follow solution # 2a, which has always worked on our MQ v7.1 and v7.5 installations, on v8, we get an AMQ4036 authorization error on MQ Explorer, attempting to use the regular SYSTEM.ADMIN.SVRCONN or a new one, with or without the addressmap type on the new channel.
fjb_saper
Posted: Fri Dec 18, 2015 10:27 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20697
Location: LI,NY

NealM wrote:
Along these lines, has anyone had any trouble getting channel authentication for MQ Explorer to work with an MQ v8 QMgr? The technote at http://www-01.ibm.com/support/docview.wss?uid=swg21577137 has been updated to say it applies to v8 as well, but when we follow solution # 2a, which has always worked on our MQ v7.1 and v7.5 installations, on v8, we get an AMQ4036 authorization error on MQ Explorer, attempting to use the regular SYSTEM.ADMIN.SVRCONN or a new one, with or without the addressmap type on the new channel.

In order for that to work with MQ8 you would need to create an AUTHINFO that says don't care...
Remember, with MQ8 you need an AUTHENTICATION via user/password.
So if you don't provide them from MQ Explorer, no connection... See the connection properties tabs for passing user and password...

Alternatively you could use the mqccred user authentication exit ...

Have fun
_________________
MQ & Broker admin


Last edited by fjb_saper on Fri Dec 18, 2015 10:30 am; edited 1 time in total
mqjeff
Posted: Fri Dec 18, 2015 10:28 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

On a v8 queue manager, you also need to create an AUTHINFO object that does not require user/password. Unless you're sending user/password.
_________________
chmod -R ugo-wx /
NealM
Posted: Fri Dec 18, 2015 3:31 pm

Master

Joined: 22 Feb 2011
Posts: 230
Location: NC or Utah (depends)

Thanks guys!
For now I set both CHCKLOCL(NONE) and CHCKCLNT(NONE) on a new authinfo object until we decide on how much security we need. That worked fine.
For those who also have run into this and want to know more, search on Connection authentication: Configuration in the MQ v8 knowledge center.
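
Added example, not part of the original thread: the connection authentication setting described in the post above, followed by a stricter setting for the same AUTHINFO object. The object name EXAMPLE.AUTHINFO is an assumption; the posts do not name the object that was created.

```mqsc
* Added example. EXAMPLE.AUTHINFO is an assumed object name.

* Setting described in the thread: no user ID/password check for client or
* locally bound applications. The queue manager then relies on CHLAUTH
* rules and the asserted or mapped MCAUSER alone.
DEFINE AUTHINFO('EXAMPLE.AUTHINFO') AUTHTYPE(IDPWOS) +
       CHCKCLNT(NONE) CHCKLOCL(NONE)
ALTER QMGR CONNAUTH('EXAMPLE.AUTHINFO')
REFRESH SECURITY TYPE(CONNAUTH)

* Stricter setting for the same object: every client connection must present
* a valid user ID and password (REQDADM would demand this of privileged
* users only). ADOPTCTX(YES) makes the validated ID the context used for
* authorization, in place of the ID the client merely asserted.
ALTER AUTHINFO('EXAMPLE.AUTHINFO') AUTHTYPE(IDPWOS) +
      CHCKCLNT(REQUIRED) CHCKLOCL(OPTIONAL) ADOPTCTX(YES)
REFRESH SECURITY TYPE(CONNAUTH)

* Verify what is in force after each change.
DISPLAY QMGR CONNAUTH
DISPLAY AUTHINFO('EXAMPLE.AUTHINFO') CHCKCLNT CHCKLOCL ADOPTCTX
```

A change to the AUTHINFO object or to the queue manager's CONNAUTH attribute is picked up only after REFRESH SECURITY TYPE(CONNAUTH) or a queue manager restart.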