Biztalk MQSC authentication

mgrx
Posted: Sun Feb 07, 2016 2:51 am    Post subject: Biztalk MQSC authentication

Novice

Joined: 01 Oct 2015
Posts: 20

I am migrating our MQ Gateway QM from version 7.0 to version 8 and in the process I would like to add some much needed security in terms of authentication.

One test case I'm having problems with is Biztalk 2013 with MQSC-Adapter.
When I configure the MQSC adapter to use userid and password, for some reason it doesn't use the settings I configure and falls back to the Service account used by the Biztalk installation. It's displayed clearly in the log on the QM.


Client is Biztalk 2013 R2 with MQSC Adapter (MQ Client 7.5)
Server is on Linux with MQ 8.0.0.2 installed

Does anyone have any experience with similar Biztalk/Windows problems?

bruce2359
Posted: Sun Feb 07, 2016 5:13 am

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

What is displayed clearly in the MQ error log?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

mgrx
Posted: Sun Feb 07, 2016 6:30 am

Novice

Joined: 01 Oct 2015
Posts: 20

bruce2359 wrote:
What is displayed clearly in the MQ error log?


Sorry, that the CHCKCLNT user is the Windows service user, and not the user id configured in the MQSC adapter in Biztalk.

bruce2359
Posted: Sun Feb 07, 2016 7:25 am

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

Please post the complete error message.

Also, please post your CHLAUTH rules.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

mgrx
Posted: Sun Feb 07, 2016 1:55 pm

Novice

Joined: 01 Oct 2015
Posts: 20

Quote:

AMQ9777: Channel was blocked

EXPLANATION:
The inbound channel 'QM.CUSTOMER.CONN' was blocked from address 'hostname1 (10.0.0.5)' because the active values of the channel matched a record configured with USERSRC(NOACCESS). The active values of the channel were 'CLNTUSER(biztalkadmin) ADDRESS(hostname1)'.


In my Biztalk MQSC adapter the userid is set to a userid that exists on the QM, but it seems like the client does not send that userid and sends biztalkadmin instead. I don't have that much experience with Biztalk, and maybe it's not even possible?

bruce2359
Posted: Sun Feb 07, 2016 2:10 pm

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

Read the error carefully. Notice the NOACCESS.

Create a CHLAUTH rule that grants USERSRC(CHANNEL).
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

mgrx
Posted: Sun Feb 07, 2016 2:19 pm

Novice

Joined: 01 Oct 2015
Posts: 20

bruce2359 wrote:
Read the error carefully. Notice the NOACCESS.

Create a CHLAUTH rule that grants USERSRC(CHANNEL).


Yes, of course it works when I do that, but the problem still applies. The client does not send the correct userid. I have CHCKCLNT(OPTIONAL) on QMGR and, as I recall, the client gets through because it actually sends a blank username and password.

I want the client to send the userid and password that I specify.

mqjeff
Posted: Mon Feb 08, 2016 6:07 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

The biztalk adapter code would have had to be modified to supply the right userid/password in the right part of the MQ connection objects.

It's normal for a C-based client that doesn't do that to only authenticate as the user the client is running under.

So the adapter doesn't do what the configuration suggests it should. Perhaps a newer version of the adapter.

Or an MQV8 client.
_________________
chmod -R ugo-wx /

mgrx
Posted: Mon Feb 08, 2016 6:13 am

Novice

Joined: 01 Oct 2015
Posts: 20

mqjeff wrote:
The biztalk adapter code would have had to be modified to supply the right userid/password in the right part of the MQ connection objects.

It's normal for a C-based client that doesn't do that to only authenticate as the user the client is running under.

So the adapter doesn't do what the configuration suggests it should. Perhaps a newer version of the adapter.

Or an MQV8 client.


Yeah, I'll make a service request about this. I'll share the solution here as well when I get the response. Last time I checked, MQ8 client was not supported by the latest Biztalk =/

smdavies99
Posted: Mon Feb 08, 2016 6:29 am

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

mgrx wrote:
Last time I checked, MQ8 client was not supported by the latest Biztalk =/


MS are always rather laggard about supporting anything but MSMQ, which is really a toy when it comes to proper Queuing Systems (IMHO)
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

Vitor
Posted: Mon Feb 08, 2016 6:31 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

mgrx wrote:
I want the client to send the userid and password that I specify.


You might (if you've not already) try cross-posting in a BizTalk forum.

This sounds more like a problem with BizTalk than MQ.
_________________
Honesty is the best policy.
Insanity is the best defence.

exerk
Posted: Mon Feb 08, 2016 6:37 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Vitor wrote:
This sounds more like a problem with BizTalk than MQ.

Heaven forfend that Mightysoft are behind the drag curve...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

fjb_saper
Posted: Mon Feb 08, 2016 7:42 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Has anybody thought about implementing the standard MQ8 security exit (mqccred) for this scenario?
_________________
MQ & Broker admin

hughson
Posted: Tue Feb 09, 2016 6:23 pm    Post subject: Re: Biztalk MQSC authentication

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

mgrx wrote:
I am migrating our MQ Gateway QM from version 7.0 to version 8 and in the process I would like to add some much needed security in terms of authentication.

One test case I'm having problems with is Biztalk 2013 with MQSC-Adapter.
When I configure the MQSC adapter to use userid and password, for some reason it doesn't use the settings I configure and falls back to the Service account used by the Biztalk installation. It's displayed clearly in the log on the QM.


I am reading your question to mean that you are trying to use the new MQ V8 feature of user ID and password checking. You have upgraded your queue manager from V7.0 to V8.0 so this setup will not be enabled by default. Please check what is in your QMGR CONNAUTH field. If it is blank you need to enable the feature.

Secondly, you report being caught out by the CHLAUTH rule that reports the client side user ID as being the one that isn't the user ID and password provided one you hoped for.

Please ensure that your CONNAUTH settings are changed to ADOPTCTX(YES) to ensure that the user ID flowed with the password is adopted as the client's user ID. ADOPTCTX(NO) means that it would continue to use the client user ID and not the one sent with the password.

Since I don't know anything about BizSpark, all this assumes that BizSpark MQSC adapter is using the MQCSP as its method to send the user ID and password.

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

mqjeff
Posted: Wed Feb 10, 2016 6:20 am    Post subject: Re: Biztalk MQSC authentication

Grand Master

Joined: 25 Jun 2008
Posts: 17447

hughson wrote:
Since I don't know anything about BizSpark, all this assumes that BizSpark MQSC adapter is using the MQCSP as its method to send the user ID and password.


We were told that the userid being presented was the userid running the Windows process.

This strongly suggests to me that the adapter is not using the MQCSP structure.

Since, as you very well know, the default behavior of a C client is to do exactly that.
_________________
chmod -R ugo-wx /
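
The queue-manager side of what the thread discusses, as an added MQSC example that was not posted by any participant: enabling CONNAUTH on the migrated queue manager, adopting the checked user ID, and requiring credentials so that a client sending no MQCSP is refused rather than connecting as its service account. The AUTHINFO name GATEWAY.IDPWOS and the user 'appuser' are assumed placeholders; the channel name and address are taken from the AMQ9777 message quoted above.

```mqsc
* Added example, not from the thread. GATEWAY.IDPWOS and 'appuser' are
* assumed placeholder names; channel and address come from the AMQ9777 text.

* 1. On a queue manager migrated from V7.0 the CONNAUTH field may be blank,
*    in which case no user ID/password checking takes place at all.
DISPLAY QMGR CONNAUTH

* 2. Setting reported in the thread: CHCKCLNT(OPTIONAL) lets a client in
*    even when it supplies no credentials, so the adapter connects under
*    the Windows service account and nothing fails:
*      DEFINE AUTHINFO(GATEWAY.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
*
*    Stricter form: every client must supply a user ID and password
*    (checked against the operating system of the queue manager host),
*    and the checked user ID becomes the identity of the connection.
DEFINE AUTHINFO(GATEWAY.IDPWOS) AUTHTYPE(IDPWOS) +
       CHCKCLNT(REQUIRED) ADOPTCTX(YES) REPLACE
ALTER QMGR CONNAUTH(GATEWAY.IDPWOS)
REFRESH SECURITY TYPE(CONNAUTH)

* 3. Narrower alternative to a queue-manager-wide REQUIRED: keep
*    CHCKCLNT(OPTIONAL) in the AUTHINFO object and demand credentials
*    only on this channel and address through the CHLAUTH rule.
SET CHLAUTH('QM.CUSTOMER.CONN') TYPE(ADDRESSMAP) ADDRESS('10.0.0.5') +
    USERSRC(CHANNEL) CHCKCLNT(REQUIRED)

* 4. Ask the queue manager which CHLAUTH rule an inbound connection with
*    these attributes would match, without making a connection.
DISPLAY CHLAUTH('QM.CUSTOMER.CONN') MATCH(RUNCHECK) +
        ADDRESS('10.0.0.5') CLNTUSER('appuser')
```

With CHCKCLNT(REQUIRED), a client that sends no MQCSP is rejected with MQRC_NOT_AUTHORIZED (2035) instead of connecting under the service account, so an adapter that ignores its configured credentials shows up as a failed connection rather than as an unexpected user ID.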