CHANNEL AUTHENTICATION summarized
Mangesh1187
PostPosted: Wed Jul 20, 2016 1:29 am    Post subject: CHANNEL AUTHENTICATION summarized

Centurion

Joined: 23 Mar 2013
Posts: 116

Having gone through several docs and posts about CHLAUTH in MQ, I was trying to summarize the overall steps to define it.

Following are the steps you can consider one by one while creating the channel authentication rules:
1. Decide the name of the channel or channel pattern to which the rule should be applied. A wildcard can also be used.
Syntax : SET CHLAUTH('CHANNEL1'), SET CHLAUTH('CHANNEL*')

2. Choose whether to allow or block the inbound connections.
If you choose to allow, then decide whether you want to use the user id flowing with the channel for further authorization in MQ or to map it to a fixed user id.
Syntax (if allow & map the user id): USERSRC(MAP) MCAUSER('usr1') { usr1 is the user id that will be mapped to the flowing user id of the channel
(if allow & use the channel user id): USERSRC(CHANNEL)

If you decided to block, decide if you want to block it in WARN mode or not.
If run in WARN mode, the rule will only throw a warning and won't actually block the inbound connection.
Syntax : USERSRC(NOACCESS) WARN(YES/NO) { Default WARN(NO)

3. Decide depending on which identity of the inbound connection you want to ALLOW or BLOCK it. Below are the possibilities:
(a) SSL/TLS : TYPE(SSLPEERMAP) SSLPEER('Dn-Names') ADDRESS('Ip Address') { ADDRESS is optional
Distinguished Names can be CN, L etc. and can use a wildcard.

(b) Client app user id: TYPE(SSLPEERMAP) CLNTUSER('user1') ADDRESS('Ip Address') { ADDRESS is optional
Block/allow if the client application is running with id 'user1'.

(c) Remote QM name : TYPE(QMGRMAP) QMNAME('QM_Name') ADDRESS('Ip Address') { ADDRESS is optional
Block/allow the inbound connection if it is coming from a remote QM whose name matches QM_Name.

(d) IP address : TYPE(ADDRESSMAP) ADDRESS('Ip_Address')
Block/allow the inbound connection if it is coming from an IP address which matches the pattern Ip_Address.

4. Special scenarios with BLOCK.
(a) Using IP address: SET CHLAUTH('*') TYPE(BLOCKADDR) ADDRLIST('IPAddr1','IPAddr2','IPAddr3')
Use this if the rule is to be used by the listener to match the inbound connections before the channel name is known.
(b) Using the final assigned user id: TYPE(BLOCKUSER) USERLIST('usr1','usr2','usr3')
Use this option if you want the rule to match the user id ultimately assigned to the inbound connection, either by other rules or by a security exit.
It can be the user id flowing with the channel, or one assigned by another app.

A special user id *MQADMIN can be used for the privileged users.

Am I correct in saying the above, or have I missed anything to point out? Any thoughts.......
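The steps above put together as one complete rule set, written here as an added example (it is not the original poster's configuration and not an IBM default); the channel names, DNs, user ids and 192.0.2.x addresses are constructed placeholders. It follows the pattern recommended later in this thread, one NOACCESS backstop rule plus specific allow rules, and uses TYPE(USERMAP), which is the rule type that carries CLNTUSER.

```mqsc
* Backstop: deny every inbound connection on every channel unless a
* more specific rule below allows it (constructed example).
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Backstop: block everything not explicitly allowed')

* Keep privileged ids off client channels. *MQADMIN means any member
* of the MQ administrator group (mqm or its equivalent).
SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN')

* Listener-level block, checked before the channel name is known.
* 192.0.2.0/24 is reserved documentation address space (RFC 5737).
SET CHLAUTH('*') TYPE(BLOCKADDR) ADDRLIST('192.0.2.250','192.0.2.251')

* Allow rule 1: TLS client presenting a certificate with this DN,
* from the app subnet only; map it to a fixed id so MQ authorisation
* is done against appusr1 rather than the id the client flows.
SET CHLAUTH('APP1.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=app1client,O=EXAMPLE') ADDRESS('192.0.2.1-50') +
    USERSRC(MAP) MCAUSER('appusr1')

* Allow rule 2: client asserting user id appuser2 from one host.
* ADDRESS narrows where the allow applies; without it the asserted
* id would be accepted from anywhere.
SET CHLAUTH('APP2.SVRCONN') TYPE(USERMAP) CLNTUSER('appuser2') +
    ADDRESS('192.0.2.60') USERSRC(MAP) MCAUSER('appusr2')

* Allow rule 3: a named remote queue manager on a receiver channel.
SET CHLAUTH('TO.QM1') TYPE(QMGRMAP) QMNAME('QM2') +
    ADDRESS('192.0.2.70') USERSRC(MAP) MCAUSER('qm2mca')

* Audit-only variant: WARN(YES) reports what would have been blocked
* without blocking it. Useful while tuning; drop WARN when done.
* SET CHLAUTH('APP3.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
*     USERSRC(NOACCESS) WARN(YES)

* Check which rule a specific connection would match before go-live.
DISPLAY CHLAUTH('APP2.SVRCONN') MATCH(RUNCHECK) ALL +
    ADDRESS('192.0.2.60') CLNTUSER('appuser2')

* Review the full rule set.
DISPLAY CHLAUTH('*') ALL
```

Feed the file to runmqsc for the queue manager; the DISPLAY with MATCH(RUNCHECK) is the quickest way to confirm that an allow rule, and not the backstop, is the one a given client address and user id would hit.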
smdavies99
PostPosted: Wed Jul 20, 2016 1:56 am    Post subject:

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

What version of MS are you using? It does make a difference.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
Mangesh1187
PostPosted: Wed Jul 20, 2016 2:05 am    Post subject:

Centurion

Joined: 23 Mar 2013
Posts: 116

smdavies99 wrote:
What version of MS are you using? It does make a difference.

It's MQ 7.5.0.3
hughson
PostPosted: Wed Jul 20, 2016 2:30 am    Post subject: Re: CHANNEL AUTHENTICATION summarized

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

Mangesh1187 wrote:
2. Choose whether to allow or block the inbound connections.

On this point I would say this:

Only make one blocking rule - the backstop rule. All your other rules should be allow rules that override the backstop rule. No doubt you've already read about the backstop rule in your research?

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
hughson
PostPosted: Wed Jul 20, 2016 2:32 am    Post subject:

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

smdavies99 wrote:
What version of MS are you using?

Has someone switched your 'Q' and 'S' keys around on the keyboard? I noticed you calling it 'MS' in another post as well.
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
smdavies99
PostPosted: Wed Jul 20, 2016 2:40 am    Post subject:

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

hughson wrote:
smdavies99 wrote:
What version of MS are you using?

Has someone switched your 'Q' and 'S' keys around on the keyboard? I noticed you calling it 'MS' in another post as well.

Oops. Sorry Morag. I'll try to get my fingers to walk to the right keys in future.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
Mangesh1187
PostPosted: Thu Jul 21, 2016 2:40 am    Post subject:

Centurion

Joined: 23 Mar 2013
Posts: 116

hughson wrote:
Mangesh1187 wrote:
2. Choose whether to allow or block the inbound connections.

On this point I would say this:

Only make one blocking rule - the backstop rule. All your other rules should be allow rules that override the backstop rule. No doubt you've already read about the backstop rule in your research?

Thanks Morag. Yes, I did look into your valuable post about the backstop rule.
The more I dig into understanding the CHLAUTH implementation, the more interesting I find it getting.