Bichu
Posted: Thu Jul 28, 2016 3:27 am    Post subject: Relevance of MCAUSER field
Centurion
Joined: 16 Oct 2011    Posts: 124    Location: London

Hi Guys,
I am looking at CHLAUTH tutorials to create channel authentication on the MQ channels running on MQ V7.5. I would like an IP address to access my application.
For that, I have created a channel authentication record like below.
SET CHLAUTH('myChannel') TYPE(ADDRESSMAP) ADDRESS('ipaddress') USERSRC(MAP) MCAUSER('appuser') ACTION(ADD)
Here, I can see the MCAUSER is mandatory when USERSRC is used. But I wonder what extra protection it is offering to my QM and channels since I already filter the IP address.
Could you please share your thoughts on this?
Vitor
Posted: Thu Jul 28, 2016 4:36 am    Post subject: Re: Relevance of MCAUSER field
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA

Bichu wrote:
    Could you please share your thoughts on this?
It's forcing the connection to a specific user which you can add specific permissions to, rather than saying "if you come from this IP address you can be whoever you want to be".
Given how easy it is to spoof an IP address, this means that an intruder can only impersonate a single application.
_________________
Honesty is the best policy.
Insanity is the best defence.
Bichu
Posted: Thu Jul 28, 2016 5:40 am    Post subject:
Centurion
Joined: 16 Oct 2011    Posts: 124    Location: London

Thanks Vitor.
This means that once we have assigned an MCAUSER id, we need to set privileges for that user id?
If so, is it done via Linux commands or MQSC commands?
Vitor
Posted: Thu Jul 28, 2016 6:17 am    Post subject:
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA

Bichu wrote:
    This means that once we assigned a MCAUSER id, we need to set privileges to that user id?
The MCAUser, set either by the channel or by a channel authority rule, becomes the user that is used by the queue manager for all permission checks. I refer you to Morag's quite excellent documentation for full details of how this works for auth rules, and how the rules are applied.
Bichu wrote:
    If so, is it done via Linux commands or mqsc commands
All MQ permissions are set with the setmqaut command. That's true if the user is applied via an MCAUser (either method) or is flowed directly from the calling client. There's no difference between them; the only difference is that an MCAUser (if applied) replaces the user id flowed from the client. Once you've reached the queue manager, it doesn't matter how you ended up with that user id; that user id is the one that's checked.
_________________
Honesty is the best policy.
Insanity is the best defence.
exerk
Posted: Thu Jul 28, 2016 6:49 am    Post subject:
Jedi Council
Joined: 02 Nov 2006    Posts: 6339

Vitor wrote:
    All MQ permissions are set with the setmqaut command...
Time to pick a nit - SET AUTHREC does it too, since MQ V7.5
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Vitor
Posted: Thu Jul 28, 2016 6:52 am    Post subject:
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA

exerk wrote:
    Vitor wrote:
        All MQ permissions are set with the setmqaut command...
    Time to pick a nit - SET AUTHREC does it too, since MQ V7.5
Quite right, and the OP clearly indicated that level.
My bad.
_________________
Honesty is the best policy.
Insanity is the best defence.
Bichu
Posted: Thu Jul 28, 2016 7:13 am    Post subject:
Centurion
Joined: 16 Oct 2011    Posts: 124    Location: London

Thanks all.
Just want to confirm the below point.
Before creating a channel auth mapping an IP address to a userid, say 'junk', junk should be created on the server and SET AUTHREC or setmqaut commands should be used to set the appropriate permissions for it.
Am I right in the above point?
If so, I have found from Morag's blog that in a Unix queue manager, a group name should be used instead of the individual user name, which is explained in the Redbook below.
http://www.redbooks.ibm.com/redpieces/abstracts/sg248069.html
And I am using a Unix server.
exerk
Posted: Thu Jul 28, 2016 7:19 am    Post subject:
Jedi Council
Joined: 02 Nov 2006    Posts: 6339

Bichu wrote:
    ...If so, I have found from Morags blog that in a Unix Queue Manager, a group name should be used instead of the individual user name...
Best practice, as far as I am concerned, is that a group name should always be used, even on Windows. Create a group applicable to the user, assign the user to it, then set the authorities for the group.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Bichu
Posted: Thu Jul 28, 2016 7:38 am    Post subject:
Centurion
Joined: 16 Oct 2011    Posts: 124    Location: London

Thanks.
I'm still going through lots of channel auth stuff and am getting mad.
1. Should I create a new group (say, rubbishGroup) and a new id (junk), assign rubbishGroup proper privileges in Linux and then assign junk as the MCAUSER value
OR
2. Should I specify an invalid value for MCAUSER?
exerk
Posted: Thu Jul 28, 2016 7:46 am    Post subject:
Jedi Council
Joined: 02 Nov 2006    Posts: 6339

Bichu wrote:
    1. Should I create a new group(say,rubbishGroup) and a new id(junk) and assign rubbishGroup proper privileges in Linux and then assign junk as the MCAUSER value
Yes, that's one way of doing it - except that you won't be assigning Linux-based privileges, you'll be assigning MQ Object-based privileges...
Bichu wrote:
    2. Should I specify an invalid value for MCAUSER
...and think through the logic of what will happen if you do.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Bichu
Posted: Thu Jul 28, 2016 7:56 am    Post subject:
Centurion
Joined: 16 Oct 2011    Posts: 124    Location: London

Thanks exerk. I get that my channel will be useless if I specify an invalid value, since no one will be authorised. I will go with the other approach.
I have a system where I can see channel auth defined with an MCAUSER value of junk but am not able to see junk defined in any groups, and I am still wondering how it works. I tried the dspmqaut command as well. That's where I ran into this confusion.
Vitor
Posted: Thu Jul 28, 2016 8:22 am    Post subject:
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA

Bichu wrote:
    I have a system where I can see channel auth defined with a mcauser value of junk but not able to see junk defined in any groups and am still wondering how it works.
That's a common dodge used by MQ admins on SYSTEM channels when they don't want anyone to use them. Forcing the id to junk (or more commonly nobody) means that anyone attempting to use the channel will have no permissions on the queue manager.
More important before v7.5, when you couldn't use IP blocking without an exit.
_________________
Honesty is the best policy.
Insanity is the best defence.
exerk
Posted: Thu Jul 28, 2016 10:17 am    Post subject:
Jedi Council
Joined: 02 Nov 2006    Posts: 6339

Vitor wrote:
    That's a common dodge used by MQ admins on SYSTEM channels when they don't want anyone to use them. Forcing the id to junk (or more commonly nobody) means that anyone attempting to use the channel will have no permissions on the queue manager...
Commonly seen but not something I like. My preference, and again I stress it is a personal one, is to use a value that cannot possibly exist on the system (or within LDAP/AD/RACF) as MQ seems to read it as a string value to pass to the relevant authority mechanism. For example:
MCAUSER('null user')
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
hughson
Posted: Thu Jul 28, 2016 2:40 pm    Post subject:
Padawan
Joined: 09 May 2013    Posts: 1959    Location: Bay of Plenty, New Zealand

A common invalid string I've seen, possibly suggested by someone on here, is "no#body".
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
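The advice in this thread, assembled into one worked MQSC script as an added example (these are not commands posted by anyone above). The queue manager QM1, channel APP.SVRCONN, OS group appgroup with member user appuser, queues APP.REQUEST and APP.REPLY, and the addresses 192.0.2.10 and 198.51.100.7 (documentation ranges) are all assumed names. It shows the three pieces the posters describe working together: an impossible MCAUSER on the channel definition as the fall-through identity, an ADDRESSMAP rule that replaces whatever id the client flowed with appuser, and authority granted to the group rather than the user with SET AUTHREC (the setmqaut equivalent is given beside each line).

```mqsc
* Added example, not from the thread. Assumed: queue manager QM1,
* channel APP.SVRCONN, OS group appgroup containing OS user appuser,
* queues APP.REQUEST and APP.REPLY, client address 192.0.2.10.
* Run with:  runmqsc QM1 < this-file
* The OS group and user must exist first, e.g. on Linux:
*   groupadd appgroup && useradd -g appgroup appuser

* 1. The channel definition carries an id that cannot exist in the OS,
*    LDAP or RACF. A connection that no CHLAUTH rule maps therefore
*    ends up with an identity that holds no authority at all.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('no#body') REPLACE

* 2. Backstop rule: any address not matched by a more specific
*    ADDRESSMAP rule is refused before it reaches the queue manager.
*    (Among matching ADDRESSMAP rules the most specific address wins.)
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) ACTION(ADD)

* 3. The application's address is mapped to appuser. The id flowed by
*    the client is discarded; every object authority check for this
*    connection runs as appuser, i.e. as a member of appgroup.
*    Spoofing the address therefore gains at most appuser's rights,
*    never an arbitrary id chosen by the client.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.10') +
    USERSRC(MAP) MCAUSER('appuser') ACTION(ADD)

* 4. Grant the group, not the user, the minimum the application needs.
*    SET AUTHREC is the MQSC form of setmqaut (MQ V7.5 and later);
*    the equivalent setmqaut command follows each statement.
SET AUTHREC OBJTYPE(QMGR) GROUP('appgroup') AUTHADD(CONNECT, INQ)
*   setmqaut -m QM1 -t qmgr -g appgroup +connect +inq
SET AUTHREC PROFILE('APP.REQUEST') OBJTYPE(QUEUE) GROUP('appgroup') +
    AUTHADD(PUT, INQ)
*   setmqaut -m QM1 -t queue -n APP.REQUEST -g appgroup +put +inq
SET AUTHREC PROFILE('APP.REPLY') OBJTYPE(QUEUE) GROUP('appgroup') +
    AUTHADD(GET, BROWSE, INQ)
*   setmqaut -m QM1 -t queue -n APP.REPLY -g appgroup +get +browse +inq

* 5. The SYSTEM channels get the same impossible id, so that even if a
*    CHLAUTH rule were ever removed, a connection through them would
*    still hold no authority on the queue manager.
ALTER CHANNEL('SYSTEM.DEF.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('no#body')
ALTER CHANNEL('SYSTEM.ADMIN.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('no#body')

* 6. Verify which rule wins, and so which id the queue manager would
*    use, before trusting the configuration. RUNCHECK needs a full
*    channel name, an ADDRESS and a CLNTUSER (or QMNAME).
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('192.0.2.10') +
        CLNTUSER('anyflowedid')
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('198.51.100.7') +
        CLNTUSER('anyflowedid')
DISPLAY AUTHREC PROFILE('APP.REQUEST') OBJTYPE(QUEUE) GROUP('appgroup')
```

The first RUNCHECK display should report the mapping rule with MCAUSER appuser; the second should report the NOACCESS backstop, which is the behaviour Vitor describes: a connection from anywhere else is not merely unprivileged but refused. If a rule mapping to an id that exists in no group were used instead (the "junk" case Bichu found), the connection would be accepted and then fail every authority check, which is why the RUNCHECK and DISPLAY AUTHREC steps are worth keeping in the script.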
mqjeff
Posted: Tue Aug 02, 2016 5:23 am    Post subject:
Grand Master
Joined: 25 Jun 2008    Posts: 17447

Sometimes I use "MoragWasHere"... or other similar values.
_________________
chmod -R ugo-wx /