MQSeries.net Forum: IBM MQ Security
Relevance of MCAUSER field

Bichu
Posted: Thu Jul 28, 2016 3:27 am    Post subject: Relevance of MCAUSER field

Centurion

Joined: 16 Oct 2011
Posts: 124
Location: London

Hi Guys,

I am looking at CHLAUTH tutorials to create channel authentication on the MQ channels running on MQ V7.5. I would like an IP address to access my application.
For that, I have created a channel authentication record like the one below.
SET CHLAUTH('myChannel') TYPE(ADDRESSMAP) ADDRESS('ipaddress') USERSRC(MAP) MCAUSER('appuser') ACTION(ADD)

Here, I can see the MCAUSER is mandatory when USERSRC is used. But I wonder what extra protection it is offering to my QM and channels since I already filter the ip address.

Could you please share your thoughts on this?
Vitor
Posted: Thu Jul 28, 2016 4:36 am    Post subject: Re: Relevance of MCAUSER field

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Bichu wrote:
Could you please share your thoughts on this?


It's forcing the connection to a specific user which you can add specific permissions to, rather than saying "if you come from this IP address you can be whoever you want to be".

Given how easy it is to spoof an IP address, this means that an intruder can only impersonate a single application.
_________________
Honesty is the best policy.
Insanity is the best defence.
Bichu
Posted: Thu Jul 28, 2016 5:40 am

Centurion

Joined: 16 Oct 2011
Posts: 124
Location: London

Thanks Vitor.

This means that once we've assigned an MCAUSER id, we need to set privileges for that user id?

If so, is it done via Linux commands or MQSC commands?
Vitor
Posted: Thu Jul 28, 2016 6:17 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Bichu wrote:
This means that once we assigned a MCAUSER id, we need to set privileges to that user id?


The MCAUser, set either by the channel or by a channel authority rule, becomes the user that is used by the queue manager for all permission checks. I refer you to Morag's quite excellent documentation for full details of how this works for auth rules, and how the rules are applied.

Bichu wrote:
If so, is it done via Linux commands or mqsc commands


All MQ permissions are set with the setmqaut command. That's true if the user is applied via an MCAUser (either method) or is flowed directly from the calling client. There's no difference between them, the only difference is that an MCAUser (if applied) replaces the user id flowed from the client. Once you've reached the queue manager, it doesn't matter how you ended up with that user id, that user id is the one that's checked.
_________________
Honesty is the best policy.
Insanity is the best defence.
exerk
Posted: Thu Jul 28, 2016 6:49 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Vitor wrote:
All MQ permissions are set with the setmqaut command...

Time to pick a nit - SET AUTHREC does it too, since MQ V7.5
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Vitor
Posted: Thu Jul 28, 2016 6:52 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

exerk wrote:
Vitor wrote:
All MQ permissions are set with the setmqaut command...

Time to pick a nit - SET AUTHREC does it too, since MQ V7.5

Quite right, and the OP clearly indicated that level.

My bad.
_________________
Honesty is the best policy.
Insanity is the best defence.
Bichu
Posted: Thu Jul 28, 2016 7:13 am

Centurion

Joined: 16 Oct 2011
Posts: 124
Location: London

Thanks all.

Just want to confirm the below point.

Before creating a channel auth record mapping an IP address to a user id, say 'junk', junk should be created on the server and the SET AUTHREC or setmqaut commands should be used to set the appropriate permissions for it.

Am I right on the above point?


If so, I have found from Morag's blog that on a Unix queue manager a group name should be used instead of the individual user name, which is explained in the Red Book below.

http://www.redbooks.ibm.com/redpieces/abstracts/sg248069.html

And I am using a Unix server.
exerk
Posted: Thu Jul 28, 2016 7:19 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Bichu wrote:
...If so, I have found from Morags blog that in a Unix Queue Manager, a group name should be used instead of the individual user name...

Best practice, as far as I am concerned, is that a group name should always be used, even on Windows. Create a group applicable to the user, assign the user to it, then set the authorities for the group.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Bichu
Posted: Thu Jul 28, 2016 7:38 am

Centurion

Joined: 16 Oct 2011
Posts: 124
Location: London

Thanks.

I'm still going through lots of channel auth stuff and am going mad.

1. Should I create a new group (say, rubbishGroup) and a new id (junk), assign rubbishGroup the proper privileges in Linux and then set junk as the MCAUSER value?

OR

2. Should I specify an invalid value for MCAUSER?
exerk
Posted: Thu Jul 28, 2016 7:46 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Bichu wrote:
1. Should I create a new group(say,rubbishGroup) and a new id(junk) and assign rubbishGroup proper privileges in Linux and then assign junk as the MCAUSER value

Yes, that's one way of doing it - except that you won't be assigning Linux-based privileges, you'll be assigning MQ Object-based privileges...

Bichu wrote:
2. Should I specify an invalid value for MCAUSER

...and think through the logic of what will happen if you do.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
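The provisioning sequence exerk outlines (an OS group, a user in it, MQ object authorities granted to the group, then the CHLAUTH mapping that forces connections from one address onto that user), written out as an added shell example. This is not code from the thread, from Morag's documentation or from IBM; the queue manager, channel, queue, address, user and group names are placeholders, and the script only prints the commands unless MQ_APPLY=1 is set, so the result can be reviewed before it touches a real queue manager.

```shell
#!/bin/sh
# Added example, not from the thread or from IBM: provision an application identity
# for a CHLAUTH ADDRESSMAP rule. All names below are placeholders.
QMGR="${QMGR:-QM1}"
CHANNEL="${CHANNEL:-APP.SVRCONN}"
APP_ADDR="${APP_ADDR:-192.0.2.10}"      # placeholder address (documentation range)
APP_USER="${APP_USER:-appuser}"         # id the rule forces connections onto
APP_GROUP="${APP_GROUP:-appgroup}"      # group that actually carries the authorities
APP_QUEUE="${APP_QUEUE:-APP.REQUEST}"

# 1. OS identity: the group holds the MQ authorities, the user is only a member of it.
os_identity_cmds() {
  printf 'groupadd %s\n' "$APP_GROUP"
  printf 'useradd -g %s %s\n' "$APP_GROUP" "$APP_USER"
}

# 2. MQ object authorities, granted to the group only (least privilege: connect to
#    the queue manager and put/get/inquire on one application queue).
mq_authority_cmds() {
  printf 'setmqaut -m %s -t qmgr -g %s +connect +inq\n' "$QMGR" "$APP_GROUP"
  printf 'setmqaut -m %s -t queue -n %s -g %s +put +get +inq\n' "$QMGR" "$APP_QUEUE" "$APP_GROUP"
}

# 3. MQSC: the channel's own MCAUSER is a string no account can have, so a client
#    that matches no CHLAUTH rule ends up with no authorities; the ADDRESSMAP rule
#    then maps the application's address onto APP_USER, whose group is authorised.
chlauth_mqsc() {
  cat <<EOF
ALTER CHANNEL('$CHANNEL') CHLTYPE(SVRCONN) MCAUSER('no#body')
SET CHLAUTH('$CHANNEL') TYPE(ADDRESSMAP) ADDRESS('$APP_ADDR') USERSRC(MAP) MCAUSER('$APP_USER') ACTION(ADD)
DISPLAY CHLAUTH('$CHANNEL') ALL
EOF
}

# 4. Checks to run afterwards: group membership and the group's effective authorities.
verify_cmds() {
  printf 'id %s\n' "$APP_USER"
  printf 'dspmqaut -m %s -t qmgr -g %s\n' "$QMGR" "$APP_GROUP"
  printf 'dspmqaut -m %s -t queue -n %s -g %s\n' "$QMGR" "$APP_QUEUE" "$APP_GROUP"
}

apply_all() {
  os_identity_cmds | sh
  mq_authority_cmds | sh
  chlauth_mqsc | runmqsc "$QMGR"
  verify_cmds | sh
}

# Dry run by default: print every command for review; MQ_APPLY=1 executes them.
if [ "${MQ_APPLY:-0}" = "1" ]; then
  apply_all
else
  os_identity_cmds; mq_authority_cmds; chlauth_mqsc; verify_cmds
fi
```

The groupadd/useradd step needs root and the setmqaut/runmqsc steps need a member of the mqm group. The channel-level MCAUSER('no#body') follows the nonexistent-id convention discussed later in the thread; for the mapped address the rule's MCAUSER takes precedence over it, which is exactly the point Vitor makes: the address filter alone would let the client be whoever it claims, the mapping pins it to one id whose authorities you control.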
Bichu
Posted: Thu Jul 28, 2016 7:56 am

Centurion

Joined: 16 Oct 2011
Posts: 124
Location: London

Thanks exerk. I get that my channel will be useless if I specify an invalid value, since no one will be authorised. I will go with the other approach.

I have a system where I can see a channel auth record defined with an MCAUSER value of junk, but I am not able to see junk defined in any groups, and am still wondering how it works. I tried the dspmqaut command as well. That's where I ran into this confusion.
Vitor
Posted: Thu Jul 28, 2016 8:22 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Bichu wrote:
I have a system where I can see channel auth defined with a mcauser value of junk but not able to see junk defined in any groups and am still wondering how it works.


That's a common dodge used by MQ admins on SYSTEM channels when they don't want anyone to use them. Forcing the id to junk (or more commonly nobody) means that anyone attempting to use the channel will have no permissions on the queue manager.

More important before v7.5 when you couldn't use ip blocking without an exit.
_________________
Honesty is the best policy.
Insanity is the best defence.
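An added audit script, not from the thread, that takes Vitor's point from the defender's side: it reads runmqsc output (constructed sample output below, in the DISPLAY CHANNEL and DISPLAY CHLAUTH format) and reports SVRCONN channels whose MCAUSER is blank, i.e. where whatever user id the client flows is used as-is unless a CHLAUTH rule overrides it, and separately the user ids that USERSRC(MAP) rules map connections onto, which are the ids that must exist and belong to a group with setmqaut/SET AUTHREC authorities. The channel, address and user names in the samples are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Audits runmqsc output for SVRCONN channels
# that would trust the client-flowed user id, and lists the ids CHLAUTH maps onto.

# Constructed sample of: DISPLAY CHANNEL(*) MCAUSER
SAMPLE_CHANNELS='AMQ8414I: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(no#body)
AMQ8414I: Display Channel details.
   CHANNEL(LEGACY.SVRCONN)                 CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414I: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414I: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   MCAUSER( )'

# Constructed sample of: DISPLAY CHLAUTH(*) ALL (attributes trimmed)
SAMPLE_CHLAUTH='AMQ8878I: Display channel authentication record details.
   CHLAUTH(APP.SVRCONN)                    TYPE(ADDRESSMAP)
   ADDRESS(192.0.2.10)                     USERSRC(MAP)
   MCAUSER(appuser)                        CHCKCLNT(ASQMGR)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(SYSTEM.*)                       TYPE(ADDRESSMAP)
   ADDRESS(*)                              USERSRC(NOACCESS)
   MCAUSER( )                              CHCKCLNT(ASQMGR)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(*)                              TYPE(BLOCKUSER)
   USERLIST(*MQADMIN)'

# Print SVRCONN channels whose MCAUSER is blank: on these the flowed user id is
# used unchanged unless a CHLAUTH rule maps it to something else.
blank_mcauser_svrconn() {
  awk '
    /CHANNEL\(/ {
      if (match($0, /CHANNEL\([^)]*\)/)) ch = substr($0, RSTART + 8, RLENGTH - 9)
      if (match($0, /CHLTYPE\([^)]*\)/)) ty = substr($0, RSTART + 8, RLENGTH - 9)
    }
    /MCAUSER\(/ {
      mca = ""
      if (match($0, /MCAUSER\([^)]*\)/)) mca = substr($0, RSTART + 8, RLENGTH - 9)
      gsub(/ /, "", mca)
      if (ty == "SVRCONN" && mca == "") print ch
    }'
}

# Print "rule user" for every CHLAUTH rule with USERSRC(MAP): each listed id is one
# the queue manager will check authorities for, so it needs a group with setmqaut
# (or SET AUTHREC) grants; an id in no group, like the "junk" in the thread, has none.
mapped_mcausers() {
  awk '
    /CHLAUTH\(/ {
      src = ""
      if (match($0, /CHLAUTH\([^)]*\)/)) rule = substr($0, RSTART + 8, RLENGTH - 9)
    }
    /USERSRC\(/ {
      if (match($0, /USERSRC\([^)]*\)/)) src = substr($0, RSTART + 8, RLENGTH - 9)
    }
    /MCAUSER\(/ {
      mca = ""
      if (match($0, /MCAUSER\([^)]*\)/)) mca = substr($0, RSTART + 8, RLENGTH - 9)
      gsub(/ /, "", mca)
      if (src == "MAP" && mca != "") print rule, mca
    }'
}

printf '== SVRCONN channels with blank MCAUSER (flowed id trusted unless mapped) ==\n'
printf '%s\n' "$SAMPLE_CHANNELS" | blank_mcauser_svrconn
printf '== user ids that CHLAUTH USERSRC(MAP) rules force connections onto ==\n'
printf '%s\n' "$SAMPLE_CHLAUTH" | mapped_mcausers
```

On a live queue manager the same functions can be fed directly, for example `echo "DISPLAY CHANNEL(*) MCAUSER" | runmqsc QM1 | blank_mcauser_svrconn`. A channel reported by the first function is not automatically a problem (a CHLAUTH rule may map it), but every such channel should be matched against the rule list; for every id the second function lists, `id <user>` and `dspmqaut -g <group>` show whether it is a real account with deliberate authorities or a deliberately nonexistent one.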
exerk
Posted: Thu Jul 28, 2016 10:17 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Vitor wrote:
That's a common dodge used by MQ admins on SYSTEM channels when they don't want anyone to use them. Forcing the id to junk (or more commonly nobody) means that anyone attempting to use the channel will have no permissions on the queue manager...

Commonly seen but not something I like. My preference, and again I stress it is a personal one, is to use a value that cannot possibly exist on the system (or within LDAP/AD/RACF) as MQ seems to read it as a string value to pass to the relevant authority mechanism. For example:

MCAUSER('null user')
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
hughson
Posted: Thu Jul 28, 2016 2:40 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

A common invalid string I've seen, possibly suggested by someone on here is "no#body".
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
mqjeff
Posted: Tue Aug 02, 2016 5:23 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Sometimes I use "MoragWasHere"... or other similar values.
_________________
chmod -R ugo-wx /