CHLAUTH question
paulau
Posted: Wed May 02, 2018 2:12 am Post subject: CHLAUTH question

Novice

Joined: 06 Feb 2017
Posts: 10

Hi,
We have 2000 desktop users that send messages with their login ID in MQMD.UserIdentifier. The MQMD.UserIdentifier is used to authorise the transactions on CICS.
There is no central LDAP capability. Is there a CHLAUTH feature that would allow us to authorise using a local MQ user mapped from the supplied PKI certificate?
The USERSOURCE option we have tried updates the MQMD.UserIdentifier to the same value as the mapping result. Is there an ADOPTCTX feature like the one for AUTHINFO that would let us authorise with one user while leaving the MQMD.UserIdentifier set to the desktop CLNTUSER value?

Regards
Paul
Mangesh1187
Posted: Wed May 09, 2018 8:42 am

Centurion

Joined: 23 Mar 2013
Posts: 115

Presuming:
1) All the 2000 desktop users are using the same server-con channel OR multiple channels with a fixed pattern.

2) All the 2000 desktop users want the same level of authorizations on MQ objects.

3) MQ server is on UNIX/WIN/LINUX with version 7.5 or greater.
(In your query you mentioned CICS and I don't know how chlauth works in CICS MQ)

Requirement:
To map several SSL cert CN names to a single user on the MQ server for further authorizations.

I hope the below works:

SET CHLAUTH(channel_Name_Pattern) TYPE(SSLPEERMAP) SSLPEER('CN=*') USERSRC(MAP) MCAUSER('userName') ACTION(ADD)
paulau
Posted: Wed Aug 15, 2018 9:01 pm

Novice

Joined: 06 Feb 2017
Posts: 10

Hi Mangesh,

I tried a rule like that but it changes the mqmd.userid and that means that the transaction will be run on z/OS in CICS under the changed userid. We need the client's id to flow through to z/OS and it seems like this isn't possible with the current CHLAUTH setup.

Paul
belchman
Posted: Thu Aug 16, 2018 5:52 am

Partisan

Joined: 31 Mar 2006
Posts: 317
Location: Ohio, USA

Read the channel authentication records section of this

https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.sec.doc/q010000_.htm
_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter
Vitor
Posted: Thu Aug 16, 2018 5:57 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25173
Location: Ohio, USA

paulau wrote:
I tried a rule like that but it changes the mqmd.userid and that means that the transaction will be run on z/OS in CICS under the changed userid. We need the client's id to flow through to z/OS and it seems like this isn't possible with the current CHLAUTH setup.


You could try setting the SSL on the client connection, so that only a client with the correct certificate could connect, making the user id supplied irrelevant.
_________________
Honesty is the best policy.
Insanity is the best defence.
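
The certificate-to-user mapping from Mangesh1187's reply, combined with the certificate requirement Vitor suggests, written out as a scoped MQSC rule set. This is an added example and not part of the thread; the channel name, DN fields, user id, client user and address are assumed placeholders.

```mqsc
* Added example. DESKTOP.SVRCONN, the DN fields, 'mqdesktop', 'jdoe'
* and 192.0.2.10 are assumed placeholders, not values from the thread.

* Require every client to present a certificate on this channel
* (assumes a CipherSpec is already set in SSLCIPH).
ALTER CHANNEL('DESKTOP.SVRCONN') CHLTYPE(SVRCONN) SSLCAUTH(REQUIRED)

* Backstop: refuse all connections on this channel unless a more
* specific rule below matches.
SET CHLAUTH('DESKTOP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Default deny') ACTION(ADD)

* The rule posted in the thread uses SSLPEER('CN=*'), which matches any
* certificate with a CN that the queue manager accepts in the handshake.
* The scoped form below also pins OU and O, so only certificates issued
* to the desktop population are mapped to the local user.
SET CHLAUTH('DESKTOP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=*,OU=Desktop,O=Example Corp') +
    USERSRC(MAP) MCAUSER('mqdesktop') +
    DESCR('Desktop certs mapped to one local user') ACTION(ADD)

* As reported in the thread, the mapped MCAUSER is also what ends up in
* MQMD.UserIdentifier, so this rule set does not preserve CLNTUSER.

* Dry run: show which record an inbound connection with this DN,
* address and client user would match, without connecting a client.
DISPLAY CHLAUTH('DESKTOP.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') CLNTUSER('jdoe') +
    SSLPEER('CN=jdoe,OU=Desktop,O=Example Corp')

* Same check with a certificate from outside the expected OU; this
* should fall through to the default-deny ADDRESSMAP record.
DISPLAY CHLAUTH('DESKTOP.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') CLNTUSER('jdoe') +
    SSLPEER('CN=jdoe,OU=Other,O=Example Corp')
```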