ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral IBM MQ SupportLDAP Auth failed with MCA User (AMQ9557)

Post new topicReply to topic
LDAP Auth failed with MCA User (AMQ9557) View previous topic :: View next topic
Author Message
jdeleglise
PostPosted: Fri Aug 17, 2018 3:58 am Post subject: LDAP Auth failed with MCA User (AMQ9557) Reply with quote

Newbie

Joined: 17 Aug 2018
Posts: 7

Hello,

I am currently implementing security for a client, and we decided to use LDAP. The security itself is not an issue, I've managed to connect to the LDAP, and to configure an Admin user : svc_dev_esb.

Now, in order to have a plan for applications which could not provide a user / password, I discussed a potential solution with an MQ Trainer (during the learnquest IBM Cluster training). He proposed to use the CHLAUTH MAP in order to define a default user for a specific channel, so I did the following :

Code:
SET CHLAUTH(NO.LDAP.USER.TEST) TYPE(ADDRESSMAP) ACTION(REPLACE) ADDRESS(<MyIpAddress>) MCAUSER('svc_dev_esb')


This user have the +all right for everything. Of course it is just a test, I won't put an admin user there in the future.
When I try to connect (via MQ Explorer) to this QM via this channel, I have the following error

Code:
  Access not permitted. You are not authorized to perform this operation. (AMQ4036)
  Severity: 10 (Warning)
  Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access the object.


And in my log file, I have the following :

Code:
08/17/2018 01:29:19 PM - Process(6179.42) User(integra) Program(amqzlaa0)
                    Host(*********) Installation(Installation1)
                    VRMF(8.0.0.7) QMgr(LDAP_AUTH_POC_SWIFT)

AMQ5540: Application 'MQ Explorer 8.0.0' did not supply a user ID and password

EXPLANATION:
The queue manager is configured to require a user ID and password, but none was
supplied.
ACTION:
Ensure that the application provides a valid user ID and password, or change
the queue manager configuration to OPTIONAL to allow applications to connect
which have not supplied a user ID and password.
----- amqzfuca.c : 4716 -------------------------------------------------------
08/17/2018 01:29:20 PM - Process(8229.7) User(integra) Program(amqrmppa)
                    Host(*********) Installation(Installation1)
                    VRMF(8.0.0.7) QMgr(LDAP_AUTH_POC_SWIFT)

AMQ9557: Queue Manager User ID initialization failed for 'svc_dev_esb'.

EXPLANATION:
The call to initialize the User ID 'svc_dev_esb' failed with CompCode 2 and
Reason 2035. If an MQCSP block was used, the User ID in the MQCSP block was ''.
ACTION:
Correct the error and try again.



It seems it correctly mapped the user, but it consider the user as unauthorized, which should not be an issue at all. After investigation, if I fill the authentication fields on MQExplorer with the exact same user, it works.

The trainer advised me to go ask this question here in case of trouble, so if you have any idea about this issue, I would be glad to try your solutions.

Thanks in advance,
Back to top
View user's profile Send private message
bruce2359
PostPosted: Fri Aug 17, 2018 5:19 am Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 8192
Location: US: west coast, almost. Otherwise, enroute.

Other than post here, what have you tried?

For example, did you DISPLAY CHLAUTH() MATCH(RUNCHECK) command? What were the results?
_________________
I would tell you a UDP joke, but you might not get it.
Back to top
View user's profile Send private message
jdeleglise
PostPosted: Fri Aug 17, 2018 7:11 am Post subject: Reply with quote

Newbie

Joined: 17 Aug 2018
Posts: 7

I tried to look about this specific case in the MQ documentation, but unhopefully I couldn't find much about the MCA User for LDAP configuration, and especially how to bypass a missing user via CHLAUT and MAP rules.

I read multiple article today about the MQ Security (Mostly the ones from T-Rob and Morag Hughson), but I couldn't find anything related.

I did many check I found in the documentation (e.g : check if the chlauth is enabled), but so far I didn't try a RUNCHECK, and I got the following :

Code:
DISPLAY CHLAUTH(NO.LDAP.USER.TEST) MATCH(RUNCHECK) ALL ADDRESS(<myIp>) CLNTUSER('deleglis')
AMQ8878: Display channel authentication record details.
   CHLAUTH(NO.LDAP.USER.TEST)              TYPE(ADDRESSMAP)
   DESCR( )                                CUSTOM( )
   ADDRESS(<myIp>)                    MCAUSER(svc_dev_esb)
   USERSRC(MAP)                            CHCKCLNT(ASQMGR)
   ALTDATE(2018-08-17)                     ALTTIME(13.29.03)


I'm mostly asking my question here because even the trainer was not sure if it would be possible, and apparently my first tests are not going well.

So I general my question here could be summarized this way :

Is it possible to setup a security configuration with mandatory users and passwords*, BUT with exception for a specific application** and to assign a specific user for it ?
If yes, do you have any leads, documentations, samples or anything to help me ?

*CHCKCLNT(REQUIRED), with AUTHTYPE(IDPWLDAP)
**(user Id, SSL peer, IP address, I don't have any preference)
Back to top
View user's profile Send private message
jdeleglise
PostPosted: Tue Aug 21, 2018 5:39 am Post subject: Reply with quote

Newbie

Joined: 17 Aug 2018
Posts: 7

Hello,

I kept digging about this topic, and I focused on one part of the error message

Code:
If an MQCSP block was used, the User ID in the MQCSP block was ''.


After a few researches, it looks like the CHLAUTH rules cannot be useful for my case, since the QM will check the content of the MQCSP block in any case.

A potential solution described in IBM documentation is the Identity Mapping in the Message Exit (https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.sec.doc/q013330_.htm)

I would like any opinion about this potential solution. The trainer explained that Message Exit was an "old" functionality, and that we would probably never see or need any. Is it a good idea to go further in that direction, or do you see any other solution for this case ?
Back to top
View user's profile Send private message
Vitor
PostPosted: Tue Aug 21, 2018 7:16 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25318
Location: Ohio, USA

jdeleglise wrote:
I would like any opinion about this potential solution. The trainer explained that Message Exit was an "old" functionality, and that we would probably never see or need any. Is it a good idea to go further in that direction, or do you see any other solution for this case ?


I'm kinda with your trainer on this one. Through my long and inglorious MQ career, I've always held then view that if the answer is an exit you're asking the wrong question. You'll find ample discussion in this forum on the perils of exits for the simple reason they're perilous.

So to be clear, you are authenticating users against your LDAP system but if the user can't be authenticated (because the application can't supply credentials) AND they're using a specific application which you know is one of the ones that can't supply credentials, you want to apply a given default user?
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
exerk
PostPosted: Tue Aug 21, 2018 7:44 am Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 5958

I expect Roger along any minute now...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Back to top
View user's profile Send private message
Vitor
PostPosted: Tue Aug 21, 2018 7:58 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25318
Location: Ohio, USA

exerk wrote:
I expect Roger along any minute now...


Surprised not to have heard from him already
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Tue Aug 21, 2018 9:55 am Post subject: Reply with quote

Jedi Council

Joined: 15 May 2001
Posts: 7466

You are using MQ 8.0.0.7.

Oh boy, we had so many issues with trying to go from 8.0.0.6 (stable) to 8.0.0.7, 8.0.0.8, 8.0.0.9, 8.0.0.10.

Finally with an iFix 8.0.0.10 worked when you had channels with an Exit and CHLAUTH rules.

I can't prove, but I think the following TechNote was a result of our PMRs on this.

https://www-01.ibm.com/support/docview.wss?uid=ibm10725873&myns=swgws&mynp=OCSSFKSJ&mync=E&cm_sp=swgws-_-OCSSFKSJ-_-E
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
jdeleglise
PostPosted: Tue Aug 21, 2018 10:11 pm Post subject: Reply with quote

Newbie

Joined: 17 Aug 2018
Posts: 7

Thanks for the answer everyone.

@Vitor : Indeed, this is exactly my situation.

I will try with a more recent version, but we already have a custom fix for our 8.0.0.7 mq, mandatory for our system (but in this test case, it won't be important at all).
Back to top
View user's profile Send private message
jdeleglise
PostPosted: Wed Aug 22, 2018 4:06 am Post subject: Reply with quote

Newbie

Joined: 17 Aug 2018
Posts: 7

I just checked a bit about the MQ releases and tried to use a non-admin user in the CHLAUTH rules, but I didn't help.

@PeterPotkay : for the fix you mentioned, I guess it is : https://www-01.ibm.com/support/docview.wss?uid=swg1IT25591 ?

I will try my cases with this version to start clean.
Back to top
View user's profile Send private message
Vitor
PostPosted: Wed Aug 22, 2018 4:39 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25318
Location: Ohio, USA

jdeleglise wrote:
@Vitor : Indeed, this is exactly my situation.


To paraphrase a cartoon robot:

You're boned.

I'm not aware of any methodology that allows you to specify that you're authenticating users against LDAP with a user id/password combination but if someone fails authentication because they supplied blank credentials they're allowed to use a default id if they came in on the right connection.

If you just read it out, it does sound like a security hole. I can visualize your situation and understand that it's legitimate, but explaining this to your security people may cause a variety of interesting facial expressions.

This is a job for Roger.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
jdeleglise
PostPosted: Wed Aug 22, 2018 5:07 am Post subject: Reply with quote

Newbie

Joined: 17 Aug 2018
Posts: 7

Thanks for the answer, even if it is not really what I wanted to ear.

I totally understand the "security hole" it is, but the current situation is the following : there is no security at all except the IP filtering rules defined on our OS (note : this MQ is only use internally, it is impossible to access it from the outside)

The goal of our current project is to fully configure the security, and LDAP is our preferred way to do it, but I already know some applications won't be able to provide credentials at the beginning. On the long term, they will probably do it, so I could already put in place the whole security configuration for LDAP but instead of REQUIRED, I could set it to OPTIONAL and switch once all the applications provide credentials. But I would have preferred to authenticate users based on their certificates or IP in the meantime instead of leaving it open to anyone with the OPTIONAL param. In order to maintain a certain security level, it means I will have to keep the existing IP Table rules, and this was one of the thing I wanted to get rid off.

Since there is obviously some experts here, do you have any alternatives to what I just described, or someone that already had to handle a similar case?
Back to top
View user's profile Send private message
exerk
PostPosted: Wed Aug 22, 2018 5:16 am Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 5958

Would the mqccred exit be of use to you?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Back to top
View user's profile Send private message
jdeleglise
PostPosted: Wed Aug 22, 2018 9:35 pm Post subject: Reply with quote

Newbie

Joined: 17 Aug 2018
Posts: 7

Hello exerk,

It might indeed be a potential solution, thanks for the tip.
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexGeneral IBM MQ SupportLDAP Auth failed with MCA User (AMQ9557)
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.