jdeleglise
Posted: Fri Aug 17, 2018 3:58 am Post subject: LDAP Auth failed with MCA User (AMQ9557)
Newbie
Joined: 17 Aug 2018 Posts: 7
Hello,
I am currently implementing security for a client, and we decided to use LDAP. The security itself is not an issue: I've managed to connect to the LDAP and to configure an admin user, svc_dev_esb.
Now, in order to have a plan for applications which could not provide a user/password, I discussed a potential solution with an MQ trainer (during the learnquest IBM Cluster training). He proposed to use the CHLAUTH MAP in order to define a default user for a specific channel, so I did the following:
Code:
SET CHLAUTH(NO.LDAP.USER.TEST) TYPE(ADDRESSMAP) ACTION(REPLACE) ADDRESS(<MyIpAddress>) MCAUSER('svc_dev_esb')
This user has the +all right for everything. Of course it is just a test; I won't put an admin user there in the future.
When I try to connect (via MQ Explorer) to this QM via this channel, I get the following error:
Code:
Access not permitted. You are not authorized to perform this operation. (AMQ4036)
Severity: 10 (Warning)
Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access the object.
And in my log file, I have the following:
Code:
08/17/2018 01:29:19 PM - Process(6179.42) User(integra) Program(amqzlaa0)
Host(*********) Installation(Installation1)
VRMF(8.0.0.7) QMgr(LDAP_AUTH_POC_SWIFT)
AMQ5540: Application 'MQ Explorer 8.0.0' did not supply a user ID and password
EXPLANATION:
The queue manager is configured to require a user ID and password, but none was
supplied.
ACTION:
Ensure that the application provides a valid user ID and password, or change
the queue manager configuration to OPTIONAL to allow applications to connect
which have not supplied a user ID and password.
----- amqzfuca.c : 4716 -------------------------------------------------------
08/17/2018 01:29:20 PM - Process(8229.7) User(integra) Program(amqrmppa)
Host(*********) Installation(Installation1)
VRMF(8.0.0.7) QMgr(LDAP_AUTH_POC_SWIFT)
AMQ9557: Queue Manager User ID initialization failed for 'svc_dev_esb'.
EXPLANATION:
The call to initialize the User ID 'svc_dev_esb' failed with CompCode 2 and
Reason 2035. If an MQCSP block was used, the User ID in the MQCSP block was ''.
ACTION:
Correct the error and try again.
It seems it correctly mapped the user, but it considers the user as unauthorized, which should not be an issue at all. After investigation, if I fill the authentication fields in MQ Explorer with the exact same user, it works.
The trainer advised me to come and ask this question here in case of trouble, so if you have any idea about this issue, I would be glad to try your solutions.
Thanks in advance,
bruce2359
Posted: Fri Aug 17, 2018 5:19 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9470 Location: US: west coast, almost. Otherwise, enroute.
Other than posting here, what have you tried?
For example, did you run the DISPLAY CHLAUTH() MATCH(RUNCHECK) command? What were the results? _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
jdeleglise
Posted: Fri Aug 17, 2018 7:11 am Post subject:
Newbie
Joined: 17 Aug 2018 Posts: 7
I tried to look up this specific case in the MQ documentation, but unfortunately I couldn't find much about the MCA user for LDAP configuration, and especially how to bypass a missing user via CHLAUTH and MAP rules.
I read multiple articles today about MQ security (mostly the ones from T-Rob and Morag Hughson), but I couldn't find anything related.
I did many of the checks I found in the documentation (e.g. checking that CHLAUTH is enabled), but so far I hadn't tried a RUNCHECK. Doing so, I got the following:
Code:
DISPLAY CHLAUTH(NO.LDAP.USER.TEST) MATCH(RUNCHECK) ALL ADDRESS(<myIp>) CLNTUSER('deleglis')
AMQ8878: Display channel authentication record details.
CHLAUTH(NO.LDAP.USER.TEST) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(<myIp>) MCAUSER(svc_dev_esb)
USERSRC(MAP) CHCKCLNT(ASQMGR)
ALTDATE(2018-08-17) ALTTIME(13.29.03)
I'm mostly asking my question here because even the trainer was not sure if it would be possible, and apparently my first tests are not going well.
So in general my question here could be summarized this way:
Is it possible to set up a security configuration with mandatory users and passwords*, BUT with an exception for a specific application** that is assigned a specific user?
If yes, do you have any leads, documentation, samples or anything to help me?
*CHCKCLNT(REQUIRED), with AUTHTYPE(IDPWLDAP)
**(user ID, SSL peer, IP address, I don't have any preference)
jdeleglise
Posted: Tue Aug 21, 2018 5:39 am Post subject:
Newbie
Joined: 17 Aug 2018 Posts: 7
Hello,
I kept digging into this topic, and I focused on one part of the error message:
Code:
If an MQCSP block was used, the User ID in the MQCSP block was ''.
After some research, it looks like the CHLAUTH rules cannot be useful for my case, since the QM will check the content of the MQCSP block in any case.
A potential solution described in the IBM documentation is Identity Mapping in the Message Exit (https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.sec.doc/q013330_.htm)
I would like any opinion about this potential solution. The trainer explained that the Message Exit was an "old" functionality, and that we would probably never see or need any. Is it a good idea to go further in that direction, or do you see any other solution for this case?
Vitor
Posted: Tue Aug 21, 2018 7:16 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
jdeleglise wrote:
I would like any opinion about this potential solution. The trainer explained that Message Exit was an "old" functionality, and that we would probably never see or need any. Is it a good idea to go further in that direction, or do you see any other solution for this case ?
I'm kinda with your trainer on this one. Through my long and inglorious MQ career, I've always held the view that if the answer is an exit you're asking the wrong question. You'll find ample discussion in this forum on the perils of exits, for the simple reason they're perilous.
So to be clear, you are authenticating users against your LDAP system, but if the user can't be authenticated (because the application can't supply credentials) AND they're using a specific application which you know is one of the ones that can't supply credentials, you want to apply a given default user? _________________ Honesty is the best policy.
Insanity is the best defence.
exerk
Posted: Tue Aug 21, 2018 7:44 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
I expect Roger along any minute now... _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Vitor
Posted: Tue Aug 21, 2018 7:58 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
exerk wrote:
I expect Roger along any minute now...
Surprised not to have heard from him already _________________ Honesty is the best policy.
Insanity is the best defence.
PeterPotkay
Posted: Tue Aug 21, 2018 9:55 am Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
jdeleglise
Posted: Tue Aug 21, 2018 10:11 pm Post subject:
Newbie
Joined: 17 Aug 2018 Posts: 7
Thanks for the answers, everyone.
@Vitor: Indeed, this is exactly my situation.
I will try with a more recent version, but we already have a custom fix for our 8.0.0.7 MQ, mandatory for our system (but in this test case, it won't be important at all).
jdeleglise
Posted: Wed Aug 22, 2018 4:06 am Post subject:
Newbie
Joined: 17 Aug 2018 Posts: 7
I just checked a bit about the MQ releases and tried to use a non-admin user in the CHLAUTH rules, but it didn't help.
@PeterPotkay: for the fix you mentioned, I guess it is https://www-01.ibm.com/support/docview.wss?uid=swg1IT25591 ?
I will try my cases with this version to start clean.
Vitor
Posted: Wed Aug 22, 2018 4:39 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
jdeleglise wrote:
@Vitor : Indeed, this is exactly my situation.
To paraphrase a cartoon robot:
You're boned.
I'm not aware of any methodology that allows you to specify that you're authenticating users against LDAP with a user id/password combination but if someone fails authentication because they supplied blank credentials they're allowed to use a default id if they came in on the right connection.
If you just read it out, it does sound like a security hole. I can visualize your situation and understand that it's legitimate, but explaining this to your security people may cause a variety of interesting facial expressions.
This is a job for Roger. _________________ Honesty is the best policy.
Insanity is the best defence.
jdeleglise
Posted: Wed Aug 22, 2018 5:07 am Post subject:
Newbie
Joined: 17 Aug 2018 Posts: 7
Thanks for the answer, even if it is not really what I wanted to hear.
I totally understand the "security hole" it is, but the current situation is the following: there is no security at all except the IP filtering rules defined on our OS (note: this MQ is only used internally; it is impossible to access it from the outside).
The goal of our current project is to fully configure the security, and LDAP is our preferred way to do it, but I already know some applications won't be able to provide credentials at the beginning. In the long term, they will probably do it, so I could already put in place the whole security configuration for LDAP but, instead of REQUIRED, set it to OPTIONAL and switch once all the applications provide credentials. But I would have preferred to authenticate users based on their certificates or IP in the meantime instead of leaving it open to anyone with the OPTIONAL parameter. In order to maintain a certain security level, it means I will have to keep the existing iptables rules, and this was one of the things I wanted to get rid of.
Since there are obviously some experts here, do you have any alternatives to what I just described, or has someone already had to handle a similar case?
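Editor's added example, not part of the thread and not from any of the posters: an MQSC layout for the interim plan described in the post above (queue manager at OPTIONAL, everything else forced to present LDAP credentials, one legacy application identified by TLS peer name and address). It also addresses the MQCSP observation from the Aug 21 post: a CHLAUTH record's CHCKCLNT can only be ASQMGR, REQUIRED or REQDADM, so a rule can tighten the queue manager's CONNAUTH setting but never relax it; with CHCKCLNT(REQUIRED) on the queue manager the original ADDRESSMAP rule had no chance, because the blank MQCSP user ID is rejected before the mapped MCAUSER matters. Turning the logic around, OPTIONAL on the queue manager plus CHCKCLNT(REQUIRED) on the ordinary channel gives the same mandatory-credentials behaviour there, while the exception channel relies on mutual TLS and the address filter instead. All names, DNs, addresses, the cipher and the bind password are constructed placeholders.

```mqsc
* Added example, not from the thread. Placeholders throughout.

* 1. LDAP authentication, OPTIONAL at queue-manager level. CHLAUTH rules can
*    only tighten this (their CHCKCLNT is ASQMGR, REQUIRED or REQDADM), so the
*    queue manager itself must not say REQUIRED for the exception to work.
DEFINE AUTHINFO('LDAP.IDPW') AUTHTYPE(IDPWLDAP) +
       CONNAME('ldap.example.internal(389)') +
       LDAPUSER('cn=mq-bind,ou=svc,dc=example,dc=internal') +
       LDAPPWD('<bind-password-placeholder>') +
       BASEDNU('ou=people,dc=example,dc=internal') +
       CLASSUSR('inetOrgPerson') SHORTUSR('uid') +
       CHCKCLNT(OPTIONAL) CHCKLOCL(OPTIONAL) +
       ADOPTCTX(YES) FAILDLAY(1) REPLACE
ALTER QMGR CONNAUTH('LDAP.IDPW')
REFRESH SECURITY TYPE(CONNAUTH)

* 2. Back-stop: no channel accepts a connection unless a more specific rule
*    below allows it.
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Back-stop rule') ACTION(REPLACE)

* 3. The ordinary application channel: a user ID and password are REQUIRED
*    here even though the queue manager says OPTIONAL. A connection with an
*    empty MQCSP user ID is rejected on this channel.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) +
    CHCKCLNT(REQUIRED) DESCR('LDAP user/password mandatory') ACTION(REPLACE)

* 4. The exception channel: mutual TLS, and only the expected certificate DN
*    from the expected subnet is mapped to a fixed, non-admin identity. No
*    password check is forced (ASQMGR = follow the OPTIONAL queue-manager
*    setting), so the certificate check and the address filter carry the
*    security on this channel; give 'app_legacy' only the setmqaut authorities
*    that application needs.
DEFINE CHANNEL('LEGACY.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH('TLS_RSA_WITH_AES_256_CBC_SHA256') SSLCAUTH(REQUIRED) +
       MCAUSER('nobody') REPLACE
SET CHLAUTH('LEGACY.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=legacy-app,OU=ESB,O=Example') ADDRESS('10.0.0.*') +
    USERSRC(MAP) MCAUSER('app_legacy') CHCKCLNT(ASQMGR) +
    DESCR('Legacy app cannot send credentials') ACTION(REPLACE)
* Any other DN or any other subnet on that channel falls through to the
* back-stop rule and is refused.

* 5. Verify both cases with RUNCHECK before trusting the configuration,
*    as bruce2359 suggested earlier in the thread.
DISPLAY QMGR CONNAUTH
DISPLAY AUTHINFO('LDAP.IDPW') CHCKCLNT CHCKLOCL ADOPTCTX
DISPLAY CHLAUTH('LEGACY.SVRCONN') MATCH(RUNCHECK) ADDRESS('10.0.0.25') +
        SSLPEER('CN=legacy-app,OU=ESB,O=Example') ALL
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('10.0.0.25') ALL
```

Expected RUNCHECK results: the LEGACY.SVRCONN query should resolve to the SSLPEERMAP record with USERSRC(MAP) MCAUSER(app_legacy) CHCKCLNT(ASQMGR), and the APP.SVRCONN query to the ADDRESSMAP record with CHCKCLNT(REQUIRED); a query with a different SSLPEER value on LEGACY.SVRCONN should resolve to the back-stop record with USERSRC(NOACCESS). The trade-off is the one Vitor names: the exception channel is authenticated by certificate and address, not by a password, so the mapped user's authority records and the channel's SSLCAUTH(REQUIRED) setting are what bound the exposure.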
exerk
Posted: Wed Aug 22, 2018 5:16 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Would the mqccred exit be of use to you? _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
jdeleglise
Posted: Wed Aug 22, 2018 9:35 pm Post subject:
Newbie
Joined: 17 Aug 2018 Posts: 7
Hello exerk,
It might indeed be a potential solution, thanks for the tip.