Restricting IPs to connect to SVRCONN channel - MQ appliance |
vicks_mq |
Posted: Tue Oct 30, 2018 11:29 am Post subject: Restricting IPs to connect to SVRCONN channel - MQ appliance |
|
|
Disciple
Joined: 03 Oct 2017 Posts: 162
|
We are going to use MQ Appliance V9.1 and are wondering if there is a way we can limit the client IP addresses from which to receive the CLIENT CONNECTIONS.
Can we also segregate based on the application name/client connection channel?
Suppose for Client Conn#1, we want to allow only IP#1, IP#2, IP#3
whereas for Client CONN#2, we want to allow only IP#4, IP#5 and
for Client CONN#3, we want to allow IP#7, IP#8 and so on ....
exerk |
Posted: Tue Oct 30, 2018 12:30 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
CHLAUTH is your friend...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
vicks_mq |
Posted: Tue Oct 30, 2018 12:44 pm Post subject: |
|
|
Disciple
Joined: 03 Oct 2017 Posts: 162
|
RogerLacroix |
Posted: Tue Oct 30, 2018 1:06 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
exerk |
Posted: Tue Oct 30, 2018 1:38 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
As Roger has pointed out, it exists, in the VERSION of the appliance you are using, and also in the version you are not...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
hughson |
Posted: Tue Oct 30, 2018 6:17 pm Post subject: Re: Restricting IPs to connect to SVRCONN channel - MQ appli |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
vicks_mq wrote: |
We are going to use MQ Appliance V9.1 and are wondering if there is a way we can limit the client IP addresses from which to receive the CLIENT CONNECTIONS.
Can we also segregate based on the application name/client connection channel?
Suppose for Client Conn#1, we want to allow only IP#1, IP#2, IP#3
whereas for Client CONN#2, we want to allow only IP#4, IP#5 and
for Client CONN#3, we want to allow IP#7, IP#8 and so on ....

Add a backstop rule - read https://www.ibm.com/developerworks/community/blogs/aimsupport/entry/websphere_mq_chlauth_the_back_stop_rule
Then a selection of rules that over-ride the backstop rule, like these
Code:
SET CHLAUTH(client-conn-channel-name) TYPE(ADDRESSMAP) ADDRESS(ip-address#1) USERSRC(MAP) MCAUSER(user-id)
Decide what these connections are to be allowed to work with, which queues etc, and set up user ids with authorisation to only work with those resources, then map the connections (as shown above) to those user ids.
Once you're done with all of that, think about how spoofable IP addresses are in your environment, and whether you should move to TLS and digital certificates.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
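
The back-stop-plus-override layout described in the answer above, written out for the three channels in the question. This is an added example, not part of any post in the thread; the channel names, the addresses (taken from the 192.0.2.0/24 documentation range) and the user ids are constructed placeholders, and the user ids are assumed to exist already.

```mqsc
* Added example: channel names, addresses and user ids are placeholders.
* Run the commands in runmqsc against the queue manager.

* CHLAUTH records are only evaluated when the queue manager has them enabled.
ALTER QMGR CHLAUTH(ENABLED)

* Back-stop rule: any channel, any address, no access unless a more
* specific rule below matches.
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Back-stop rule') ACTION(REPLACE)

* Conn#1: three allowed addresses, all mapped to one low-privilege user id.
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.11') +
    USERSRC(MAP) MCAUSER('app1usr') ACTION(REPLACE)
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.12') +
    USERSRC(MAP) MCAUSER('app1usr') ACTION(REPLACE)
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.13') +
    USERSRC(MAP) MCAUSER('app1usr') ACTION(REPLACE)

* Conn#2: two allowed addresses, mapped to a different user id.
SET CHLAUTH('APP2.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.21') +
    USERSRC(MAP) MCAUSER('app2usr') ACTION(REPLACE)
SET CHLAUTH('APP2.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.22') +
    USERSRC(MAP) MCAUSER('app2usr') ACTION(REPLACE)

* Conn#3: same pattern again.
SET CHLAUTH('APP3.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.31') +
    USERSRC(MAP) MCAUSER('app3usr') ACTION(REPLACE)
SET CHLAUTH('APP3.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.32') +
    USERSRC(MAP) MCAUSER('app3usr') ACTION(REPLACE)

* Authorise each mapped user id only for its own resources
* (shown for app1usr; the queue profile APP1.** is a placeholder).
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('app1usr') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('APP1.**') OBJTYPE(QUEUE) PRINCIPAL('app1usr') +
    AUTHADD(PUT,GET,BROWSE,INQ)

* Ask the queue manager which record a given inbound connection would match:
* first an address allowed on APP1.SVRCONN, then one that is only allowed
* on APP2.SVRCONN.
DISPLAY CHLAUTH('APP1.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.11') CLNTUSER('anyuser')
DISPLAY CHLAUTH('APP1.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.21') CLNTUSER('anyuser')
```

The first RUNCHECK should report the APP1.SVRCONN mapping rule and the second the back-stop rule. Address mapping alone still trusts the source IP, which is the reason the answer points towards TLS and certificates as the next step.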