Chlauth qmgrmap vs addressmap
MQMB&WAS
Posted: Tue Apr 21, 2020 10:34 am    Post subject: Chlauth qmgrmap vs addressmap

Centurion

Joined: 12 Jun 2016
Posts: 130

Hello experts

Could someone please explain what’s the difference between qmgrmap and addressmap in chlauth types?

I looked online but the info is very confusing.

To allow a sender channel coming from a qmgr with a certain IP, what type of chlauth should we use? Qmgrmap or addressmap? And what’s the difference?
fjb_saper
Posted: Wed Apr 22, 2020 9:03 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

The address map will not check the qmgr name.
The qmgr map may also check the originating ip.

And don't forget you'll also need a backstop rule.

Hope this helps
_________________
MQ & Broker admin
MQMB&WAS
Posted: Wed Apr 22, 2020 9:30 pm

Centurion

Joined: 12 Jun 2016
Posts: 130

fjb_saper wrote:
The address map will not check the qmgr name.
The qmgr map may also check the originating ip.

And don't forget you'll also need a backstop rule.

Hope this helps



To an already running channel with chlauth rule, if the sender qmgr's IP changes, will the below rule work?

SET CHLAUTH(SDR.RCVR.CHL) TYPE(QMGRMAP) ADDRESS(NEW.IP.ADDR) QMNAME(SDR.QMNAME) MCAUSER('sender_userid') USERSRC(MAP) ACTION(ADD)

and since the chl is already running with the current IP of the sender qmgr, with chlauth enabled, I guess the backstop rule already exists and all I need to do is add the above rule to allow the new IP?

Thanks for your time.
fjb_saper
Posted: Thu Apr 23, 2020 10:25 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

MQMB&WAS wrote:

To an already running channel with chlauth rule, if the sender qmgr's IP changes, will the below rule work?

SET CHLAUTH(SDR.RCVR.CHL) TYPE(QMGRMAP) ADDRESS(NEW.IP.ADDR) QMNAME(SDR.QMNAME) MCAUSER('sender_userid') USERSRC(MAP) ACTION(ADD)

That should work for when the channel restarts with the new sender ip.

MQMB&WAS wrote:

and since the chl is already running with the current IP of the sender qmgr, with chlauth enabled, I guess the backstop rule already exists and all I need to do is add the above rule to allow the new IP?

You can't really make that conclusion. If the backstop rule is missing you can create the permission granting rule, but you don't really need it as nothing is going to block a connection from happening.
_________________
MQ & Broker admin
MQMB&WAS
Posted: Wed May 13, 2020 4:45 am

Centurion

Joined: 12 Jun 2016
Posts: 130

fjb_saper wrote:

You can't really make that conclusion. If the backstop rule is missing you can create the permission granting rule, but you don't really need it as nothing is going to block a connection from happening.


Got you.

Another query.

When a chl has chlauth rules with both sslpeermap and qmgrmap/addressmap, which one takes precedence and which one is ignored?

Appreciate your time.
fjb_saper
Posted: Wed May 13, 2020 5:12 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

MQMB&WAS wrote:
fjb_saper wrote:

You can't really make that conclusion. If the backstop rule is missing you can create the permission granting rule, but you don't really need it as nothing is going to block a connection from happening.


Got you.

Another query.

When a chl has chlauth rules with both sslpeermap and qmgrmap/addressmap, which one takes precedence and which one is ignored?

Appreciate your time.

I would expect that to be
  1. sslpeermap
  2. qmgrmap
  3. addressmap

But I am sure you can find the exact order of precedence in the infocenter
_________________
MQ & Broker admin
hughson
Posted: Wed May 13, 2020 9:06 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

fjb_saper wrote:
But I am sure you can find the exact order of precedence in the infocenter

Indeed. In Channel authentication records > Interaction between channel authentication records:-
IBM Knowledge Center wrote:
The channel authentication record used is selected as follows:
  • A channel authentication record explicitly matching the channel name takes priority over a channel authentication record matching the channel name by using a wildcard.
  • A channel authentication record using an SSL or TLS DN takes priority over a record using a user ID, queue manager name, or IP address.
  • A channel authentication record using a user ID or queue manager name takes priority over a record using an IP address.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
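
Added example, not part of any post in this thread: rather than reasoning about precedence by hand, the queue manager can be asked which channel authentication record it would select for a given inbound connection, using DISPLAY CHLAUTH with MATCH(RUNCHECK). The channel, queue manager and user names are the ones used in the thread; the two IP addresses are constructed placeholders from the documentation ranges.

```mqsc
* Added example. 192.0.2.10 and 198.51.100.7 are constructed placeholder
* addresses; substitute the partner's real address.

* Back-stop rule: a connection that no more specific record maps to a
* user gets no access.
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Back-stop rule') ACTION(ADD)

* Map the named sender queue manager to an MCAUSER, restricted to one
* originating address (the QMGRMAP form discussed in the thread).
SET CHLAUTH('SDR.RCVR.CHL') TYPE(QMGRMAP) QMNAME('SDR.QMNAME') +
    ADDRESS('192.0.2.10') USERSRC(MAP) MCAUSER('sender_userid') +
    ACTION(ADD)

* List every record defined for the channel profile.
DISPLAY CHLAUTH('SDR.RCVR.CHL') ALL

* Run-time check for the permitted partner: reports the record the
* queue manager would select for this queue manager name and address.
DISPLAY CHLAUTH('SDR.RCVR.CHL') MATCH(RUNCHECK) +
    QMNAME('SDR.QMNAME') ADDRESS('192.0.2.10')

* Run-time check for the same queue manager name arriving from a
* different address, to confirm which record applies in that case.
DISPLAY CHLAUTH('SDR.RCVR.CHL') MATCH(RUNCHECK) +
    QMNAME('SDR.QMNAME') ADDRESS('198.51.100.7')
```

MATCH(RUNCHECK) needs a non-generic channel name, an ADDRESS, and either QMNAME or CLNTUSER; add SSLPEER to the check when SSLPEERMAP records are also defined for the channel.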