ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » IBM MQ Security » Question on chlauth usermap

Post new topic  Reply to topic
 Question on chlauth usermap « View previous topic :: View next topic » 
Author Message
crashdog
PostPosted: Thu May 14, 2020 1:52 am    Post subject: Question on chlauth usermap Reply with quote

Voyager

Joined: 02 Apr 2017
Posts: 77

In the organization that I'm currently working for, there is a rather strange setup that I can't quite figure out how that it's supposed to work. Given is following:
Server side :MQ 9.1.0.0 LTS on RHEL 7.6
Client side : MQexplorer 9.1.0.0 (from MQ 9.1.0.0 installation)

in qm.ini:
Code:
Service:
   Name=AuthorizationService
   EntryPoints=14
ServiceComponent:
   Service=AuthorizationService
   Name=MQSeries.UNIX.auth.service
   Module=amqzfu
   ComponentDataSize=0
Channels:
   ChlauthEarlyAdopt=Y
   MaxChannels=10000
   MQIBINDTYPE=FASTPATH

authinfo is set to:
Code:
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
   AUTHTYPE(IDPWOS)                        ADOPTCTX(YES)
   DESCR( )                                CHCKCLNT(OPTIONAL)
   CHCKLOCL(OPTIONAL)                      FAILDLAY(1)
   AUTHENMD(OS)

the channel(s) are setup like:
Code:
   CHANNEL(ORG.APP.APPNAME)             CHLTYPE(SVRCONN)
   ALTDATE(2018-12-03)                     ALTTIME(14.59.00)
   CERTLABL( )                             COMPHDR(NONE)
   COMPMSG(NONE)                           DESCR( )
   DISCINT(0)                              HBINT(300)
   KAINT(AUTO)                             MAXINST(999999999)
   MAXINSTC(999999999)                     MAXMSGL(25165824)
   MCAUSER( )                              MONCHL(QMGR)
   RCVDATA( )                              RCVEXIT( )
   SCYDATA( )                              SCYEXIT( )
   SENDDATA( )                             SENDEXIT( )
   SHARECNV(10)                            SSLCAUTH(REQUIRED)
   SSLCIPH( )                              SSLPEER( )
   TRPTYPE(TCP)

and the only chlauth:
Code:
   CHLAUTH(ORG.APP.APPNAME)             TYPE(USERMAP)
   DESCR(Allow user as mqm on local subnet)
   CUSTOM( )                               ADDRESS(*)
   CLNTUSER(appsuserid)                  MCAUSER(mqm)
   USERSRC(MAP)                            CHCKCLNT(ASQMGR)
   ALTDATE(2018-11-06)                     ALTTIME(09.25.50)


There is no "appsuserid" in /etc/passwd. But when I connect with that user on that channel the connection works.
if I setup a new channel and chlauth with exactly the same attributes and values and try to connect with the same user id get in compatbility mode:
AMQ9557E: Queue Manager User ID initialization failed for 'appuserid'
and using MQCSP:
Code:

AMQ5534E: User ID 'appuserid' authentication failed

...

AMQ5542I: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(OPTIONAL) configuration.

EXPLANATION:
The user ID 'appuserid' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with
CHCKCLNT(OPTIONAL).


My questions are, how does MQ authenticate when the users are not locally installed (and obviously no ldap configured) ? is it only "blindly" mapping usernames to MCAUSER if the provided username matches CLNTUSER ?

What could I be missing when trying to recreate the setup with a new channel / chlauth pair ?

Kind Regards,
Gerhard
[/code]
_________________
You win again gravity !
Back to top
View user's profile Send private message
RogerLacroix
PostPosted: Thu May 14, 2020 11:25 am    Post subject: Re: Question on chlauth usermap Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3252
Location: London, ON Canada

You didn't show us CONNAUTH.
Code:
dis qmgr CONNAUTH


crashdog wrote:
is it only "blindly" mapping usernames to MCAUSER if the provided username matches CLNTUSER ?

Yes, if the QMgr's CONNAUTH is blank.

And you shouldn't have 'mqm' UserId set in the channel's MCAUSER attribute for anyone to use.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
crashdog
PostPosted: Thu May 14, 2020 11:29 pm    Post subject: Reply with quote

Voyager

Joined: 02 Apr 2017
Posts: 77

thank you for the input Roger,
The qmgrs CONNAUTH is set to SYSTEM.DEFAULT.AUTHINFO.IDPWOS. Which again is setup as mentioned above.
Quote:
Yes, if the QMgr's CONNAUTH is blank.

So since CONNAUTH is not empty it means that MQ is trying to lookup the users in /etc/passwd ? None of the users in CLNTUSER is locally defined, but it appears that they are mapped to 'mqm' anyway.

yes of course no user should be mapped to mqm, that's the target of the clean up. But I have to try to understand what the current installation is. Unfortunately I can't just dump the qmgr and re-install every thing. Even if it would be the best solution.

Cheers,
Gerhard
_________________
You win again gravity !
Back to top
View user's profile Send private message
RogerLacroix
PostPosted: Fri May 15, 2020 12:22 pm    Post subject: Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3252
Location: London, ON Canada

crashdog wrote:
The qmgrs CONNAUTH is set to SYSTEM.DEFAULT.AUTHINFO.IDPWOS. Which again is setup as mentioned above.

Just because you have "AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)" defined does not mean you are using it (bad assumption). You can have it defined and CONNAUTH be blank.

Here's one of my queue managers:
Code:
dis qmgr connauth
     6 : dis qmgr connauth
AMQ8408I: Display Queue Manager details.
   QMNAME(MQWT1)                           CONNAUTH( )
dis AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
     7 : dis AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AMQ8566I: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
   AUTHTYPE(IDPWOS)                        ADOPTCTX(YES)
   DESCR( )                                CHCKCLNT(REQDADM)
   CHCKLOCL(OPTIONAL)                      FAILDLAY(1)
   AUTHENMD(OS)                            ALTDATE(2019-11-09)
   ALTTIME(12.59.40)


You have "CHCKCLNT(OPTIONAL)" which means that if the application sends a UserId and Password then the queue manager will check it otherwise it is skipped. You can read the MQ Knowledge Center here or review Morag's presentation here regarding CHCKCLNT of OPTIONAL.

crashdog wrote:
None of the users in CLNTUSER is locally defined, but it appears that they are mapped to 'mqm' anyway.

Someone was being lazy and didn't care about security.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
hughson
PostPosted: Sun May 17, 2020 6:30 pm    Post subject: Re: Question on chlauth usermap Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

crashdog wrote:
and the only chlauth:
Code:
   CHLAUTH(ORG.APP.APPNAME)             TYPE(USERMAP)
   DESCR(Allow user as mqm on local subnet)
   CUSTOM( )                               ADDRESS(*)
   CLNTUSER(appsuserid)                  MCAUSER(mqm)
   USERSRC(MAP)                            CHCKCLNT(ASQMGR)
   ALTDATE(2018-11-06)                     ALTTIME(09.25.50)

This being the only CHLAUTH rule means it is indeed blindly mapping all connections to that channel that come from CLNTUSER(appsuserid) to mqm. The description says the rule is to allow all to be mqm from the local subnet, but that is a lie, since the rule allows in ALL IP addresses.

crashdog wrote:
There is no "appsuserid" in /etc/passwd.

User ids used only in CLNTUSER fields of CHLAUTH do not need to exist on the queue manager machine. They are only used for string comparison.

crashdog wrote:
But when I connect with that user on that channel the connection works.

Indeed - blindly mapping.

crashdog wrote:
if I setup a new channel and chlauth with exactly the same attributes and values and try to connect with the same user id get in compatbility mode:
AMQ9557E: Queue Manager User ID initialization failed for 'appuserid'
and using MQCSP:
Code:

AMQ5534E: User ID 'appuserid' authentication failed

...

AMQ5542I: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(OPTIONAL) configuration.

EXPLANATION:
The user ID 'appuserid' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with
CHCKCLNT(OPTIONAL).

This is failing because you are using MQ Explorer compatibility mode. You are using this to set your client side user id. It is causing the queue manager to check the user ID and password. If instead your CHLAUTH rule used your naturally obtained client side user ID, and didn't fake it with MQ Explorer and compatibility mode, there would be no overlap with the user ID and password checking.

crashdog wrote:
My questions are, how does MQ authenticate when the users are not locally installed (and obviously no ldap configured) ?

It can't - as you saw.

crashdog wrote:
is it only "blindly" mapping usernames to MCAUSER if the provided username matches CLNTUSER ?

With the setup your have shown us, yes it is blindly mapping.

crashdog wrote:
What could I be missing when trying to recreate the setup with a new channel / chlauth pair ?

You are trying to fakeup your client side user it to be appuserid. Instead make a CHLAUTH rule mapping your own client side user id.

Or better still add some authentication to the system. Mandate a logon to the machine be sent upon connection - i.e. one that exists on the queue manager machine, or look to providing digital certificates for anyone who is to have mqm authority remotely.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » IBM MQ Security » Question on chlauth usermap
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.