ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral IBM MQ SupportEffect of Connauth on MQ Cluster/Distributed setup

Post new topicReply to topic
Effect of Connauth on MQ Cluster/Distributed setup View previous topic :: View next topic
Author Message
dextermbmq
PostPosted: Wed Jun 03, 2020 11:35 pm Post subject: Effect of Connauth on MQ Cluster/Distributed setup Reply with quote

Acolyte

Joined: 26 Jul 2014
Posts: 73

Hello,

This post is verify the understanding around the connauth concepts. Currently the connauth is disabled on queue managers in our MQ estate.
If we enable the connauth with below authinfo object

AUTHTYPE(IDPWOS) ADOPTCTX(YES)
DESCR( ) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL) FAILDLAY(1)
AUTHENMD(OS)

This will only impact the connections made by the application on client mode (via SVRCONN type channel) and MQ - MQ communication like clustered communication with other queue managers and distributed communication with other queue managers would remain as is (No Impact). Please help me in validating this understanding

Second one is around CHLAUTH

Once CHLAUTH is enabled the default rule listed below should effect the existing Clustered and distributed communication since a running clusrcvr channel shows MCAUSER as "mqm" however post enabling the CHLAUTh i could see that none of the clustered and Distributed channels were affected and they kept in running state

AMQ8878I: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN)
Back to top
View user's profile Send private message
exerk
PostPosted: Thu Jun 04, 2020 12:26 am Post subject: Re: Effect of Connauth on MQ Cluster/Distributed setup Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6204

dextermbmq wrote:
Hello,

This post is verify the understanding around the connauth concepts. Currently the connauth is disabled on queue managers in our MQ estate.
If we enable the connauth with below authinfo object

AUTHTYPE(IDPWOS) ADOPTCTX(YES)
DESCR( ) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL) FAILDLAY(1)
AUTHENMD(OS)

This will only impact the connections made by the application on client mode (via SVRCONN type channel) and MQ - MQ communication like clustered communication with other queue managers and distributed communication with other queue managers would remain as is (No Impact). Please help me in validating this understanding...

What testing have you done to self-validate?

dextermbmq wrote:
...Second one is around CHLAUTH

Once CHLAUTH is enabled the default rule listed below should effect the existing Clustered and distributed communication since a running clusrcvr channel shows MCAUSER as "mqm" however post enabling the CHLAUTh i could see that none of the clustered and Distributed channels were affected and they kept in running state

AMQ8878I: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN)

What happens when you stop those channels and try restarting them?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Back to top
View user's profile Send private message
dextermbmq
PostPosted: Thu Jun 04, 2020 2:22 am Post subject: Reply with quote

Acolyte

Joined: 26 Jul 2014
Posts: 73

What testing have you done to self-validate?

Tried restarting the SDR / RCVR pair and CLUSSDR/CLUSRCVR pair post enabling the connauth and refreshing the security (even restarted the qmgr - although wasn't needed). Everything worked fine without any issues.

For application testing , created a new OS user(and associated password), used amqsputc by exporting env variable MQSAMP_USER_ID for the OS user and tried connecting to the MQ using the OS level user and password -->working with correct password / failing with incorrect password (expected)

As I said , this was to validate my understanding



What happens when you stop those channels and try restarting them?
The channels come up fine without any issues.
Back to top
View user's profile Send private message
hughson
PostPosted: Thu Jun 04, 2020 6:57 pm Post subject: Re: Effect of Connauth on MQ Cluster/Distributed setup Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1506
Location: Bay of Plenty, New Zealand

dextermbmq wrote:
Hello,

This post is verify the understanding around the connauth concepts. Currently the connauth is disabled on queue managers in our MQ estate.
If we enable the connauth with below authinfo object

AUTHTYPE(IDPWOS) ADOPTCTX(YES)
DESCR( ) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL) FAILDLAY(1)
AUTHENMD(OS)

This will only impact the connections made by the application on client mode (via SVRCONN type channel) and MQ - MQ communication like clustered communication with other queue managers and distributed communication with other queue managers would remain as is (No Impact). Please help me in validating this understanding


To be absolutely certain that CONNAUTH does not affect locally bound connections you should use CHCKLOCL(NONE). Using OPTIONAL could affect applications that are written in Java and set a user ID without a password as a way of doing the equivalent of run-as. These would now fail because they would have the password checked and it wouldn't match.

The above issue won't affect channels as they are not Java applications.

dextermbmq wrote:
Second one is around CHLAUTH

Once CHLAUTH is enabled the default rule listed below should effect the existing Clustered and distributed communication since a running clusrcvr channel shows MCAUSER as "mqm" however post enabling the CHLAUTh i could see that none of the clustered and Distributed channels were affected and they kept in running state

AMQ8878I: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER)
USERLIST(*MQADMIN)


TYPE(BLOCKUSER) only applies to SVRCONNs.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
dextermbmq
PostPosted: Fri Jun 05, 2020 1:31 am Post subject: Reply with quote

Acolyte

Joined: 26 Jul 2014
Posts: 73

Thanks a lot Morag
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexGeneral IBM MQ SupportEffect of Connauth on MQ Cluster/Distributed setup
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.