
ttechsavvy (Novice; Joined: 09 Sep 2020; Posts: 10)
Posted: Wed May 05, 2021 3:56 am    Post subject: Queue/channel security
Hello
Kind of a beginner question, but how (or is it even possible) do you implement user/pass security in a qmgr-to-qmgr set-up?
Backstory: We have set up an MQ server (v9.2.1) and have a couple of connected partners. They use an MQ qmgr, so we have server-to-server connections. We also have one internal client connection which collects messages from different queues. For the client connection, I have implemented user/pass security and granted authorizations inside the MQ server to connect and consume messages.
How would I configure the same for the server-to-server connection? Add a user to the local system, grant authorizations inside the MQ server, and the partner adds user/pass to their channel configuration? I tried this but haven't had any luck.

bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Wed May 05, 2021 4:25 am
What o/s platform(s)?
How exactly have you implemented MQ user/pass security so far?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

ttechsavvy (Novice; Joined: 09 Sep 2020; Posts: 10)
Posted: Wed May 05, 2021 4:36 am
Server is running on Linux.
For our internal client connection, I added a user/pass to the local server (Linux) and gave authorizations to this user (connect to the qmgr, consume messages from queues). The client is a Java application and uses these credentials.

bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Wed May 05, 2021 5:47 am
I asked you to be precise. How exactly did you add user/pass? What exactly did you do?

ttechsavvy (Novice; Joined: 09 Sep 2020; Posts: 10)
Posted: Wed May 05, 2021 6:15 am
Sorry, here are the steps:
Linux:
    useradd user
    passwd user
IBM MQ:
    setmqaut -m qmgr -t qmgr -p user +connect
    setmqaut -m qmgr -n queue -t queue -p user +put
So where do I have to add these credentials? Channel (mcauser and password)?

bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Wed May 05, 2021 6:29 am
So, with a bit more technical MQ terminology precision, you have SENDER-RECEIVER channels between qmgrs.
Search Google for MQ CHLAUTH records. CHLAUTH records can ascribe an identity to a channel end, and allow/refuse connection based on the partner's DNS identity.

bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Wed May 05, 2021 6:46 am
Moved to security forum.

bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Wed May 05, 2021 7:36 am
You have mentioned user/pass in your post. MQ relies on the o/s and/or an external security manager, like LDAP or PAM or RACF, to authenticate user/pass credentials.
If you are new to MQ, may I strongly suggest that you enroll in an MQ system administration course, and/or download and read MQ primer documentation.

bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Wed May 05, 2021 10:49 am
ttechsavvy wrote:
    setmqaut -m qmgr -t qmgr -p user +connect
    setmqaut -m qmgr -n queue -t queue -p user +put
    So where do I have to add these credentials?
The setmqaut control command grants/removes authorizations to resources, not credentials.
ttechsavvy wrote:
    Channel (mcauser and password)?
MCAUSER is a channel attribute you can define manually, or you can assign it with CHLAUTH records.

ttechsavvy (Novice; Joined: 09 Sep 2020; Posts: 10)
Posted: Thu May 06, 2021 4:04 am
First of all, thanks for the replies and information.
Went through the documentation about CHLAUTH again and found an interesting line about sender-receiver connections:
    CHLAUTH rules can be used on any channel, but there are some restrictions. For example, USERMAP rules apply to SVRCONN channels only.
Link: https://www.ibm.com/docs/en/ibm-mq/9.2?topic=issues-creating-new-chlauth-rules-channels
So, let me get this straight:
There is no way to implement user/pass security without LDAP, PAM or RACF?
I just thought that I could apply the same CHLAUTH records to a sender-receiver connection as I did with the client.
Also what I tried:
Added a new user to Linux. Gave it authorization to connect to the qmgr and consume messages from a specific queue. Then added a new CHLAUTH record to allow a connection from a specific qmgr with the previously created user.
This seems to work right now.
Pasting the commands again also:
Code:
    * Lock down all access:
    SET CHLAUTH('TO.MYSVR1') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
        DESCR('Back-stop rule')
    * Then allow access from queue manager MYSVR2 and from a particular IP address:
    SET CHLAUTH('TO.MYSVR1') TYPE(QMGRMAP) QMNAME('MYSVR2') USERSRC(MAP) +
        MCAUSER('mqapp') ADDRESS('192.168.1.134') ACTION(ADD)

bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Thu May 06, 2021 5:57 am
ttechsavvy wrote:
    So, let me get this straight:
    There is no way to implement user/pass security without LDAP, PAM or RACF?
Please be precise. User/pass security of what?
CONNAUTH rules specify where the user and password SUPPLIED BY AN APPLICATION will be authenticated: either the o/s or LDAP.

hughson (Padawan; Joined: 09 May 2013; Posts: 1959; Location: Bay of Plenty, New Zealand)
Posted: Thu May 06, 2021 9:04 pm
ttechsavvy wrote:
    Also what I tried:
    Added a new user to Linux. Gave it authorization to connect to the qmgr and consume messages from a specific queue. Then added a new CHLAUTH record to allow a connection from a specific qmgr with the previously created user.
    This seems to work right now.
    Pasting the commands again also:
    Code:
        * Lock down all access:
        SET CHLAUTH('TO.MYSVR1') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
            DESCR('Back-stop rule')
        * Then allow access from queue manager MYSVR2 and from a particular IP address:
        SET CHLAUTH('TO.MYSVR1') TYPE(QMGRMAP) QMNAME('MYSVR2') USERSRC(MAP) +
            MCAUSER('mqapp') ADDRESS('192.168.1.134') ACTION(ADD)
So what you describe is assigning the user ID 'mqapp' to be used for authority for that channel from that queue manager. Nowhere in the above is a password utilised. So there is no proof that this queue manager is allowed to use this user ID except for the fact that it has made a connection from the IP address you mention. If that's what you want, all good, but you seem to have mentioned user/pass a number of times throughout this thread, and I just wanted to make sure you realise that you are not using the password at all here.
You appear to have also already discovered that there is a difference between the CHLAUTH rules that can be applied to a QMgr-QMgr channel versus a Client-SvrConn channel. This is because the Client-SvrConn is DIRECTLY connected to the application, and so user IDs and passwords from inside the application can be made use of. For QMgr-QMgr channels there is no direct link to the application, so only things related to the network connection (IP address, qmgr name, and SSL x509 attributes) can be used in CHLAUTH. There is no user/password involved in the QMgr-QMgr channel to be processed as part of CHLAUTH or CONNAUTH.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
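The two CHLAUTH rules posted earlier, and Morag's point that a QMGRMAP rule proves nothing beyond a source IP address and a claimed queue manager name, suggest a check a practitioner would want to run on every inbound channel: is there a back-stop rule, is the mapped identity based on a TLS peer certificate rather than on IP/QMNAME, and does the channel actually require that certificate? The script below is an added example, not code from this thread, from IBM or from MQGem. It parses the text that runmqsc prints for DISPLAY CHLAUTH(*) ALL and DISPLAY CHANNEL(*) TYPE(RCVR) MCAUSER SSLCIPH SSLCAUTH and reports findings per channel. The sample output embedded in it is constructed to resemble runmqsc's ATTR(value) layout (attribute order is approximate); the second channel TO.MYSVR1.TLS, its SSLPEERMAP rule, the partner DNs and the low-privilege default user 'nobody' are assumptions introduced for illustration.

```python
"""Audit runmqsc output for qmgr-to-qmgr channel hardening (added example).

Parses DISPLAY CHLAUTH / DISPLAY CHANNEL text and flags inbound channels whose
mapped identity rests on IP address or QMNAME alone instead of a TLS peer
certificate. Constructed sample output is used when no files are given.
"""
from __future__ import annotations

import re
import sys

ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")          # one NAME(value) pair
INBOUND_TYPES = {"RCVR", "RQSTR", "CLUSRCVR"}          # ends that assign MCAUSER

FINDINGS = {
    "NO_BACKSTOP": "no ADDRESS(*) USERSRC(NOACCESS) rule; unmatched connections run under the channel MCAUSER",
    "NETWORK_ONLY_IDENTITY": "USERSRC(MAP) on an ADDRESSMAP/QMGRMAP rule: IP and QMNAME are claims, not proof",
    "TLS_NOT_ENFORCED": "SSLCIPH is blank, so the partner's identity is never verified",
    "PEER_CERT_NOT_REQUIRED": "SSLCAUTH is not REQUIRED, so the partner need not present a certificate",
    "BLANK_MCAUSER": "channel MCAUSER is blank; set a low-privilege default and map identities via CHLAUTH",
}

# Constructed sample: the thread's two rules on TO.MYSVR1, plus an assumed
# TLS-based channel TO.MYSVR1.TLS (SSLPEERMAP rule, SSLCAUTH(REQUIRED)).
SAMPLE_CHLAUTH = """\
AMQ8878I: Display channel authentication record details.
   CHLAUTH(TO.MYSVR1)                      TYPE(QMGRMAP)
   DESCR( )                                CUSTOM( )
   ADDRESS(192.168.1.134)                  QMNAME(MYSVR2)
   MCAUSER(mqapp)                          USERSRC(MAP)
   WARN(NO)                                CHCKCLNT(ASQMGR)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(TO.MYSVR1)                      TYPE(ADDRESSMAP)
   DESCR(Back-stop rule)                   CUSTOM( )
   ADDRESS(*)                              USERSRC(NOACCESS)
   WARN(NO)                                CHCKCLNT(ASQMGR)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(TO.MYSVR1.TLS)                  TYPE(SSLPEERMAP)
   DESCR( )                                CUSTOM( )
   SSLPEER(CN=MYSVR2,O=Partner Ltd)        SSLCERTI(CN=Partner CA,O=Partner Ltd)
   ADDRESS( )                              MCAUSER(mqapp)
   USERSRC(MAP)                            WARN(NO)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(TO.MYSVR1.TLS)                  TYPE(ADDRESSMAP)
   DESCR(Back-stop rule)                   CUSTOM( )
   ADDRESS(*)                              USERSRC(NOACCESS)
"""

SAMPLE_CHANNELS = """\
AMQ8414I: Display Channel details.
   CHANNEL(TO.MYSVR1)                      CHLTYPE(RCVR)
   MCAUSER( )                              SSLCAUTH(OPTIONAL)
   SSLCIPH( )
AMQ8414I: Display Channel details.
   CHANNEL(TO.MYSVR1.TLS)                  CHLTYPE(RCVR)
   MCAUSER(nobody)                         SSLCAUTH(REQUIRED)
   SSLCIPH(ANY_TLS12_OR_HIGHER)
"""


def parse_records(text: str, key: str) -> list[dict[str, str]]:
    """Return one dict per displayed object; blank values like MCAUSER( ) become ''."""
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("AMQ"):            # each object starts with an AMQ message line
            records.append({})
        elif records:
            for attr, value in ATTR_RE.findall(line):
                records[-1][attr] = value.strip()
    return [r for r in records if key in r]


def audit(chlauth_text: str, channel_text: str) -> dict[str, list[str]]:
    """Map each inbound channel name to a sorted list of finding codes."""
    rules = parse_records(chlauth_text, "CHLAUTH")
    result: dict[str, list[str]] = {}
    for ch in parse_records(channel_text, "CHANNEL"):
        if ch.get("CHLTYPE") not in INBOUND_TYPES:
            continue
        name = ch["CHANNEL"]
        ch_rules = [r for r in rules if r["CHLAUTH"] == name]   # exact-name profiles only
        problems = set()
        if not any(r.get("TYPE") == "ADDRESSMAP" and r.get("ADDRESS") == "*"
                   and r.get("USERSRC") == "NOACCESS" for r in ch_rules):
            problems.add("NO_BACKSTOP")
        if any(r.get("USERSRC") == "MAP" and r.get("TYPE") in ("ADDRESSMAP", "QMGRMAP")
               for r in ch_rules):
            problems.add("NETWORK_ONLY_IDENTITY")
        if not ch.get("SSLCIPH"):
            problems.add("TLS_NOT_ENFORCED")
        elif ch.get("SSLCAUTH") != "REQUIRED":
            problems.add("PEER_CERT_NOT_REQUIRED")
        if not ch.get("MCAUSER"):
            problems.add("BLANK_MCAUSER")
        result[name] = sorted(problems)
    return result


def report(findings: dict[str, list[str]]) -> str:
    lines = []
    for channel, codes in findings.items():
        lines.append(channel + (": OK" if not codes else ":"))
        lines.extend(f"  {code}: {FINDINGS[code]}" for code in codes)
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) == 3:                     # audit_chlauth.py chlauth.txt channels.txt
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            print(report(audit(f1.read(), f2.read())))
    else:
        print(report(audit(SAMPLE_CHLAUTH, SAMPLE_CHANNELS)))
```

Against a real queue manager (QM1 is a placeholder), capture the two displays with `echo "DISPLAY CHLAUTH(*) ALL" | runmqsc QM1 > chlauth.txt` and `echo "DISPLAY CHANNEL(*) TYPE(RCVR) MCAUSER SSLCIPH SSLCAUTH" | runmqsc QM1 > channels.txt`, then pass both files to the script. On the sample, TO.MYSVR1 is reported with NETWORK_ONLY_IDENTITY, TLS_NOT_ENFORCED and BLANK_MCAUSER, which is exactly the gap Morag describes: the partner is identified by where it connects from, not by anything it proves. The assumed TO.MYSVR1.TLS channel comes back clean because the MCAUSER is only assigned after the partner presents a certificate matching the SSLPEERMAP rule and SSLCAUTH(REQUIRED) forces it to do so.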

ttechsavvy (Novice; Joined: 09 Sep 2020; Posts: 10)
Posted: Fri May 07, 2021 3:18 am
Thanks for the explanation! This is what I was trying to figure out.