
WMQ Channel Authentication Records




1 WMQ Channel Authentication Records
Xin Po Zhang WebSphere MQ L2 Support May 2014

2 Agenda
Channel Authentication Records (CHLAUTH) Overview
Operations on CHLAUTH
Using CHLAUTH
Examples: USERMAP and QMGRMAP
Notes about CHLAUTH
WebSphere® Support Technical Exchange

3 CHLAUTH Overview

4 MQ Security: Authentication and Authorization
Authentication: verification of a claimed identity.
  Authentication at connection level
  Authentication at message level (AMS)
Authorization: the set of rules (authorities) granted to a particular user or group of users which allow access to named objects.
  Object Authority Manager
  Related commands: setmqaut, dspmqaut, dmpmqaut
  Queue: SYSTEM.AUTH.DATA.QUEUE

5 Channel Authentication Records
Channel Authentication Records filter inbound connection requests based on one or more of three criteria:
  The asserted identity that is presented by the channel
  The IP address of the remote partner that is requesting the connection
  The distinguished name of the certificate that is presented by an SSL/TLS channel

6 Functions of CHLAUTH
Block connections from specific IP addresses.
Block connections from specific user IDs.
Set an MCAUSER value to be used for any channel connecting from a specific queue manager.
Set an MCAUSER value to be used for any channel connecting from a specific IP address.
Set an MCAUSER value to be used for any channel asserting a specific user ID.
Set an MCAUSER value to be used for any channel having a specific SSL or TLS DN.

7 Operations on CHLAUTH

8 MQSC Command: SET CHLAUTH
SET CHLAUTH(generic-channel-name)
Blocking block:
  TYPE(BLOCKUSER) USERLIST(user-name, ...) WARN(YES/NO)
  TYPE(BLOCKADDR) ADDRLIST(generic-ip-address, ...) WARN(YES/NO)
Note: The generic channel name must be '*' when TYPE is BLOCKADDR.

9 MQSC Command: SET CHLAUTH
Mapping block:
  TYPE(SSLPEERMAP) SSLPEER(generic-ssl-peer-name)
  TYPE(ADDRESSMAP)
  TYPE(USERMAP) CLNTUSER(client-user-name)
  TYPE(QMGRMAP) QMNAME(partner-qmgr-name)
followed by:
  USERSRC(MAP/NOACCESS/CHANNEL)
  MCAUSER(user)
  ADDRESS(generic-ip-address)

10 MQSC Command: SET CHLAUTH
ACTION:
  ACTION(ADD) DESCR(' ')
  ACTION(REPLACE)
  ACTION(REMOVE)
  ACTION(REMOVEALL)
Technote: WebSphere MQ 7.1: How to remove a channel authentication record

11 GUI: Using MQ Explorer to Create CHLAUTH

12 GUI: Using MQ Explorer to Create CHLAUTH
Note: At the end of creating a channel authentication record, MQ Explorer also generates the corresponding SET CHLAUTH command.

13 Using CHLAUTH

14 Interaction between Different Rules
Where a number of channel authentication records match a channel name, IP address, queue manager name, or SSL or TLS DN, the most specific match is used. For each element, the order of precedence is:
  Channel name (the most specific channel name match is chosen first)
  A CHLAUTH record using an SSL or TLS DN takes priority over a record using a user ID, queue manager name, or IP address.
  A CHLAUTH record using a user ID or queue manager name takes priority over a record using an IP address.

15 Default CHLAUTH Rules
SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN')
  Block all users that are in the MQ admin group from connecting to the queue manager.
SET CHLAUTH('SYSTEM.*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
  Block connections to the queue manager using any of the predefined SYSTEM channels.
SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL)
  Allow connections to the queue manager using SYSTEM.ADMIN.SVRCONN (MQ Explorer connections).

16 Common Issue: 2035 or AMQ4036
Failing to connect to an MQ 7.1/7.5 queue manager with an MQ Administrator ID. The error is 2035 or AMQ4036.
2035: MQRC_NOT_AUTHORIZED
Technote: WMQ 7.1 / 7.5 queue manager RC 2035 MQRC_NOT_AUTHORIZED or AMQ4036 when using client connection as an MQ Administrator

17 Examples: USERMAP and QMGRMAP

18 Example 1: Using USERMAP
Scenario: Using the sample amqsputc from Linux to put messages to a queue on Windows 7.
MQ version: MQ Client for Linux, MQ for Windows
Linux user (client): xizhang
Windows users: xinpozh (mqm user), mqtest (standard user)
Queue manager: QM7102
Queue: Q1
Channel: SERVER1

19 Example 1: Using USERMAP
Step 1: Run the sample amqsputc.
Client side: [screenshot]
Server side: [screenshot]

20 Example 1: Using USERMAP
Step 2: Use CHLAUTH to fix the issue and define the following rule for the channel SERVER1.
SET CHLAUTH('SERVER1') TYPE(USERMAP) CLNTUSER('xizhang') USERSRC(MAP) MCAUSER('xinpozh') ACTION(ADD)
Client side: [screenshot]

21 Example 1: Using USERMAP
Server side: [screenshot]

22 Example 1: Using USERMAP
Step 3: Edit the rule to fix the issue.
SET CHLAUTH('SERVER1') TYPE(USERMAP) CLNTUSER('xizhang') USERSRC(MAP) MCAUSER('mqtest') ACTION(REPLACE)
Client side: [screenshot]

23 Example 2: Using QMGRMAP in the Cluster
Scenario: In an IBM WebSphere MQ point-to-point network, each remote queue manager is associated with a different receiver channel. However, when implementing a cluster, all of the remote queue managers use the same cluster receiver channel.
Task: Use a QMGRMAP rule to map the remote queue managers to different user IDs.

24 Example 2: Using QMGRMAP in the Cluster
Cluster: CLFR1, CLFR2, CLPR1, CLPR2
Channel: TO.CLFR1

25 Example 2: Using QMGRMAP in the Cluster
Step 1: Which user is used to run the channel when no CHLAUTH rule is defined?

26 Example 2: Using QMGRMAP in the Cluster
Step 2: Define the QMGRMAP rule below:
SET CHLAUTH('TO.CLFR1') TYPE(QMGRMAP) QMNAME('CLPR1') USERSRC(MAP) MCAUSER('mqtest') ACTION(ADD)
DIS CHS(TO.CLFR1) MCAUSER
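The following Python model is an added example, not part of the presentation and not IBM MQ code. It implements the precedence described on slides 14 and 15 (BLOCKADDR first; then the most specific mapping record, by channel-name specificity and then SSL/TLS DN over user ID or queue manager name over IP address; then BLOCKUSER against the resulting MCAUSER) and replays Example 1 (why the step 2 mapping to the mqm user xinpozh is still blocked by the default *MQADMIN rule while the step 3 mapping to mqtest succeeds) and Example 2 (the QMGRMAP record on TO.CLFR1). The IP addresses, the membership of ADMIN_USERS, and the assumption that a queue manager channel with a blank MCAUSER asserts the remote MCA's user ID (mqm) are constructed for the example.

```python
"""Constructed, simplified model of CHLAUTH rule evaluation (not IBM MQ code).
Assumed order, following the presentation: BLOCKADDR, then the most specific
mapping record, then BLOCKUSER against the resulting MCAUSER ('*MQADMIN' is
modelled as membership of the ADMIN_USERS set)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ChlauthRecord:
    channel: str                    # generic channel name, e.g. 'SYSTEM.*'
    type: str                       # BLOCKUSER, BLOCKADDR, SSLPEERMAP, ADDRESSMAP, USERMAP, QMGRMAP
    userlist: List[str] = field(default_factory=list)   # BLOCKUSER
    addrlist: List[str] = field(default_factory=list)   # BLOCKADDR
    sslpeer: Optional[str] = None   # SSLPEERMAP
    clntuser: Optional[str] = None  # USERMAP
    qmname: Optional[str] = None    # QMGRMAP
    address: Optional[str] = None   # ADDRESSMAP, or an extra IP filter on other map types
    usersrc: str = "MAP"            # MAP, NOACCESS or CHANNEL
    mcauser: str = ""               # identity assigned when USERSRC(MAP)


@dataclass
class Connection:
    channel: str
    address: str
    clntuser: str = ""              # user ID asserted by the remote end
    qmname: str = ""                # partner queue manager on a qmgr-to-qmgr channel
    ssl_dn: str = ""                # DN of the presented certificate, if any
    channel_mcauser: str = ""       # MCAUSER attribute of the channel definition


def generic_match(pattern: Optional[str], value: str) -> bool:
    """'*' matches anything; a trailing '*' matches a prefix; otherwise exact."""
    if pattern is None:
        return False
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


TYPE_PRIORITY = {"SSLPEERMAP": 3, "USERMAP": 2, "QMGRMAP": 2, "ADDRESSMAP": 1}


def record_matches(rec: ChlauthRecord, conn: Connection) -> bool:
    if not generic_match(rec.channel, conn.channel):
        return False
    if rec.address is not None and not generic_match(rec.address, conn.address):
        return False
    if rec.type == "SSLPEERMAP":
        return bool(conn.ssl_dn) and generic_match(rec.sslpeer, conn.ssl_dn)
    if rec.type == "USERMAP":
        return rec.clntuser == conn.clntuser
    if rec.type == "QMGRMAP":
        return bool(conn.qmname) and generic_match(rec.qmname, conn.qmname)
    return rec.type == "ADDRESSMAP" and rec.address is not None


def evaluate(records, conn, admin_users) -> Tuple[str, str]:
    """Return ('ALLOWED', effective_mcauser) or ('BLOCKED', reason)."""
    for rec in records:                              # 1. BLOCKADDR before anything else
        if rec.type == "BLOCKADDR" and any(generic_match(a, conn.address) for a in rec.addrlist):
            return "BLOCKED", "BLOCKADDR"
    candidates = [r for r in records if r.type in TYPE_PRIORITY and record_matches(r, conn)]
    if candidates:                                   # 2. most specific mapping record wins
        best = max(candidates, key=lambda r: (len(r.channel.rstrip("*")), TYPE_PRIORITY[r.type]))
        if best.usersrc == "NOACCESS":
            return "BLOCKED", f"{best.type} USERSRC(NOACCESS)"
        user = best.mcauser if best.usersrc == "MAP" else (conn.channel_mcauser or conn.clntuser)
    else:
        user = conn.channel_mcauser or conn.clntuser  # no record: channel MCAUSER, else asserted ID
    for rec in records:                              # 3. BLOCKUSER against the resulting identity
        if rec.type == "BLOCKUSER" and generic_match(rec.channel, conn.channel):
            if user in rec.userlist or ("*MQADMIN" in rec.userlist and user in admin_users):
                return "BLOCKED", f"BLOCKUSER {user}"
    return "ALLOWED", user


# The three default records from slide 15.
DEFAULT_RULES = [
    ChlauthRecord("*", "BLOCKUSER", userlist=["*MQADMIN"]),
    ChlauthRecord("SYSTEM.*", "ADDRESSMAP", address="*", usersrc="NOACCESS"),
    ChlauthRecord("SYSTEM.ADMIN.SVRCONN", "ADDRESSMAP", address="*", usersrc="CHANNEL"),
]
ADMIN_USERS = {"mqm", "xinpozh"}   # assumed admin set: xinpozh is the mqm user in Example 1


def example_one(mapped_to: str):
    """Example 1: Linux user xizhang on SERVER1 mapped to `mapped_to` (IP is constructed)."""
    rules = DEFAULT_RULES + [ChlauthRecord("SERVER1", "USERMAP", clntuser="xizhang",
                                           usersrc="MAP", mcauser=mapped_to)]
    return evaluate(rules, Connection("SERVER1", "192.0.2.10", clntuser="xizhang"), ADMIN_USERS)


def example_two(partner_qmgr: str):
    """Example 2: cluster receiver TO.CLFR1 with a QMGRMAP record for CLPR1.
    Assumption: with a blank channel MCAUSER the asserted ID is the remote MCA's user, mqm."""
    rules = DEFAULT_RULES + [ChlauthRecord("TO.CLFR1", "QMGRMAP", qmname="CLPR1",
                                           usersrc="MAP", mcauser="mqtest")]
    return evaluate(rules, Connection("TO.CLFR1", "192.0.2.20", clntuser="mqm",
                                      qmname=partner_qmgr), ADMIN_USERS)


def system_channel(channel: str, user: str):
    """Default-rule behaviour for the predefined SYSTEM.* channels."""
    return evaluate(DEFAULT_RULES, Connection(channel, "192.0.2.30", clntuser=user), ADMIN_USERS)


if __name__ == "__main__":
    print("Example 1 step 2 (map to xinpozh):", example_one("xinpozh"))
    print("Example 1 step 3 (map to mqtest): ", example_one("mqtest"))
    print("Example 2, CLPR1 on TO.CLFR1:     ", example_two("CLPR1"))
    print("Example 2, CLPR2 on TO.CLFR1:     ", example_two("CLPR2"))
    print("SYSTEM.DEF.SVRCONN as alice:      ", system_channel("SYSTEM.DEF.SVRCONN", "alice"))
    print("SYSTEM.ADMIN.SVRCONN as alice:    ", system_channel("SYSTEM.ADMIN.SVRCONN", "alice"))
```

Running the block shows the two outcomes the slides illustrate with screenshots: mapping xizhang to the mqm user is still rejected by the default BLOCKUSER('*MQADMIN') record, because BLOCKUSER is checked against the identity that results from mapping, while mapping to the standard user mqtest is allowed. The model deliberately treats only the matching rules the presentation describes; WARN(YES) records and generic IP address forms beyond a trailing '*' are not modelled.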

27 Notes about CHLAUTH

28 Some Important Notes Related to CHLAUTH
It's risky to leave the MCAUSER blank.
For migrated queue managers, CHLAUTH is disabled by default. Enable it with: ALTER QMGR CHLAUTH(ENABLED)
Be careful with generic specifications.
The CHLAUTH rules are saved in the system queue SYSTEM.CHLAUTH.DATA.QUEUE as persistent messages.
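As an added example (not part of the presentation and not an IBM tool), the check below turns the first two notes above into an audit script: it parses saved runmqsc output and reports a queue manager whose CHLAUTH attribute is not ENABLED and any SVRCONN channel whose MCAUSER is blank. The runmqsc output embedded in the block is constructed to resemble the responses to DIS QMGR CHLAUTH and DIS CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER; the channel names other than SERVER1 and SYSTEM.ADMIN.SVRCONN are invented for the sample.

```python
"""Constructed audit check for slide 28's notes (not an IBM tool): parse saved
runmqsc output and flag CHLAUTH not ENABLED and SVRCONN channels with a blank
MCAUSER. Run e.g.  echo 'DIS QMGR CHLAUTH' | runmqsc QM > out.txt  and feed the
file to audit(); SAMPLE_OUTPUT below is a constructed stand-in for that file."""
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
Starting MQSC for queue manager QM7102.


     1 : DIS QMGR CHLAUTH
AMQ8408: Display Queue Manager details.
   QMNAME(QM7102)                          CHLAUTH(DISABLED)
     2 : DIS CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER
AMQ8414: Display Channel details.
   CHANNEL(SERVER1)                        CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(mqtest)
     3 : END
3 MQSC commands read.
"""

ATTR = re.compile(r"(\w+)\(([^)]*)\)")   # KEY(value) pairs as runmqsc prints them


def parse_attrs(block: str) -> Dict[str, str]:
    """Collect KEY(value) pairs from one AMQ84xx response block; 'MCAUSER( )' becomes ''."""
    return {k: v.strip() for k, v in ATTR.findall(block)}


def parse_runmqsc(text: str) -> Dict[str, object]:
    """Return {'chlauth': value or None, 'channels': [attribute dicts]}."""
    chlauth = None
    channels: List[Dict[str, str]] = []
    for block in re.split(r"^(?=AMQ\d{4}:)", text, flags=re.M):
        # cut each block at the echo of the next MQSC command ("     2 : DIS ...")
        body = re.split(r"^\s*\d+ : ", block, maxsplit=1, flags=re.M)[0]
        if body.startswith("AMQ8408:"):          # queue manager details
            chlauth = parse_attrs(body).get("CHLAUTH")
        elif body.startswith("AMQ8414:"):        # channel details
            channels.append(parse_attrs(body))
    return {"chlauth": chlauth, "channels": channels}


def audit(text: str) -> List[str]:
    """Findings as plain strings, empty when nothing needs attention."""
    parsed = parse_runmqsc(text)
    findings = []
    if parsed["chlauth"] != "ENABLED":
        findings.append(f"CHLAUTH is {parsed['chlauth']}: run ALTER QMGR CHLAUTH(ENABLED)")
    for ch in parsed["channels"]:
        if ch.get("CHLTYPE") == "SVRCONN" and ch.get("MCAUSER", "") == "":
            findings.append(f"{ch['CHANNEL']}: blank MCAUSER on a SVRCONN channel")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_OUTPUT):
        print(line)
```

A blank MCAUSER on a SVRCONN channel means the identity asserted by the client is used unless a CHLAUTH record maps it, which is why the script reports it alongside the disabled CHLAUTH attribute rather than as a separate concern.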

29 Additional Resources on MQ Security

30 Additional Resources on MQ Security
Redbook: Secure Messaging Scenarios with WebSphere MQ
CHLAUTH WSTE by Bill Newcomb
Using CHLAUTH to lock down Administrative access with MQ Explorer
Channel authentication records

31 Additional WebSphere Product Resources
Learn about upcoming WebSphere Support Technical Exchange webcasts, and access previously recorded presentations at:
Discover the latest trends in WebSphere Technology and implementation, participate in technically-focused briefings, webcasts and podcasts at:
Join the Global WebSphere Community:
Access key product show-me demos and tutorials by visiting IBM Education Assistant:
View a webcast replay with step-by-step instructions for using the Service Request (SR) tool for submitting problems electronically:
Sign up to receive weekly technical My Notifications s:
This chart includes links to a number of sites that provide valuable online resources for WebSphere products. Visit the WebSphere Support Technical Exchange site to learn more about upcoming WebSphere Support Technical Exchange webcasts, like the one you attended today, and access previously recorded presentations. developerWorks offers in-depth technical information. Visit websphereusergroup.org for user group information and more product information. The IBM Education Assistant consists of self-help modules to get new users up the learning curve quickly. The SR tool is for Passport Advantage clients to open, update and view PMRs online. And the My Notifications link on all product support pages lets you sign up for weekly updates for products of interest to you.

32 Connect with us!
Get notified on upcoming webcasts: Send an or with subject line "wste subscribe" to get a list of mailing lists and to subscribe.
Tell us what you want to learn: Send us suggestions for future topics or improvements about our webcasts to or
Be connected! Connect with us on Facebook. Connect with us on Twitter.

33 Questions and Answers

