Bitesize Blogging: MQ V8 - Hostnames in CHLAUTH
Graham_Richards
We have listened to your feedback and delivered one of the most voted-for Requests for Enhancement - CHLA
Hostnames can be used in almost all places in channel authentication records that IP address could be used.
SET CHLAUTH('*') TYPE(SSLPEERMAP) SSLPEER('CN="Graham Richards"') ADDRESS('s*.ibm.*') MCAUSER(RICHARDS)
The one exception to this is the TYPE(BLOCKADDR) record, which only accepts IP addresses. If you want to block addresses permanently with CHLAUTH rules in MQ, rather than via your IP firewall, you should do it with a TYPE(ADDRESSMAP) record that specifies USERSRC(NOACCESS).
SET CHLAUTH('APPL1.*') TYPE(ADDRESSMAP) ADDR
All CHLAUTH rules follow a precedence order to determine which rule is used when multiple match an incoming connection. Hostnames are at the bottom of the precedence order list as they are considered less specific than IP addresses since a single IP address could have multiple hostnames.
Obtaining a hostname - RevDNS
Since the hostname is not sent from the other end of a channel or TCP/IP connection, we need to ask the Domain Name Server (DNS) to provide the hostname for the IP address that we get from the socket. You will already be using the DNS if you use hostnames in your CONNAME fields, but for CHLAUTH we need to reverse look up the IP address to find the hostname. This may not be possible in your current set-up if the IP addresses of your client applications or sender channels are not currently in your DNS; for hostname rules to work, those IP addresses must be resolvable to hostnames.
If this reverse look-up is not possible then any CHLAUTH rules with hostnames will not be matched. If you do not want reverse look-up to be used at all, you can set the new QMGR attribute REVDNS to DISABLED:
ALTER QMGR REVDNS(DISABLED)
When REVDNS is ENABLED, the reverse look-up of the IP address to retrieve the hostname is still only done when it is required. If you do not use hostnames in CHLAUTH rules, then the only time a reverse look-up is done is when writing an error message that contains that information. This is the same as the product behaviour pre-V8.
When a channel is blocked you receive a message giving you all the pieces of information needed to work out why. In MQ V8.0 these messages can now contain a hostname for each IP address. If a hostname is not shown then either REVDNS is DISABLED or the reverse DNS look-up was unable to obtain a hostname for that IP address.
AMQ9777: Channel was blocked EXPLANATION: The inbound channel 'SYS
When using the MATCH(RUNCHECK) command you do the same as before: you provide the IP address. The queue manager then makes the call to DNS, just as it would if the real inbound connection appeared, to find out what the hostname is, and then runs the matching against the rules. If it was able to find a hostname then it will match against hostname rules; if it was not, then it won't.
If your queue manager is configured with REVDNS(DISABLED) and you also have CHLAUTH rules that use hostnames, then a message will appear along with the output of the MATCH(RUNCHECK) display, in the same way that it warns you when CHLAUTH is DISABLED.
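The behaviour described above (IP-address rules taking precedence over hostname rules, reverse DNS only being consulted when a hostname rule needs it, and MATCH(RUNCHECK) warning when REVDNS is DISABLED) can be seen end to end in the following simplified model. This is an added example, not IBM MQ code, and it makes assumptions: rule precedence inside one address type is approximated as "fewer wildcards wins", both IP and hostname patterns are matched with simple glob semantics rather than MQ's real address syntax, the PTR table and rule set are constructed for the example, and the warning text is made up rather than a real AMQ message. Swap `live_reverse_lookup` in for `fake_reverse_lookup` to run it against your own resolver.

```python
import fnmatch
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed reverse-DNS table standing in for the DNS a real queue manager
# would query (PTR look-up). Addresses and names are made up for this example.
FAKE_PTR_RECORDS = {
    "9.20.1.17": "s1234.ibm.com",
    "10.0.0.5": "appbox.internal.example",
}


def fake_reverse_lookup(ip: str) -> Optional[str]:
    """Offline stand-in for reverse DNS: None models 'no PTR record'."""
    return FAKE_PTR_RECORDS.get(ip)


def live_reverse_lookup(ip: str) -> Optional[str]:
    """Real reverse look-up via the system resolver, for live checks."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def is_ip_pattern(pattern: str) -> bool:
    # Assumption: an ADDRESS() value made only of digits, dots and '*' is an
    # IP-address pattern (a lone '*' included); anything else is a hostname.
    return re.fullmatch(r"[0-9.*]*", pattern) is not None


@dataclass
class ChlauthRule:
    channel: str                 # CHLAUTH channel profile, e.g. 'APPL1.*'
    address: str                 # ADDRESS() value: IP or hostname pattern
    usersrc: str                 # 'MAP' or 'NOACCESS'
    mcauser: str = ""            # MCAUSER() when USERSRC(MAP)


@dataclass
class CheckResult:
    rule: Optional[ChlauthRule]  # the winning rule, or None if nothing matched
    hostname: Optional[str]      # what reverse DNS returned, if it was consulted
    warnings: List[str] = field(default_factory=list)


@dataclass
class QueueManager:
    revdns_enabled: bool = True  # models ALTER QMGR REVDNS(ENABLED|DISABLED)
    rules: List[ChlauthRule] = field(default_factory=list)
    reverse_lookup: Callable[[str], Optional[str]] = fake_reverse_lookup

    def runcheck(self, channel: str, ip: str) -> CheckResult:
        """Simplified MATCH(RUNCHECK): IP-pattern rules first, then hostname
        rules, with reverse DNS performed only when a hostname rule needs it."""
        result = CheckResult(rule=None, hostname=None)
        candidates = [r for r in self.rules
                      if fnmatch.fnmatchcase(channel, r.channel)]

        # IP-address patterns take precedence over hostnames; among IP hits,
        # assume fewer wildcards means more specific (a simplification).
        ip_hits = [r for r in candidates
                   if is_ip_pattern(r.address) and fnmatch.fnmatchcase(ip, r.address)]
        if ip_hits:
            result.rule = min(ip_hits, key=lambda r: r.address.count("*"))
            return result

        host_rules = [r for r in candidates if not is_ip_pattern(r.address)]
        if not host_rules:
            return result  # no hostname rule, so no reverse look-up at all
        if not self.revdns_enabled:
            # Models the RUNCHECK warning described in the post; wording is constructed.
            result.warnings.append(
                "REVDNS is DISABLED: CHLAUTH rules using hostnames cannot match")
            return result

        result.hostname = self.reverse_lookup(ip)
        if result.hostname is None:
            result.warnings.append(f"no hostname found for {ip}; hostname rules skipped")
            return result
        for rule in host_rules:
            if fnmatch.fnmatchcase(result.hostname.lower(), rule.address.lower()):
                result.rule = rule
                break
        return result


# Constructed rule set, modelled on the two records shown in the post.
EXAMPLE_RULES = [
    ChlauthRule("APPL1.*", "10.0.*", "NOACCESS"),
    ChlauthRule("*", "s*.ibm.*", "MAP", "RICHARDS"),
]

if __name__ == "__main__":
    qm = QueueManager(rules=EXAMPLE_RULES)
    for chl, ip in [("APPL1.CLIENT", "10.0.0.5"), ("SYSTEM.DEF.SVRCONN", "9.20.1.17")]:
        print(chl, ip, qm.runcheck(chl, ip))
```

Running the two sample checks shows the point of the precedence order: the connection from 10.0.0.5 is refused by the IP-address rule without any DNS traffic, while the connection from 9.20.1.17 is only mapped to RICHARDS because reverse DNS returned a name matching 's*.ibm.*'. Constructing the queue manager with `revdns_enabled=False` makes the same second check return no rule at all, plus the warning, which is exactly the silent failure mode to look for when hostname rules seem not to apply.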