11 replies Latest Post - ‏2012-12-04T16:50:20Z by SystemAdmin
SystemAdmin

Pinned topic MQ 7.1 new features : IP Address filtering

2012-11-21T16:03:59Z |
Hi,

I am not really familiar with MQ infrastructure, but we need to implement a communication channel between MQ on the Windows platform and MQ on the mainframe.
I want to seek some expertise from here.

My teammate told me that MQ on the mainframe in a previous version (e.g. 6.1) can set authentication so that only specific IP addresses of other Windows platforms can connect to the queue on the mainframe MQ, and the queues on the Windows platform are all remote queues. But there is no IP address control such that other outside client programs (i.e. not running on the same host as the MQ Windows platform) can connect to the remote queues on the Windows platform. If we do not choose another authentication method such as logon ID or SSL, then there is no way to prevent such unauthenticated connections to the remote queues on the Windows platform.

In MQ 7.1 I found IP Address Filtering listed as a new feature in this release, but can it apply to remote queues on the MQ 7.1 Windows platform?
Or is it again only allowed on the mainframe platform?

Some articles state that it can only block IP addresses, but can it be set to allow specific IP addresses to connect to remote queues on the Windows platform?

If you have any useful links for this, please kindly share with me.

Many thanks for your attention,
Ray
Updated on 2014-03-06T11:57:13Z at 2014-03-06T11:57:13Z by Morag Hughson
  • SystemAdmin

    Re: MQ 7.1 new features : IP Address filtering

    2012-11-21T16:15:41Z in response to SystemAdmin
    MQ V7.1 (on Windows and z/OS and other platforms) introduced a feature to allow you to block, or allow connections from specific IP addresses. This can be used when the receiving end of the channel is on a queue manager at V7.1 or above, even if the sending or client end of the channel is on an older version of MQ.

    I suggest you start reading with this page in the Info Center:-

    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/zs14190_.htm

    Cheers
    Morag
    • SystemAdmin

      Re: MQ 7.1 new features : IP Address filtering

      2012-11-29T17:49:21Z in response to SystemAdmin
      Hi Morag,

      Someone told me that the new feature can only block specific IP addresses, but cannot allow specific IP addresses.

      Do you have any idea of this?

      I could only find this in some documentation:

      - To set the Channel Authority:
        set chlauth(*) type(blockaddr) addrlist(<<IP address or IP address range>>) action(add)

      - To remove the Channel Authority:
        set chlauth(*) type(blockaddr) addrlist(<<IP address or IP address range>>) action(remove)

      - To check what Channel Authority exists:
        DISPLAY CHLAUTH(*)

      Really appreciate your help,
      Ray
      • SystemAdmin

        Re: MQ 7.1 new features : IP Address filtering

        2012-11-30T09:53:25Z in response to SystemAdmin

        Hi Ray,

        Here is an example of a CHLAUTH rule that will block an IP address:

        SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('1.2.3.4') USERSRC(NOACCESS)

        and here is an example of a CHLAUTH rule that will allow an IP address and give it a specific MCAUSER to run under:

        SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('2.3.4.5') USERSRC(MAP) MCAUSER('abc')


        These examples would be best combined with a rule that starts by blocking everything, and then only allowing in specific addresses, i.e. start with this rule:-

        SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Block all addresses')


        It is better to use TYPE(ADDRESSMAP) as above than TYPE(BLOCKADDR), because then you can also put in specific channel names instead of CHLAUTH('*'), which you can't do with TYPE(BLOCKADDR).

        Also, as your note correctly demonstrates, where I have a single address in the above examples, you can also put an address range, e.g. ADDRESS('1.2.3.1-10') or a wildcarded address, e.g. ADDRESS('1.2.3.*').

        Hope that helps,
        Cheers
        Morag

        Updated on 2014-03-06T11:58:05Z at 2014-03-06T11:58:05Z by Morag Hughson
        • SystemAdmin

          Re: MQ 7.1 new features : IP Address filtering

          2012-11-30T17:14:17Z in response to SystemAdmin
          Hi Morag,

          Thanks for your prompt reply. I am not really familiar with MQ commands, so I may not fully understand your post, but our remote queues have no MCAUSER defined; we only want to use the IP address to allow a specified server to connect from.

          Is it also possible to do this? Could you use the command to illustrate how to do so, so that I can ask my colleague to follow your suggestion?

          Many thanks in advance,
          Raymond
        • SystemAdmin

          Re: MQ 7.1 new features : IP Address filtering

          2012-11-30T18:27:09Z in response to SystemAdmin
          Hi Morag,

          Does it mean I issue these two commands:

          SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
          SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('2.3.4.5') USERSRC(MAP)

          so that it blocks everything except IP address 2.3.4.5?

          What is USERSRC(MAP)?

          Would you explain it briefly?

          Thanks,
          Ray
          • SystemAdmin

            Re: MQ 7.1 new features : IP Address filtering

            2012-12-03T11:23:35Z in response to SystemAdmin
            Hi Ray,

            Yes, if you issue these two commands (note the MCAUSER was missing in your example), then it will block every address except IP address '2.3.4.5':

            SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
            SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('2.3.4.5') USERSRC(MAP) MCAUSER('user1')


            When IP address '2.3.4.5' is detected as connecting to your queue manager, it needs to run with a particular user ID.

            USERSRC(MAP) MCAUSER('user1')

            is the part of the command that assigns the user ID for this connection to run under. It is called "MAP" as it is mapping an IP address to a user ID.

            Cheers
            Morag
            • SystemAdmin

              Re: MQ 7.1 new features : IP Address filtering

              2012-12-03T17:27:06Z in response to SystemAdmin
              Hi Morag,

              We may not have MCAUSER; will the following command work
              without MCAUSER? Or can I specify it with an asterisk?

              SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('2.3.4.5') USERSRC(MAP) MCAUSER('*')

              Thanks,
              • SystemAdmin

                Re: MQ 7.1 new features : IP Address filtering

                2012-12-03T18:02:09Z in response to SystemAdmin
                You do have MCAUSER, it is not something you can opt out of :-)

                You cannot specify MCAUSER('*').

                If you are not currently setting an MCAUSER on your channel definitions today, then you are likely allowing the client-side user to flow through, or, for qmgr-qmgr channels, you are allowing them to run with the privileged user ID that the queue manager was started with. In order to continue with this (rather insecure) mode of operating, you can use this command instead:-

                SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('2.3.4.5') USERSRC(CHANNEL)


                i.e. let the channel run with whatever user ID it already has and don't map it to anything else.

                You might want to review your channel security though to ensure that you are OK just doing this.

                Cheers
                Morag
                • SystemAdmin

                  Re: MQ 7.1 new features : IP Address filtering

                  2012-12-04T13:13:40Z in response to SystemAdmin
                  Hi Morag,

                  I see. Many thanks!
                • SystemAdmin

                  Re: MQ 7.1 new features : IP Address filtering

                  2012-12-04T15:51:32Z in response to SystemAdmin
                  I suddenly thought of a question: suppose "2.3.4.5" is a trusted server IP address.

                  SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('2.3.4.5') USERSRC(CHANNEL)

                  Then this command can allow connections from 2.3.4.5 without needing an MCAUSER.

                  Is this idea ok?

                  Thanks,
                  Ray
                  • SystemAdmin

                    Re: MQ 7.1 new features : IP Address filtering

                    2012-12-04T16:50:20Z in response to SystemAdmin
                    You are correct - that command will allow in a connection without explicitly setting an MCAUSER.

                    If it is a client, it will use the flowed client-side user ID.
                    If it is a qmgr-qmgr channel, it will run under the user ID that the qmgr was started with.

                    So it is not that there is no MCAUSER; it is just that you have not been aware of it.

                    You can see what MCAUSER all your channels are currently running with by using:

                    DISPLAY CHSTATUS(chl-name) MCAUSER


                    Cheers
                    Morag
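To show how the "block all addresses" rule and the more specific ADDRESSMAP rules in Morag's replies above combine, and what USERSRC(NOACCESS), USERSRC(MAP) and USERSRC(CHANNEL) each yield for an inbound address, here is an added Python model; it is not code from this thread or from IBM MQ. It assumes, as a simplification, that the most specific address pattern wins when judged octet by octet from the left, and the rule set and sample addresses are constructed for the example.

```python
# Added example, not code from the thread or from IBM MQ itself: a simplified
# model of how CHLAUTH TYPE(ADDRESSMAP) rules resolve an inbound IP address.
# Assumption: the most specific address pattern wins, judged octet by octet
# from the left, where an exact octet beats a range (a-b) and a range beats a
# wildcard (*). Real MQ precedence has more cases than this model covers.

def _octet_specificity(p):
    """Higher means more specific: exact octet > range > wildcard."""
    return 0 if p == "*" else 1 if "-" in p else 2

def _octet_matches(p, value):
    if p == "*":
        return True
    if "-" in p:
        low, high = (int(x) for x in p.split("-"))
        return low <= value <= high
    return int(p) == value

def address_matches(pattern, address):
    """Match an IPv4 address against patterns like '*', '1.2.3.*' or '1.2.3.1-10'."""
    if pattern == "*":
        return True
    parts = pattern.split(".")
    octets = [int(o) for o in address.split(".")]
    return len(parts) == 4 and all(_octet_matches(p, v) for p, v in zip(parts, octets))

def _specificity(pattern):
    if pattern == "*":
        return (0, 0, 0, 0)
    return tuple(_octet_specificity(p) for p in pattern.split("."))

def resolve(rules, address):
    """Return (USERSRC, MCAUSER) from the most specific rule matching address,
    or None when no rule matches (the channel then runs as it is defined)."""
    hits = [r for r in rules if address_matches(r["address"], address)]
    if not hits:
        return None
    best = max(hits, key=lambda r: _specificity(r["address"]))
    return (best["usersrc"], best.get("mcauser"))

# Constructed rule set in the shape the thread arrives at: block every address,
# let one trusted server in under a mapped user ID, let a small range run with
# the channel's own user ID, and keep the rest of that subnet blocked.
RULES = [
    {"address": "*", "usersrc": "NOACCESS"},
    {"address": "2.3.4.5", "usersrc": "MAP", "mcauser": "user1"},
    {"address": "1.2.3.1-10", "usersrc": "CHANNEL"},
    {"address": "1.2.3.*", "usersrc": "NOACCESS"},
]
```

Calling resolve(RULES, "1.2.3.7") returns ('CHANNEL', None) because the range rule outranks the subnet-wide block, while "1.2.3.50" falls back to that block and is refused.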