Topic
  • 11 replies
  • Latest Post - 2012-12-04T16:50:20Z by SystemAdmin
SystemAdmin (8523 Posts)

Pinned topic MQ 7.1 new features : IP Address filtering

2012-11-21T16:03:59Z
Hi,

I am not really familiar with MQ infrastructure, but we need to implement a communication channel between MQ on the Windows platform and MQ on the mainframe.
I want to seek some expertise here.

As my teammate told me, MQ on the mainframe in previous versions (e.g. 6.1) can set authentication that only allows specific IP addresses of other Windows platforms to connect to the queue on mainframe MQ, and the queues on the Windows platform are all remote queues. But there is no IP address control, so other outside client programs (i.e. not running on the same host as the MQ Windows platform) can connect to the remote queues on the Windows platform. If we do not choose another authentication method such as logon ID or SSL, then there is no way to prevent such unauthenticated connections to the remote queues on the Windows platform.

In MQ 7.1 I found that IP Address Filtering is a new feature in this release, but can it apply to remote queues on the MQ 7.1 Windows platform?
Or is it only allowed on the mainframe platform again?

Some articles state that it can only block IP addresses, but can it be set to allow specific IP addresses to connect to remote queues on the Windows platform?

If you have any useful links for this, please kindly share with me.

Really thanks for your attention,
Ray
Updated on 2014-03-06T11:57:13Z by Morag Hughson
  • SystemAdmin (8523 Posts)

    Re: MQ 7.1 new features : IP Address filtering

    2012-11-21T16:15:41Z
    MQ V7.1 (on Windows and z/OS and other platforms) introduced a feature to allow you to block, or allow connections from specific IP addresses. This can be used when the receiving end of the channel is on a queue manager at V7.1 or above, even if the sending or client end of the channel is on an older version of MQ.

    I suggest you start reading with this page in the Info Center:-

    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/zs14190_.htm

    Cheers
    Morag
  • SystemAdmin (8523 Posts)

    Re: MQ 7.1 new features : IP Address filtering

    2012-11-29T17:49:21Z
    Hi Morag,

    Someone told me that the new feature can only block specific IP addresses, but cannot be set to accept only specific IP addresses.

    Do you have any idea about this?

    I could only find this in some documentation:

    - To set the Channel Authority:
      set chlauth(*) type(blockaddr) addrlist(<<IP address or IP address range>>) action(add)

    - To remove the Channel Authority:
      set chlauth(*) type(blockaddr) addrlist(<<IP address or IP address range>>) action(remove)

    - To check the Channel Authority:
      DISPLAY CHLAUTH(*)

    Really appreciate your help,
    Ray
  • SystemAdmin (8523 Posts)

    Re: MQ 7.1 new features : IP Address filtering

    2012-11-30T09:53:25Z

    Hi Ray,

    Here is an example of a CHLAUTH rule that will block an IP address:

        SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('1.2.3.4') USERSRC(NOACCESS)

    and here is an example of a CHLAUTH rule that will allow an IP address and give it a specific MCAUSER to run under:

        SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('2.3.4.5') USERSRC(MAP) MCAUSER('abc')

    These examples would be best combined with a rule that starts by blocking everything, and then only allowing in specific addresses, i.e. start with this rule:-

        SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Block all addresses')


    Better to use TYPE(ADDRESSMAP) as above than TYPE(BLOCKADDR), since you can then also put in specific channel names instead of CHLAUTH('*'), which you can't do with TYPE(BLOCKADDR).

    Also, as your note correctly demonstrates, where I have a single address in the above examples, you can also put an address range, e.g. ADDRESS('1.2.3.1-10') or a wildcarded address, e.g. ADDRESS('1.2.3.*').

    Hope that helps,
    Cheers
    Morag

    Updated on 2014-03-06T11:58:05Z by Morag Hughson
  • SystemAdmin (8523 Posts)

    Re: MQ 7.1 new features : IP Address filtering

    2012-11-30T17:14:17Z

    Hi Morag,

    Thanks for your prompt reply. I am not really familiar with MQ commands, so I may not fully understand your post, but our remote queues have no MCAUSER defined; we only want to use the IP address to allow a specified server to connect from.

    Is it also possible to do this? Could you use the command to illustrate how to do so, so that I can ask my colleague to follow your suggestion?

    Many thanks in advance,
    Raymond
  • SystemAdmin (8523 Posts)

    Re: MQ 7.1 new features : IP Address filtering

    2012-11-30T18:27:09Z

    Hi Morag,

    Does it mean I issue these two commands:

    SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
    SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('2.3.4.5') USERSRC(MAP)

    So that it blocks everything except IP address 2.3.4.5?

    What is USERSRC(MAP)?

    Would you explain it briefly?

    Thanks,
    Ray
  • SystemAdmin (8523 Posts)

    Re: MQ 7.1 new features : IP Address filtering

    2012-12-03T11:23:35Z

    Hi Ray,

    Yes, if you issue these two commands (note the MCAUSER was missing in your example) then it will block every address except IP address '2.3.4.5':

        SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
        SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('2.3.4.5') USERSRC(MAP) MCAUSER('user1')

    When IP address '2.3.4.5' is detected as connecting to your queue manager it needs to run with a particular user ID.

        USERSRC(MAP) MCAUSER('user1')

    is the part of the command that assigns the user ID for this connection to run under. It is called "MAP" as it is mapping an IP address to a user ID.

    Cheers
    Morag
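    The two-command pattern above, extended to a complete allow-list, as an added example that is not part of Morag's reply or of IBM's documentation. It generalises the thread's rules in the two ways Morag mentions but does not show: records on a named channel rather than CHLAUTH('*'), and an address range. The channel names MF.TO.WIN and APP.SVRCONN, the addresses, the remote queue manager name MFQM and the user IDs mqmfuser and mqappuser are assumed placeholders. It also checks that the queue manager attribute CHLAUTH is ENABLED, because records are not evaluated while it is DISABLED.

```mqsc
* Added example (not from the thread or from IBM documentation):
* a default-deny CHLAUTH allow-list for a queue manager at MQ V7.1 or later.
* Channel names, addresses, MFQM and the user IDs are placeholders.

* 0. Records are only enforced when the queue manager attribute is ENABLED.
DISPLAY QMGR CHLAUTH
ALTER QMGR CHLAUTH(ENABLED)

* 1. Deny everything by default, on every channel. Definition order does
*    not matter: the most specific matching record (channel name first,
*    then address) is the one applied.
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Default deny: block all addresses on all channels')

* 2. Allow the mainframe queue manager on its receiver channel only, and
*    map it to a low-privilege ID rather than the ID the qmgr runs under.
SET CHLAUTH('MF.TO.WIN') TYPE(ADDRESSMAP) ADDRESS('10.1.2.5') +
    USERSRC(MAP) MCAUSER('mqmfuser') +
    DESCR('Mainframe QM 10.1.2.5 mapped to mqmfuser')

* 3. Allow a range of application servers on the client channel, all
*    running as one mapped ID (a range, as Morag notes, is valid here).
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.1.3.10-20') +
    USERSRC(MAP) MCAUSER('mqappuser') +
    DESCR('App tier 10.1.3.10-20 mapped to mqappuser')

* 4. Verify. First list every record, then ask the queue manager which
*    record would apply to a specific inbound connection. MATCH(RUNCHECK)
*    needs a non-generic channel name, a single ADDRESS, and either
*    QMNAME (qmgr-qmgr channel) or CLNTUSER (client channel).
DISPLAY CHLAUTH('*') ALL
DISPLAY CHLAUTH('MF.TO.WIN') MATCH(RUNCHECK) ADDRESS('10.1.2.5') QMNAME('MFQM')
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('10.1.3.99') CLNTUSER('anyone')
```

    Feed the script to runmqsc for the Windows queue manager (runmqsc QMNAME < rules.mqsc). The first RUNCHECK should return the MF.TO.WIN record with MCAUSER mqmfuser; the second, from an address outside the 10.1.3.10-20 range, should return the default-deny record, which confirms that an unexpected client would be refused before you rely on it.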
  • SystemAdmin (8523 Posts)

    Re: MQ 7.1 new features : IP Address filtering

    2012-12-03T17:27:06Z
    Hi Morag,

    We may not have MCAUSER; will the following command work
    without MCAUSER? Or can I specify it with an asterisk?

    SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('2.3.4.5') USERSRC(MAP) MCAUSER('*')

    Thanks,
  • SystemAdmin (8523 Posts)

    Re: MQ 7.1 new features : IP Address filtering

    2012-12-03T18:02:09Z
    You do have MCAUSER, it is not something you can opt out of :-)

    You cannot specify MCAUSER('*').

    If you are not currently setting an MCAUSER on your channel definitions today, then you are likely allowing the client side user to flow through, or for qmgr-qmgr channels, you are allowing them to run with the privileged user ID that the queue manager was started with. In order to continue with this (rather insecure) mode of operating, you can use this command instead:-

        SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('2.3.4.5') USERSRC(CHANNEL)


    i.e. let the channel run with whatever user ID it already has and don't map it to anything else.

    You might want to review your channel security though to ensure that you are OK just doing this.

    Cheers
    Morag
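    An added example (mine, not Morag's or IBM's) of the "review your channel security" step Morag suggests: keep USERSRC(CHANNEL) for the trusted address, but give the receiver channel definition its own low-privilege MCAUSER, so that the channel no longer runs under the ID the queue manager was started with; then grant that ID only what it needs and confirm the running channel's user with DISPLAY CHSTATUS. The channel name MF.TO.WIN, the queue APP.IN and the user ID mqmfuser are assumed placeholders. SET AUTHREC is available on distributed queue managers such as the Windows one from V7.1, not on z/OS.

```mqsc
* Added example (not from the thread or IBM documentation): USERSRC(CHANNEL)
* combined with an MCAUSER on the channel definition itself.
* MF.TO.WIN, APP.IN and mqmfuser are placeholders.

* What does the receiver channel run as today? A blank MCAUSER on a
* receiver means the queue manager's own (privileged) ID.
DISPLAY CHANNEL('MF.TO.WIN') CHLTYPE(RCVR) MCAUSER

* Give the channel definition a dedicated, low-privilege ID.
ALTER CHANNEL('MF.TO.WIN') CHLTYPE(RCVR) MCAUSER('mqmfuser')

* Allow only the trusted server, and let the connection keep the
* channel's user ID, which is now mqmfuser rather than the qmgr's ID.
SET CHLAUTH('MF.TO.WIN') TYPE(ADDRESSMAP) ADDRESS('2.3.4.5') USERSRC(CHANNEL) +
    DESCR('Trusted mainframe QM, runs as the channel MCAUSER')

* Least privilege for that ID: connect to the queue manager and put to
* the one queue the mainframe is expected to feed (extend as required,
* e.g. the dead-letter queue if undeliverable messages must land there).
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('mqmfuser') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('APP.IN') OBJTYPE(QUEUE) PRINCIPAL('mqmfuser') AUTHADD(PUT)

* Once the channel has restarted, confirm the ID it is actually using.
DISPLAY CHSTATUS('MF.TO.WIN') MCAUSER
```

    The point of the ALTER CHANNEL line is that USERSRC(CHANNEL) only means "use what the channel already has"; if the channel has a blank MCAUSER, that is the queue manager's ID, which is the insecure mode Morag describes. Setting the MCAUSER on the definition keeps the address filter Ray wants while removing the privilege.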
  • SystemAdmin (8523 Posts)

    Re: MQ 7.1 new features : IP Address filtering

    2012-12-04T13:13:40Z
    Hi Morag,

    I see. Many thanks!
  • SystemAdmin (8523 Posts)

    Re: MQ 7.1 new features : IP Address filtering

    2012-12-04T15:51:32Z
    I suddenly thought of a question: suppose "2.3.4.5" is a trusted server IP address.

    SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('2.3.4.5') USERSRC(CHANNEL)

    Then this command can allow connections from 2.3.4.5 without needing an MCAUSER.

    Is this idea ok?

    Thanks,
    Ray
  • SystemAdmin (8523 Posts)

    Re: MQ 7.1 new features : IP Address filtering

    2012-12-04T16:50:20Z
    You are correct - that command will allow in a connection without explicitly setting an MCAUSER.

    If it is a client, it will use the flowed client-side user ID.
    If it is a qmgr-qmgr channel, it will run under the user ID that the qmgr was started with.

    So it is not that there is no MCAUSER, it is just you have not been aware of it.

    You can see what MCAUSER all your channels are currently running with by using

        DISPLAY CHSTATUS(chl-name) MCAUSER


    Cheers
    Morag