Creating new CHLAUTH rules for users
Some common scenarios for users, and example CHLAUTH rules to accomplish these.
Controlling access for specific MQ-admin users
For this scenario, set up a server connection channel that is to be used exclusively from an administrative perspective, that is, to connect from IBM® MQ Explorer. You have a specific channel for this usage, and a defined IP address, or addresses, from which you want connections to be accepted, with access blocked for the 'mqm' ID if the connection is not from one of the specified IP addresses.
Make a SVRCONN channel for MQ-admin users called ADMIN.CHAN:
runmqsc: DEFINE CHANNEL (ADMIN.CHAN) CHLTYPE (SVRCONN) TRPTYPE (TCP)
For testing, ensure that you have a user defined that is in the MQ-admin group, and one that is not. For this scenario, mqadm is in the MQ-admin group, and alice is not.
Allow MQ-admin users from certain IP addresses:
- Set NOACCESS from any address.
- Set BLOCKUSER for this channel to block only user nobody, which overrides the *MQADMIN BLOCKUSER rule.
- ALLOW access to user mqadm on a specific subnet of addresses, and MAP to the mqadm user authority.
runmqsc:
SET CHLAUTH (ADMIN.CHAN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
SET CHLAUTH('ADMIN.CHAN') TYPE(BLOCKUSER) +
DESCR('Rule to override *MQADMIN blockuser on this channel') +
USERLIST('nobody') ACTION(replace)
SET CHLAUTH('ADMIN.CHAN') TYPE(USERMAP) +
CLNTUSER('mqadm') USERSRC(MAP) MCAUSER('mqadm') +
ADDRESS('192.168.1.*') +
DESCR('Allow mqadm as mqadm on local subnet') ACTION(ADD)
At this point, the user mqadm can access and start the ADMIN.CHAN channel from the specified IP address range.
runmqsc:
DISPLAY CHLAUTH (ADMIN.CHAN) MATCH (RUNCHECK) CLNTUSER ('mqadm') ADDRESS ('192.168.1.138')
AMQ8878: Display channel authentication record details.
CHLAUTH(ADMIN.CHAN) TYPE(USERMAP)
ADDRESS(192.168.1.*) CLNTUSER(mqadm)
MCAUSER(mqadm)
DISPLAY CHLAUTH (ADMIN.CHAN) MATCH (RUNCHECK) CLNTUSER ('alice') ADDRESS ('192.168.1.138')
AMQ8878: Display channel authentication record details.
CHLAUTH(ADMIN.CHAN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
At this point, only the users that have a matching CHLAUTH record are allowed access using ADMIN.CHAN.
Controlling access for a specific user and IBM MQ client application
For this scenario, the default CHLAUTH rules are adequate, assuming that IBM MQ authority is set for a specific user to provide the correct IBM MQ object authority (using setmqaut).
The application user for this scenario is mqapp1, who is not an MQ-admin user. Make a SVRCONN channel, APP1.CHAN, to be used by a particular application and a specific user.
runmqsc: DEFINE CHANNEL (APP1.CHAN) CHLTYPE (SVRCONN) TRPTYPE (TCP)
With the default CHLAUTH rules in place, user mqapp1 can start the APP1.CHAN channel.
The user ID coming from the IBM MQ client application is used for IBM MQ object authority checking. In this case, assuming the 'mqapp1' user is running the IBM MQ client application, that ID is what the object authority checks use: if mqapp1 has access to the IBM MQ objects the application needs, all is fine; if not, you get authority errors.
You can restrict the channel to the mqapp1 user ID; note that, under the default rules, no member of the MQ-admin group can access this channel.
runmqsc:
SET CHLAUTH (APP1.CHAN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
SET CHLAUTH('APP1.CHAN') TYPE(USERMAP) +
CLNTUSER('mqapp1') USERSRC(MAP) MCAUSER('mqapp1') +
DESCR('Allow mqapp1 as mqapp1 on local subnet') ACTION(ADD)
Controlling access for a specific user by using the certificate distinguished name (DN) of that user
For this scenario, the user must have a certificate that is flowed to the queue manager. The DN is then matched against the SSLPEER setting of the CHLAUTH rule, and the SSLPEER can use wildcard characters.
If matched, the user can also be mapped to a different MCAUSER for purposes of checking the IBM MQ object authorities. Mapping the MCAUSER can minimize the number of users that need to be managed in the IBM MQ object authority manager (OAM).
- Block all users for a particular channel.
- Allow only users with a particular SSLPEER, using the client user ID of that user for IBM MQ OAM access.
runmqsc:
* block all users on any IP address
SET CHLAUTH('SSL1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
USERSRC(NOACCESS) DESCR('block all') WARN(NO) ACTION(ADD)

* override the default no-MQ-admin rule (allow mqm group / MQ-admin users to connect)
SET CHLAUTH('SSL1.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') +
DESCR('override no mqm admin rule') WARN(NO) ACTION(ADD)

* allow a particular SSLPEER, using the client user ID coming in from the channel
SET CHLAUTH('SSL1.SVRCONN') TYPE(SSLPEERMAP) +
SSLPEER('CN=JOHNDOE,O=IBM,C=US') USERSRC(CHANNEL) ACTION(ADD)
The client user ID connecting on the channel is used for the IBM MQ OAM authority checks on IBM MQ objects; therefore that user ID must have the appropriate IBM MQ authorities. To map the connecting user to a different user for those checks, specify USERSRC(MAP) MCAUSER('mquser1') instead of USERSRC(CHANNEL).
Mapping a particular user to the mqm user
This is an addition or modification to Controlling access for specific MQ-admin users.
Map a specific user to the mqm user, or to an MQ-admin user ID, that has IBM MQ object authority set up in the IBM MQ OAM.
runmqsc:
SET CHLAUTH('ADMIN.CHAN') TYPE(USERMAP) +
CLNTUSER ('johndoe') USERSRC(MAP) MCAUSER ('mqm') +
ADDRESS('192.168.1-100.*') +
DESCR ('Allow johndoe as MQ-admin on local subnet') ACTION (ADD)
This allows and maps the johndoe user over to the mqm user for the particular channel ADMIN.CHAN.
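As an added example (not IBM code or the page's own commands), the following Python models how the ADMIN.CHAN rules above are evaluated, reproducing the two RUNCHECK results for mqadm and alice, showing why the channel-specific BLOCKUSER('nobody') rule is needed to override the default *MQADMIN block, and matching an address range such as the 192.168.1-100.* used in the johndoe mapping. It is a simplified model: it assumes only ADDRESSMAP, USERMAP and BLOCKUSER rules, that USERMAP takes precedence over ADDRESSMAP, that an exact-channel BLOCKUSER rule replaces the generic '*' one, and that '*MQADMIN' means membership of a constructed MQ_ADMIN_GROUP; run_check, address_matches and RULES are names introduced here.

```python
# Added example, not IBM code: a simplified model of CHLAUTH evaluation (only
# ADDRESSMAP, USERMAP and BLOCKUSER; '*MQADMIN' = membership of a constructed group).
MQ_ADMIN_GROUP = {"mqm", "mqadm"}  # constructed sample membership

def address_matches(pattern, address):
    """Match an IPv4 address against a CHLAUTH ADDRESS pattern whose octets may be
    a number, a range such as '1-100', or '*' (a bare '*' matches any address)."""
    if pattern == "*":
        return True
    pats = pattern.split(".")
    if len(pats) != 4:
        return False
    for pat, octet in zip(pats, address.split(".")):
        lo, _, hi = pat.partition("-")
        if pat != "*" and not int(lo) <= int(octet) <= int(hi or lo):
            return False
    return True

def run_check(rules, channel, clnt_user, address):
    """Emulate DISPLAY CHLAUTH ... MATCH(RUNCHECK): return (rule applied, effective
    MCAUSER); MCAUSER is None when the connection would be refused."""
    chan_rules = [r for r in rules if r["chlauth"] in (channel, "*")]
    mapping, mcauser = None, clnt_user  # no mapping rule: the client ID is used as-is
    for typ in ("USERMAP", "ADDRESSMAP"):  # USERMAP is more specific than ADDRESSMAP
        hits = [r for r in chan_rules if r["type"] == typ
                and r.get("clntuser", clnt_user) == clnt_user
                and address_matches(r.get("address", "*"), address)]
        if hits:
            mapping = hits[0]
            break
    if mapping and mapping["usersrc"] == "NOACCESS":
        return mapping, None
    if mapping and mapping["usersrc"] == "MAP":
        mcauser = mapping["mcauser"]
    # BLOCKUSER is checked against the resulting MCAUSER; a channel rule replaces '*'
    blocks = sorted((r for r in chan_rules if r["type"] == "BLOCKUSER"),
                    key=lambda r: r["chlauth"] == "*")
    for user in (blocks[0]["userlist"] if blocks else []):
        if user == mcauser or (user == "*MQADMIN" and mcauser in MQ_ADMIN_GROUP):
            return blocks[0], None
    return mapping, mcauser

# Constructed rule set: the MQ default *MQADMIN block plus the page's ADMIN.CHAN rules
RULES = [
    {"chlauth": "*", "type": "BLOCKUSER", "userlist": ["*MQADMIN"]},
    {"chlauth": "ADMIN.CHAN", "type": "ADDRESSMAP", "address": "*", "usersrc": "NOACCESS"},
    {"chlauth": "ADMIN.CHAN", "type": "BLOCKUSER", "userlist": ["nobody"]},
    {"chlauth": "ADMIN.CHAN", "type": "USERMAP", "clntuser": "mqadm", "usersrc": "MAP",
     "mcauser": "mqadm", "address": "192.168.1.*"},
]
```

Removing the ADMIN.CHAN BLOCKUSER rule from RULES makes run_check refuse mqadm under the default *MQADMIN rule, which is the behaviour the override exists to prevent.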