Discussion:
Can one block IPs and use usermaps on the same inbound connection using channel auth rules?
Costa, D. (Damian)
2014-09-29 14:34:28 UTC
Hi all,
So I was wondering if, using a set of chl auth rules, I can block ranges of IPs connecting and map the user to a valid user on an inbound connection at the same time?
I.e., check that the connection is coming from a particular IP range and validate the inbound client user ID as well?
Thanks

********************
Nedbank Limited Reg No 1951/000009/06. The following link displays
the names of the Nedbank Board of Directors and Company Secretary.
[ http://www.nedbank.co.za/terms/DirectorsNedbank.htm ]
This email is confidential and is intended for the addressee only.
The following link will take you to Nedbank's legal notice.
[ http://www.nedbank.co.za/terms/EmailDisclaimer.htm ]
********************

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Jefferson Lowrey
2014-09-29 15:09:49 UTC
Different types of CHLAUTH records are applied in a different order. For
example, BLOCKUSER rules are applied last, afaik, and apply to the final
userid.

I couldn't find a page that listed the specific order in which rules are
applied - it may not actually be as straightforward as that, actually.

If, however, you look at
http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.ref.adm.doc/q086630_.htm?lang=en
in the description of the TYPE, you get at least some idea of when
different rules are applied.

So BLOCKADDR says that it's applied to the incoming connection at the
listener, *before* the channel name is known. So you can block all
connections of any type from a certain range of IP addresses. Any
connections that pass that rule then have the other rules applied to them,
which can include usermaps and blockusrs, etc.


Thank you,

Jeff Lowrey




Andrew Hunt
2014-10-01 10:39:46 UTC
Damian,

You will need to do it as separate set commands, one as a blocker and another as a map. I find it easy to think of chlauth as only having 2 basic functions, blocking and mapping. Read the following excellent techdoc and it will become clearer:

http://www-01.ibm.com/support/docview.wss?uid=swg27041997

hunty
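
The two-step approach described in the replies above, written out as MQSC. This is an added example, not part of the original thread; the channel name APP.SVRCONN, the user IDs appclient and mqapp, and all addresses (documentation ranges) are assumptions made for illustration.

```mqsc
* Added example: constructed names and addresses, not taken from the thread.
* Channel authentication records only take effect when CHLAUTH is enabled.
ALTER QMGR CHLAUTH(ENABLED)

* 1. Blocker. BLOCKADDR is applied at the listener, before the channel
*    name is known, so its profile must be '*'. Connections from this
*    range are refused regardless of channel or user ID.
SET CHLAUTH('*') TYPE(BLOCKADDR) +
    ADDRLIST('198.51.100.*') +
    DESCR('Refuse this range at the listener')

* 2. Backstop for the channel. Any address that has no more specific
*    record on APP.SVRCONN gets no access.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) +
    ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Default deny for APP.SVRCONN')

* 3. Map. This record matches only when BOTH the client user ID and the
*    source address match, and then runs the channel as MCAUSER mqapp.
*    Being more specific than the backstop, it takes precedence over it.
SET CHLAUTH('APP.SVRCONN') TYPE(USERMAP) +
    CLNTUSER('appclient') ADDRESS('192.0.2.*') +
    USERSRC(MAP) MCAUSER('mqapp') +
    DESCR('appclient from 192.0.2.* runs as mqapp')

* 4. Check. Ask the queue manager which record would match a given
*    inbound connection. The first should return the USERMAP record,
*    the second (same user, unlisted address) the NOACCESS backstop.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.15') CLNTUSER('appclient')
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('203.0.113.9') CLNTUSER('appclient')
```

CLNTUSER matches the user ID the client asserts; the USERMAP record maps that ID to an MCAUSER, it does not authenticate it.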
