Create new CHLAUTH rules for users

Some common scenarios for users, and example CHLAUTH rules to accomplish these.

This topic contains the following scenarios:


Control access for specific MQ-admin users

For this scenario, setup a server connection channel that is to be exclusively used for an administrative perspective, that is, to connect from IBM MQ Explorer. We have a specific channel for this usage, and defined IP address, or addresses, from where we want connections to be accepted, and access blocked for the 'mqm' ID, if the connection is not from one of the specified IP addresses.

Make a SVRCONN channel for IBM MQ Explorer and MQ-admin users called ADMIN.CHAN:
runmqsc: DEFINE CHANNEL (ADMIN.CHAN) CHLTYPE (SVRCONN) TRPTYPE (TCP)
For testing, ensure that we have a user defined that is in the MQ-admin group, and one that is not. For this scenario, mqadm is in the MQ-admin group, and alice is not. The default CHLAUTH rules are in place. Add three rules to allow a specific user to access ADMIN.CHAN as MQ-admin from certain IP addresses:

  • Set NOACCESS from any address
  • Set BLOCKUSER for this channel to only block user nobody, which overrides the *MQADMIN BLOCKUSER
  • ALLOW access to user mqadm on a specific subnet of addresses, and MAP to mqadm user authority 

runmqsc:
SET CHLAUTH (ADMIN.CHAN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
SET CHLAUTH('ADMIN.CHAN') TYPE(BLOCKUSER) +
DESCR('Rule to override *MQADMIN blockuser on this channel') +
USERLIST('nobody') ACTION(replace)
SET CHLAUTH('ADMIN.CHAN') TYPE(USERMAP) +
CLNTUSER('mqadm') USERSRC(MAP) MCAUSER('mqadm') +
ADDRESS('192.168.1.*') +
DESCR('Allow mqadm as mqadm on local subnet') ACTION(ADD)
At this point, the user mqadm can access and start the ADMIN.CHAN channel, from the specified IP address range. We can run MATCH (RUNCHECK) at any time to see the results of each of these commands:
runmqsc:
DISPLAY CHLAUTH (ADMIN.CHAN) MATCH (RUNCHECK) CLNTUSER ('mqadm') ADDRESS
('192.168.1.138')
AMQ8878: Display channel authentication record details.
CHLAUTH(ADMIN.CHAN) TYPE(USERMAP)
ADDRESS(192.168.1.*) CLNTUSER(mqadm)
MCAUSER(mqadm)

DISPLAY CHLAUTH (ADMIN.CHAN) MATCH (RUNCHECK) CLNTUSER ('alice') ADDRESS
('192.168.1.138')
AMQ8878: Display channel authentication record details.
CHLAUTH(ADMIN.CHAN) TYPE(ADDRESSMAP)
ADDRESS(*) USERSRC(NOACCESS)
At this point, only the users that have a CHLAUTH record are allowed to access using the ADMIN.CHAN.


Control access for a specific user and IBM MQ client application

For this scenario, the default CHLAUTH rules are adequate, assuming IBM MQ authority should be set for a specific user, to provide the correct IBM MQ authority (using setmqaut).

In this scenario, the authorities are set for a user mqapp1, who is not an MQ-admin user. Make a SVRCONN channel, APP1.CHAN, to be used by a particular application and a specific user.
runmqsc: DEFINE CHANNEL (APP1.CHAN) CHLTYPE (SVRCONN) TRPTYPE (TCP)

With the default CHLAUTH rules in place, user mqapp1 can start the APP1.CHAN channel.

The user Id coming from the IBM MQ client application is used for IBM MQ object authority checking. In this case, assuming the 'mqapp1' user is running the IBM MQ client app, this is used for IBM MQ object authority checking. Therefore, if mqapp1 has access to the IBM MQ objects the application needs, all is fine; if not you will get authority errors.

We can further increase security by creating specific CHLAUTH rules for the mqapp1 user Id but, under the default rules, no member of the MQ-admin group can access this channel.
runmqsc:
SET CHLAUTH (APP1.CHAN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
SET CHLAUTH('APP1.CHAN') TYPE(USERMAP) +
CLNTUSER('mqapp1') USERSRC(MAP) MCAUSER('mqapp1') +
DESCR('Allow mqapp1 as mqapp1 on local subnet') ACTION(ADD)


Control access for a specific user by using the certificate distinguished name (DN) of that user

For this scenario, the user must have a certificate that is flowed to the queue manager. The DN is then matched against the SSLPEER setting of the CHLAUTH rule, and the SSLPEER can use wildcard characters.

If matched, the user can also be mapped to a different MCAUSER for purposes of checking the IBM MQ object authorities. Mapping the MCAUSER can minimize the number of users that need to be managed in the IBM MQ object authority manager (OAM).

We have a TLS channel with certificates in use, and you require rules to:

  • Block all users for a particular channel
  • Allow only users with a particular SSLPEER who use the client of that user for IBM MQ OAM access. 

.
# block all users on any IP address.
SET CHLAUTH('SSL1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*')
USERSRC(NOACCESS) DESCR(''block all'') WARN(NO) ACTION(ADD)
.
# override - no MQM admin rule (allow mqm group /mqm admin users to
connect.
SET CHLAUTH('SSL1.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody')
DESCR('override no mqm admin rule') WARN(NO) ACTION(ADD)
.
# allow particular SSLPEER, use client id coming in from channel
SET CHLAUTH('SSL1.SVRCONN') TYPE(SSLPEERMAP)
SSLPEER('CN=JOHNDOE,O=IBM,C=US') USERSRC(CHANNEL) ACTION(ADD)

The client user Id connecting on the channel is used for the IBM MQ OAM authority of IBM MQ objects; therefore the user Id must have appropriate IBM MQ authorities.

We can map to a different IBM MQ user Id if we want to, by using:
USERSRC(MAP) MCAUSER('mquser1')
instead of USERSRC(CHANNEL).


Mapping a particular user to the mqm user

This is an addition or modification to Control access for specific MQ-admin users.

Add the following CHLAUTH rule to map particular users to the mqm user, or an MQ-admin user Id, that has IBM MQ object authority setup in the IBM MQ OAM.
runmqsc:
SET CHLAUTH('ADMIN.CHAN') TYPE(USERMAP) +
CLNTUSER ('johndoe') USERSRC(MAP) MCAUSER ('mqm') +
ADDRESS('192.168.1-100.*') +
DESCR ('Allow johndoe as MQ-admin on local subnet') ACTION (ADD)

This allows and maps the johndoe user over to the mqm user for the particular channel ADMIN.CHAN.

Parent topic: Resolving CHLAUTH access issues


Related concepts


Related information