Hi Erik, thanks, in fact it's a simple process to create access and rules.
MQ could have two users automatically created: mqm (for admin), as it does, and, for example, mqmro (for read only), or have a new client channel parameter making a SVRCONN read-only:
DEFINE CHANNEL(DISPLAY_CHL) ... USAGE(READONLY)
Original Message:
Sent: Tue May 20, 2025 05:17 AM
From: Erik Houlberg
Subject: CHLAUTH rules
Hi Joao,
You are correct that opening for remote admin rights to a production environment is not a good thing.
What I have done is to provide certain capabilities to testers (using MQExplorer) in lower environments, like stopping and starting channels.
BTW mqm is the default MQ admin user on Linux.
If the MQ client itself does not provide a user (and password), then the local user running the MQ client is passed in the connection, and that could be an LDAP user (authenticated on, e.g., the Windows machine where MQ Explorer is running).
What I have done was to open up for anyone to display only MQ object information (not change and not browse messages) by using a local user on the Linux machine. That local user was granted access to display a set of MQ object types.
I have provided a guide for that. The example statements provided may help you, although the example is not using specific IP.
------------------------------
Erik Houlberg
Original Message:
Sent: Tue May 20, 2025 03:15 AM
From: Joao Ramires
Subject: CHLAUTH rules
This doc has some scenarios explained:
ibm.com/support/pages/system/files/inline-files/Techdoc-7041997-4-CHLAUTH_0.pdf
What I want to do is to map a user from a Windows machine with MQExplorer on it to a Linux user. With the correct rules it's possible to map a user coming from a defined IP address to a local user on the Linux machine; the user on the Linux machine must exist. If you want to map an external user to, for example, the "mqm" user, you need to change the default qmgr AUTHINFO. In a test environment this is OK to do, but it opens qmgr administration to remote users, maybe not too good an idea in a production environment.
Thanks
------------------------------
Joao Ramires
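The mapping Joao describes, written out as an added example (it is not from the thread or from the IBM techdoc): a default-deny ADDRESSMAP rule on the channel, one more specific rule that maps a single workstation address to a non-privileged local Linux user, and the OAM grants that let that user connect and display objects without reading any messages. QMTEST and MY.CHANNEL are the names used in this thread; the client address 10.0.0.25, the user mqreader, the group mqro and the set of displayable object types are assumptions to adjust. The SYSTEM.ADMIN.COMMAND.QUEUE and SYSTEM.MQEXPLORER.REPLY.MODEL grants are the ones MQ Explorer needs to send PCF commands and collect the replies; check them against the documentation for your MQ level.

```shell
#!/usr/bin/env bash
# readonly_chlauth.sh - map one client address to a read-only Linux user and
# deny every other address on the channel. Added example, not from the thread.
#   usage: readonly_chlauth.sh QMGR CHANNEL CLIENT_ADDRESS LOCAL_USER LOCAL_GROUP
# Assumed values: address 10.0.0.25, user mqreader, group mqro. QMTEST and
# MY.CHANNEL are the names used in the thread. Needs mqm membership (runmqsc,
# setmqaut) and root for the groupadd/useradd step.

# MQSC for the CHLAUTH side. ADDRESS(*) is the least specific ADDRESSMAP
# pattern, so the single-address rule takes precedence over it. ACTION(REPLACE)
# makes the script safe to re-run, and the final DISPLAY shows which record the
# workstation would hit now that the rules are in place.
chlauth_rules() {   # $1 channel, $2 client address, $3 local user to map to
  cat <<EOF
ALTER QMGR CHLAUTH(ENABLED)
SET CHLAUTH('$1') TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(NOACCESS) WARN(NO) DESCR('Default deny') ACTION(REPLACE)
SET CHLAUTH('$1') TYPE(ADDRESSMAP) ADDRESS('$2') USERSRC(MAP) MCAUSER('$3') DESCR('Read-only workstation') ACTION(REPLACE)
ALTER CHANNEL('$1') CHLTYPE(SVRCONN) MCAUSER('nobody')
DISPLAY CHLAUTH('$1') ADDRESS('$2') CLNTUSER('tester') MATCH(RUNCHECK) ALL
EOF
}

# OAM grants for the mapped identity: connect plus display, no browse/get/put
# on application queues. Granted to a group: by default the OAM on Linux holds
# authorities by group, so a -p grant would land on the user's primary group.
oam_grants() {   # $1 queue manager, $2 group
  cat <<EOF
setmqaut -m $1 -t qmgr -g $2 +connect +inq +dsp
setmqaut -m $1 -t queue -n '**' -g $2 +dsp
setmqaut -m $1 -t channel -n '**' -g $2 +dsp
setmqaut -m $1 -t listener -n '**' -g $2 +dsp
setmqaut -m $1 -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -g $2 +put +inq +dsp
setmqaut -m $1 -t queue -n SYSTEM.MQEXPLORER.REPLY.MODEL -g $2 +dsp +inq +get
EOF
}

apply_readonly() {   # $1 qmgr, $2 channel, $3 client address, $4 local user, $5 group
  getent group "$5" >/dev/null || sudo groupadd -r "$5"
  id "$4" >/dev/null 2>&1 || sudo useradd -r -g "$5" -s /usr/sbin/nologin "$4"
  # Refuse to map to an administrator: with CHLAUTH mapping, the Linux user is
  # the only thing standing between a remote client and the mqm authority set.
  if id -nG "$4" | tr ' ' '\n' | grep -qx mqm; then
    echo "refusing: $4 is a member of mqm" >&2
    return 1
  fi
  chlauth_rules "$2" "$3" "$4" | runmqsc "$1"
  oam_grants "$1" "$5" | sh -e
}

if [ "$#" -eq 5 ]; then apply_readonly "$@"; fi
```

Run it as `readonly_chlauth.sh QMTEST MY.CHANNEL 10.0.0.25 mqreader mqro`; the RUNCHECK line at the end of the MQSC should come back with USERSRC(MAP) MCAUSER(mqreader) and no AMQ8898W. Because the channel's own MCAUSER is changed away from mqm and the mapped user is checked against mqm membership, nothing in this setup hands administrative authority to a remote client even if one of the rules is later removed.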
Original Message:
Sent: Mon May 19, 2025 02:52 AM
From: Emile Kearns
Subject: CHLAUTH rules
Hi All,
Interesting topic.
Now that Joao found that CHLAUTH is disabled, what are the tasks that need to be performed after enabling CHLAUTH?
------------------------------
Emile Kearns
Original Message:
Sent: Thu May 15, 2025 05:16 AM
From: Joao Ramires
Subject: CHLAUTH rules
Hi Morag!
Hours and hours around this, reading, testing, define channel, define rule, delete all, repeat, delete, repeat and I have...
4 : DISPLAY QMGR CHLAUTH
AMQ8408I: Display Queue Manager details.
QMNAME(QMTEST) CHLAUTH(DISABLED)
:)
well... I guess I have to stop for today ..
Many thanks for pointing this out.
------------------------------
Joao Ramires
Original Message:
Sent: Thu May 15, 2025 05:06 AM
From: Morag Hughson
Subject: CHLAUTH rules
Hi Joao,
Have you ensured that CHLAUTH is turned on?
Issue:
DISPLAY QMGR CHLAUTH
and check that it is ENABLED. If it is DISABLED, then issue:-
ALTER QMGR CHLAUTH(ENABLED)
A good way to test what is going on with CHLAUTH rules is to use the MATCH(RUNCHECK) feature of DISPLAY CHLAUTH. For example, issue the following command:
DISPLAY CHLAUTH(MY.CHANNEL) ADDRESS('1.2.3.4') CLNTUSER(your-client-side-user-id) MATCH(RUNCHECK) ALL
The response to this command will be the CHLAUTH rule that an inbound connection with these values would match. If it's a record with USERSRC(NOACCESS) then it will be blocked. If it is another record, then you now know why it is being let in.
Also, if your CHLAUTH rules are currently disabled, this response will be accompanied by this message:-
AMQ8898W: Display channel authentication record details - currently disabled.
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
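Morag's two checks, wrapped in a small script so that they can be run together and their output read mechanically. This is an added example, not part of Morag's reply or of any MQGem tool; it assumes runmqsc is on the PATH and that the caller is allowed to issue DISPLAY commands against the queue manager. The sample runmqsc output embedded at the bottom is constructed (the DISPLAY QMGR lines are the ones Joao posted; the RUNCHECK responses are shaped like real ones) so the parsing functions can be exercised without a queue manager.

```shell
#!/usr/bin/env bash
# chlauth_check.sh - run the two DISPLAY commands from the reply above and
# summarise what they mean for one inbound connection.
#   usage: chlauth_check.sh QMGR CHANNEL CLIENT_ADDRESS CLIENT_USER
# Added example, not code from the thread. Assumes runmqsc on PATH.

# Pipe one MQSC command into runmqsc and return its output.
mqsc() {   # $1 queue manager, $2 MQSC command
  printf '%s\n' "$2" | runmqsc "$1"
}

# Extract ENABLED/DISABLED from the output of DISPLAY QMGR CHLAUTH.
chlauth_state() {   # $1 captured output
  printf '%s\n' "$1" | sed -n 's/.*CHLAUTH(\([A-Z]*\)).*/\1/p' | head -n 1
}

# Turn a MATCH(RUNCHECK) response into one of:
#   BLOCKED         matched record has USERSRC(NOACCESS)
#   MAPPED:<user>   matched record maps the connection to MCAUSER(<user>)
#   CHANNEL         matched record leaves the identity to the channel's MCAUSER
#   NOMATCH         no record was returned
# prefixed with NOT-ENFORCED: when AMQ8898W says CHLAUTH is currently disabled,
# i.e. the rule exists but the queue manager is not applying it.
runcheck_verdict() {   # $1 captured output
  local out="$1" verdict usersrc mcauser
  if ! printf '%s\n' "$out" | grep -q 'CHLAUTH('; then
    verdict=NOMATCH
  else
    usersrc=$(printf '%s\n' "$out" | sed -n 's/.*USERSRC(\([A-Z]*\)).*/\1/p' | head -n 1)
    case "$usersrc" in
      NOACCESS) verdict=BLOCKED ;;
      MAP)      mcauser=$(printf '%s\n' "$out" | sed -n 's/.*MCAUSER(\([^)]*\)).*/\1/p' | head -n 1)
                verdict="MAPPED:$mcauser" ;;
      CHANNEL)  verdict=CHANNEL ;;
      *)        verdict="UNKNOWN:$usersrc" ;;
    esac
  fi
  if printf '%s\n' "$out" | grep -q 'AMQ8898W'; then
    verdict="NOT-ENFORCED:$verdict"
  fi
  printf '%s\n' "$verdict"
}

main() {   # $1 queue manager, $2 channel, $3 client address, $4 client user id
  local state verdict
  state=$(chlauth_state "$(mqsc "$1" 'DISPLAY QMGR CHLAUTH')")
  verdict=$(runcheck_verdict "$(mqsc "$1" \
    "DISPLAY CHLAUTH('$2') ADDRESS('$3') CLNTUSER('$4') MATCH(RUNCHECK) ALL")")
  printf 'CHLAUTH=%s  %s from %s on %s -> %s\n' "$state" "$4" "$3" "$2" "$verdict"
}

# Constructed sample output (the DISPLAY QMGR lines are what Joao posted; the
# RUNCHECK responses are shaped like real ones) so the parsers run offline.
SAMPLE_QMGR_DISABLED='AMQ8408I: Display Queue Manager details.
   QMNAME(QMTEST)                          CHLAUTH(DISABLED)'
SAMPLE_QMGR_ENABLED='AMQ8408I: Display Queue Manager details.
   QMNAME(QMTEST)                          CHLAUTH(ENABLED)'
SAMPLE_RUNCHECK_DISABLED='AMQ8878I: Display channel authentication record details.
   CHLAUTH(MY.CHANNEL)                     TYPE(ADDRESSMAP)
   ADDRESS(*)                              USERSRC(NOACCESS)
   WARN(NO)
AMQ8898W: Display channel authentication record details - currently disabled.'
SAMPLE_RUNCHECK_MAPPED='AMQ8878I: Display channel authentication record details.
   CHLAUTH(MY.CHANNEL)                     TYPE(ADDRESSMAP)
   ADDRESS(10.0.0.25)                      USERSRC(MAP)
   MCAUSER(mqreader)'

if [ "$#" -eq 4 ]; then main "$@"; fi
```

Against Joao's queue manager this prints `CHLAUTH=DISABLED` and a verdict of `NOT-ENFORCED:BLOCKED`: the ADDRESS(*) rule is the one the connection would match, and it would block, but nothing is enforced until ALTER QMGR CHLAUTH(ENABLED) has been issued. Once enabled, the verdict drops the prefix and the rest of the output tells you which record let a connection in and under which user.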
Original Message:
Sent: Thu May 15, 2025 04:55 AM
From: Joao Ramires
Subject: CHLAUTH rules
Hello all, CHLAUTH rules are always a theme that confuses me...
Sometimes I don't understand the simpler scenarios; I'm following the Techdoc-7041997.
I have a Linux queue manager (v9.3) with a SVRCONN channel with MCAUSER('mqm')
I want to block access from all IPs.
I have a rule like this, expecting to block all addresses, but it is not blocking.
CHLAUTH(MY.CHANNEL) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(NOACCESS) WARN(NO)
What am I missing?
Thanks!
------------------------------
Joao Ramires
------------------------------