Blocking IP addresses with CHLAUTH - Which Type to Use?
Morag Hughson 110000EQPN Comments (2) Visits (15654)
WebSphere MQ V7.1 introduced a feature which allows you to block IP addresses from connecting to your queue manager - this feature is Channel Authentication Records, or CHLAUTH for short. In fact there are two ways that CHLAUTH allows you to block IP addresses. Today we will describe when to use each type.
Two ways to block
First let us show you two examples of how to block IP addresses using CHLAUTH.
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('184.108.40.206') USERSRC(NOACCESS)
SET CHLAUTH('*') TYPE(BLOCKADDR) ADDRLIST('220.127.116.11')
Both of these examples achieve the same end goal, however, each mechanism has a specific purpose.
This is the main way you should be setting up IP address rules with CHLAUTH. These rules are applied once data has been flowed so the channel name is available, although as the example above shows, you can still make rules to apply to all channels. This is the type you should use for the majority of your IP address blocking rules. When an inbound connection is blocked as a result of one of these rules, the error message that is written to your error log, and the event message that is written to the SYST
This type of CHLAUTH rule is applied to inbound connections before they send any data at all. Therefore, we do not know the channel name at this time. This is therefore used to block IP addresses that an banned across the board and are not allowed to connect in at all, over any channel. These blacklisted IP addresses are such that they should be caught by your IP firewall and never even make it as far as the MQ listener. However, it is common for updates to an IP firewall to take time to be put in place, and so using a TYPE(BLOCKADDR) CHLAUTH rule can bridge the gap from the time a rogue IP address is detected, to the time when the IP firewall is updated, at which point the TYPE(BLOCKADDR) rule can be removed again. So in short, this type of CHLAUTH rule is a temporary place that is under the control of the MQ administrator, to blacklist IP addresses until they are more permanently caught by the IP firewall. Keep an eye on your TYPE(BLOCKADDR) rule and ensure that there is always a plan for the IP addresses mentioned there - so that this list is not ever increasing in your MQ configuration.