CHLAUTH - Allow some privileged admins
Morag Hughson 110000EQPN Comments (2) Visits (24686)
WebSphere MQ V7.1 introduced a channel security feature called Channel Authentication Records, or CHLAUTH for short. The feature allows you to set rules to indicate what should happen to inbound connections to your queue manager. By default there are three rules in place and one of them is there to block all remote privileged users - that is those in the mqm group for example. To understand whether you are being blocked by this particular rule see "I'm being blocked by CHLAUTH - how can I work out why?"
AMQ8878: Display channel authentication record details. CHLAUTH(*) TYPE(BLOCKUSER) DESCR(Default rule to disallow privileged users) USERLIST(*MQADMIN)
If you wish to allow remote privileged users to connect to your queue manager over one specific channel, but retain the block that the default rule provides for all other channels, then this article will show you how to do that.
Allow privileged users on only one channel
In order to allow privileged users to connect over a specific channel you must add an additional rule which will over-ride the default one shown above. You might imagine that the following rule would do the job but unfortunately it does not.
This does not work as you might hope because an empty list does not over-ride the default list which contains the one special user '*MQADMIN'. Instead you need to provide a list of users that contains at least one member, and does not contain the special user '*MQADMIN'. This rule would look like this:-
The intention here is to provide a user name in the list that doesn't exist - if 'rubbish' is a real user ID it will be blocked.
In addition to allowing privileged users in over this channel you must have some form of authentication. You don't want just anyone to be able to connect in over this channel. Best practice is to follow the pattern described in "CHLAUTH - the back-stop rule". So one would expect to have an enabling rule to allow certain connections to be able to connect to the channel. You might have some rules in place like the examples below to do that.
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('The back-stop rule to block everyone')
So to summarize, if you want to allow remote administration by privileged users you can do that without opening all channels up to allow that. If you choose to do this you must ensure that their use of that channel is authenticated so that you are not opening up access to that channel by anyone.
Of course it is not necessary for remote administrators to be privileged as every operation that can be done remotely can be explicitly granted authorization. See "A non-privileged MQ administrator" for how to do that.