- NONE - MQ will not engage with the authentication service and any attempts to supply credentials on connections will be ignored by the queue manager (although still passed to any security exits that you may have).
- OPTIONAL - MQ will only verify credentials if they are supplied. If no credentials are supplied then the connection will pass the credential verification stage.
- REQDADM - MQ mandates that anyone connecting who is a member of the mqm group must supply a valid user id and password. If the user connecting is not a member of the mqm group, then OPTIONAL rules are applied.
- REQUIRED - MQ mandates that all connections must supply a valid user id and password.
> SET CHLAUTH('SYSTEM.*') TYPE(USERMAP) CLNTUSER('example') USERSRC(CHANNEL) CHCKCLNT(REQUIRED) ACTION(ADD)
> SET CHLAUTH('SYSTEM.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQDADM) ACTION(REPLACE)
- ASQMGR - Use the same level of security as the QMGR, which must be set to a minimum level of OPTIONAL.
- REQDADM - See above description
- REQUIRED - See above description
Example of how to set up CHLAUTH rules with CHCKCLNT
1) First I set my QMGR to use an AUTHINFO that has CHCKCLNT(OPTIONAL) set. (Note: I cannot set this to NONE and then raise the security using CHLAUTH, as this would cause all connections to fail with 2063. Setting a QMGR's CHCKCLNT to NONE states that no credential authentication should be done at all, so setting the QMGR to NONE and then setting a CHLAUTH rule to REQUIRED or REQDADM creates a conflict and therefore a configuration error within MQ.):
> ALTER AUTHINFO('SYSTEM.DEFAULT.AUTHINFO.IDPWOS') AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
2) I then refresh the connection authentication setting using:
> REFRESH SECURITY TYPE(CONNAUTH)
3) Next I create a simple SVRCONN CHANNEL called "CONNECT" which is where I want clients to connect:
> DEFINE CHANNEL('CONNECT') CHLTYPE(SVRCONN)
4) Because I only want connections to come through the CONNECT channel, and only from certain IP addresses, I will create the following CHLAUTH rule to block all connections. (Later we will create the rules to allow access):
> SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) ACTION(ADD)
5) Afterwards I create the following CHLAUTH rules to allow access to my trusted IP addresses:
> SET CHLAUTH('CONNECT') TYPE(ADDRESSMAP) ADDRESS('127.0.0.1') USERSRC(CHANNEL) CHCKCLNT(ASQMGR) ACTION(ADD)
> SET CHLAUTH('CONNECT') TYPE(ADDRESSMAP) ADDRESS('192.168.0.7') USERSRC(CHANNEL) CHCKCLNT(ASQMGR) ACTION(ADD)
6) Finally I create my last CHLAUTH rule that will force my untrusted connection to supply credentials when connecting:
> SET CHLAUTH('CONNECT') TYPE(ADDRESSMAP) ADDRESS('192.168.1.567') USERSRC(CHANNEL) CHCKCLNT(REQUIRED) ACTION(ADD)
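
The walk-through above, modelled as an added Python example (not part of the original post and not IBM code): it evaluates the rules from steps 4 to 6 against a queue manager CHCKCLNT level and reports whether a connection is blocked, allowed, rejected, or hits the 2063 conflict from step 1. Assumptions: 198.51.100.20 is a constructed stand-in for the untrusted address, rule precedence is reduced to "fewest wildcards wins", and where the rule and queue manager values differ the stricter one is applied.

```python
from fnmatch import fnmatchcase

STRICTNESS = {"NONE": 0, "OPTIONAL": 1, "REQDADM": 2, "REQUIRED": 3}

# (channel, address, USERSRC, CHCKCLNT) rules from steps 4-6.
# 198.51.100.20 is a constructed stand-in for the untrusted client address.
RULES = [
    ("*", "*", "NOACCESS", None),
    ("CONNECT", "127.0.0.1", "CHANNEL", "ASQMGR"),
    ("CONNECT", "192.168.0.7", "CHANNEL", "ASQMGR"),
    ("CONNECT", "198.51.100.20", "CHANNEL", "REQUIRED"),
]

def match_rule(channel, address):
    """Return the matching rule; the step 4 catch-all guarantees at least one hit.
    Simplified precedence (assumption): fewest wildcards wins."""
    hits = [r for r in RULES if fnmatchcase(channel, r[0]) and fnmatchcase(address, r[1])]
    return min(hits, key=lambda r: (r[0] + r[1]).count("*"))

def effective_level(qmgr, rule_level):
    """Combine the AUTHINFO CHCKCLNT value with the matched rule's value."""
    if rule_level == "ASQMGR":
        return qmgr
    if qmgr == "NONE":
        return None  # step 1 conflict: rule demands checks the QMGR has switched off
    # Assumption: when both are set, the stricter value applies.
    return max(qmgr, rule_level, key=STRICTNESS.__getitem__)

def decide(qmgr, channel, address, supplied=False, valid=False, is_mqm=False):
    """Outcome for one client connection: blocked, allowed, rejected or failed (2063)."""
    _, _, usersrc, rule_level = match_rule(channel, address)
    if usersrc == "NOACCESS":
        return "blocked"
    level = effective_level(qmgr, rule_level)
    if level is None:
        return "failed (2063)"
    if level == "NONE":
        return "allowed"  # credentials are ignored entirely
    required = level == "REQUIRED" or (level == "REQDADM" and is_mqm)
    if not supplied:
        return "rejected" if required else "allowed"
    return "allowed" if valid else "rejected"  # supplied credentials are always verified

if __name__ == "__main__":
    for addr in ("127.0.0.1", "198.51.100.20", "10.0.0.9"):
        print(addr, decide("OPTIONAL", "CONNECT", addr))
```
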