You can secure remote connectivity to the queue manager using SSL or TLS, a security exit, channel authentication records, or a combination of these methods.
About this task
You connect a client to the queue manager by using a client-connection channel on the client workstation and a server-connection channel on the server. Secure such connections in one of the following ways.
Procedure
- Using SSL or TLS with channel authentication records:
  - Prevent any Distinguished Name (DN) from opening a channel, by using an SSLPEERMAP channel authentication record to map all DNs to USERSRC(NOACCESS).
  - Allow specific DNs or sets of DNs to open a channel by using an SSLPEERMAP channel authentication record to map them to USERSRC(CHANNEL).
- Using SSL or TLS with a security exit:
  - Set MCAUSER on the server-connection channel to a user identifier with no privileges.
  - Write a security exit to assign an MCAUSER value depending on the value of the SSL DN it receives in the SSLPeerNamePtr and SSLPeerNameLength fields passed to the exit in the MQCD structure.
- Using SSL or TLS with fixed channel definition values:
  - Set SSLPEER on the server-connection channel to a specific value or narrow range of values.
  - Set MCAUSER on the server-connection channel to the user ID the channel should run with.
- Using channel authentication records on channels that do not use SSL or TLS:
  - Prevent any IP address from opening channels, by using an address-mapping channel authentication record with ADDRESS(*) and USERSRC(NOACCESS).
  - Allow specific IP addresses to open channels, by using address-mapping channel authentication records for those addresses with USERSRC(CHANNEL).
- Using a security exit:
  - Write a security exit to authorize connections based on any property you choose, for example, the originating IP address.
- It is also possible to use channel authentication records with a security exit, or to use all three methods, if your particular circumstances require it.
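
The DN-to-MCAUSER decision made by the security exit in the second method, as an added C example that is not part of the original page or of the product's code. The `dn` and `dn_len` arguments stand in for the SSLPeerNamePtr and SSLPeerNameLength fields; the function name, the allow-list entries and the 12-character blank-padded user field are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MCAUSER_LEN 12  /* assumed width of the MCAUSER field, blank-padded */

/* Constructed allow-list: exact peer DN -> user ID the channel should run with. */
struct dn_map { const char *dn; const char *mcauser; };
static const struct dn_map DN_MAP[] = {
    { "CN=orders-app,O=Example,C=US",  "ordersvc" },
    { "CN=billing-app,O=Example,C=US", "billsvc"  },
};

/* Returns 1 and writes a blank-padded user ID when the DN is on the list.
 * Returns 0 and leaves mcauser untouched otherwise, so the unprivileged
 * MCAUSER already set on the server-connection channel stays in force. */
int map_dn_to_mcauser(const char *dn, size_t dn_len, char mcauser[MCAUSER_LEN])
{
    size_t i;
    if (dn == NULL || dn_len == 0)
        return 0;
    for (i = 0; i < sizeof DN_MAP / sizeof DN_MAP[0]; i++) {
        size_t want = strlen(DN_MAP[i].dn);
        size_t ulen = strlen(DN_MAP[i].mcauser);
        /* Compare the whole DN using the supplied length, never strlen(dn):
         * a prefix match would also accept "CN=orders-app-test,...". */
        if (dn_len != want || memcmp(dn, DN_MAP[i].dn, want) != 0)
            continue;
        if (ulen > MCAUSER_LEN)
            return 0;                      /* refuse to truncate a user ID */
        memset(mcauser, ' ', MCAUSER_LEN);
        memcpy(mcauser, DN_MAP[i].mcauser, ulen);
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *dn = "CN=orders-app,O=Example,C=US";  /* constructed sample DN */
    char user[MCAUSER_LEN];
    int ok;
    memset(user, ' ', MCAUSER_LEN);
    ok = map_dn_to_mcauser(dn, strlen(dn), user);
    printf("mapped=%d user=[%.12s]\n", ok, user);
    return 0;
}
```
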