Connecting to a queue manager in client mode with channel authentication
IBM® WebSphere® MQ 7.1 introduced channel authentication records to control access more precisely at a channel level. This change in behavior means that, by default, newly created IBM WebSphere MQ 7.1 or later queue managers reject client connections from the Managed File Transfer component.
For more information about channel authentication, see Channel authentication records.
If the channel authentication configuration for the SVRCONN used by Managed File Transfer specifies a non-privileged MCAUSER ID, you must grant specific authority records for the queue manager, queues, and topics, to allow the Managed File Transfer Agent and commands to work correctly. Use the MQSC command SET CHLAUTH or the PCF command Set Channel Authentication Record to create, modify, or remove channel authentication records. For all Managed File Transfer agents that you want to connect to the IBM WebSphere MQ 7.1 or later queue manager, you can either set up an MCAUSER ID to use for all your agents, or set up a separate MCAUSER ID for each agent.
Grant each MCAUSER ID the following permissions:
- Authority records required for the queue manager:
  - connect
  - setid
  - inq
- Authority records required for queues.
  For all agent-specific queues, that is, queue names that end in agent_name in the following list, you must create these queue authority records for each agent that you want to connect to the IBM WebSphere MQ 7.1 or later queue manager by using a client connection.
  - put, get, dsp (SYSTEM.DEFAULT.MODEL.QUEUE)
  - put, get, setid, browse (SYSTEM.FTE.COMMAND.agent_name)
  - put, get (SYSTEM.FTE.DATA.agent_name)
  - put, get (SYSTEM.FTE.REPLY.agent_name)
  - put, get, inq, browse (SYSTEM.FTE.STATE.agent_name)
  - put, get, browse (SYSTEM.FTE.EVENT.agent_name)
  - put, get (SYSTEM.FTE)
- Authority records required for topics:
  - sub, pub (SYSTEM.FTE)
- Authority records required for file transfers.
  If you have separate MCAUSER IDs for source and destination agent, create the authority records on agents' queues at both source and destination.
  For example, if the source agent's MCAUSER ID is user1 and the destination agent MCAUSER ID is user2, set the following authorities for the agent users:

  | Agent user | Queue | Authority required |
  |---|---|---|
  | user1 | SYSTEM.FTE.DATA.destination_agent_name | put |
  | user1 | SYSTEM.FTE.COMMAND.destination_agent_name | put |
  | user2 | SYSTEM.FTE.REPLY.source_agent_name | put |
  | user2 | SYSTEM.FTE.COMMAND.source_agent_name | put |
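
The per-agent authority records listed above can be turned into `setmqaut` commands for one non-privileged MCAUSER ID. The following script is an added example, not IBM's own code: it only prints the commands so they can be reviewed before being run on the queue manager host, and the function name and the sample values `QM1`, `AGENT1` and `user1` are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not execute) the setmqaut commands that grant
# one MCAUSER ID the queue manager, queue and topic authorities listed above.
# Arguments (hypothetical names): queue manager, agent name, MCAUSER ID.
mft_agent_authrecs() {
    qm=$1 agent=$2 user=$3
    # Accept only a conservative set of characters (letters, digits, . _ % /)
    # so the generated command lines cannot carry shell metacharacters.
    for v in "$qm" "$agent" "$user"; do
        case $v in
            ''|*[!A-Za-z0-9._%/]*)
                echo "invalid argument: $v" >&2
                return 1 ;;
        esac
    done

    # Queue manager: connect, setid, inq
    echo "setmqaut -m $qm -t qmgr -p $user +connect +setid +inq"

    # Queues: each line is "queue-name authorities", copied from the list above.
    while read -r queue auths; do
        echo "setmqaut -m $qm -n $queue -t queue -p $user $auths"
    done <<EOF
SYSTEM.DEFAULT.MODEL.QUEUE +put +get +dsp
SYSTEM.FTE.COMMAND.$agent +put +get +setid +browse
SYSTEM.FTE.DATA.$agent +put +get
SYSTEM.FTE.REPLY.$agent +put +get
SYSTEM.FTE.STATE.$agent +put +get +inq +browse
SYSTEM.FTE.EVENT.$agent +put +get +browse
SYSTEM.FTE +put +get
EOF

    # Topic: sub, pub on SYSTEM.FTE
    echo "setmqaut -m $qm -n SYSTEM.FTE -t topic -p $user +sub +pub"
}

# Example call with constructed values:
#   mft_agent_authrecs QM1 AGENT1 user1
```

When source and destination agents use separate MCAUSER IDs, the cross-agent `put` authorities in the table above still have to be granted in addition to this per-agent set.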