Creating new CHLAUTH rules for channels
To help you create your own CHLAUTH rules, here are some common scenarios for channels, and example CHLAUTH rules to accomplish these.
Only allow access to a particular channel from a specific IP address range.
- Set No access to the channel from anywhere
- Allow access from a specific IP address or address range
runmqsc:
SET CHLAUTH('APP2.CHAN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) WARN(NO) ACTION(ADD)
SET CHLAUTH('APP2.CHAN') TYPE(ADDRESSMAP) ADDRESS('9.95.100.1-5') USERSRC(MAP) MCAUSER('mqapp2') ACTION(ADD)
The first rule is a back-stop that refuses every inbound connection on APP2.CHAN. The second rule is more specific, so it wins for addresses in the range 9.95.100.1 to 9.95.100.5 and allows the APP2.CHAN channel to be started only from that range. The connecting user is mapped to MCAUSER mqapp2, and therefore gets the IBM® MQ OAM authority granted to that user.
For a specific channel, block all users, but allow specific users to connect.
For this scenario, the channel MY.SVRCONN starts with the default CHLAUTH rules in place, which are:
- NO ACCESS to all channels by any MQ-admin (*MQADMIN) users
- NO ACCESS to all SYSTEM.* channels by all users
- ALLOW access to the SYSTEM.ADMIN.SVRCONN channel (non MQ-admin users)
# block all users
SET CHLAUTH('MY.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('block all') WARN(NO) ACTION(ADD)
# override the default *MQADMIN BLOCKUSER rule on this channel only
SET CHLAUTH('MY.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') DESCR('override no mqm admin rule') WARN(NO) ACTION(ADD)
# allow johndoe userid
SET CHLAUTH('MY.SVRCONN') TYPE(USERMAP) CLNTUSER('johndoe') USERSRC(CHANNEL) DESCR('allow johndoe userid') ACTION(ADD)
The first rule blocks anyone from connecting on MY.SVRCONN. The second rule is a channel-specific BLOCKUSER rule: for BLOCKUSER only the rule with the most specific channel name is applied, so this rule displaces the default *MQADMIN blocking rule on MY.SVRCONN (the user nobody is named only so that the rule blocks no one in practice). The third rule allows the MY.SVRCONN channel to be started only when the connection asserts the user Id johndoe; USERMAP rules take precedence over ADDRESSMAP rules, so it overrides the back-stop for that user alone.
Because the rule uses USERSRC(CHANNEL), johndoe is the user Id used for the IBM MQ OAM authority checks on IBM MQ objects. Therefore, that user Id must have the appropriate IBM MQ authorities. To run the channel as a different user Id instead, use USERSRC(MAP) MCAUSER('mquser1') instead of USERSRC(CHANNEL).
Using CHLAUTH for receiver and sender channels
You can use CHLAUTH rules to add extra security to receiver and sender channels, restricting which partners can start the receiver channel. Note that CHLAUTH rules are evaluated when a channel starts: if you add or change rules while channels are running, you must stop and restart those channels for the updates to apply.
CHLAUTH rules can be used on any channel, but there are some restrictions. For example, USERMAP rules apply to SVRCONN channels only.
# First you could lock down the channel by disallowing all
# for channel 'TO.MYSVR1', RCVR channel
SET CHLAUTH('TO.MYSVR1') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule') ACTION(ADD)
# Then you could allow this channel to be started from one IP address only
SET CHLAUTH('TO.MYSVR1') TYPE(ADDRESSMAP) ADDRESS('192.168.1.134') USERSRC(MAP) MCAUSER('mqapp') ACTION(ADD)

# Alternatively, lock down all access with the same back-stop rule
# (ACTION(ADD) fails if an identical rule already exists; use ACTION(REPLACE) to overwrite it):
SET CHLAUTH('TO.MYSVR1') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule') ACTION(ADD)
# Then allow access only from queue manager MYSVR2, and only from a particular IP address:
SET CHLAUTH('TO.MYSVR1') TYPE(QMGRMAP) QMNAME('MYSVR2') USERSRC(MAP) MCAUSER('mqapp') ADDRESS('192.168.1.134') ACTION(ADD)
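To make the precedence behind the three scenarios above concrete (the back-stop plus allow pattern for APP2.CHAN, the BLOCKUSER override and USERMAP allow for MY.SVRCONN, and the QMGRMAP rule for TO.MYSVR1), here is an added example written for this page, not IBM code, that models the rule evaluation in Python and replays the page's rules against sample connections. The model is a deliberate simplification: it supports only the rule types and address forms used above, assumes the precedence order USERMAP > QMGRMAP > ADDRESSMAP with the most specific channel name and address winning, ignores SSLPEERMAP and BLOCKADDR, and stands in for *MQADMIN with a boolean flag on the connection. The sample connections (addresses 10.0.0.1 and 9.95.100.9, the partner queue manager OTHER) are constructed for the example.

```python
"""Simplified model of how IBM MQ CHLAUTH rules combine (added illustration, not IBM code).

Supports only the rule subset used on this page: ADDRESSMAP with '*' or a.b.c.d-e
ranges, USERMAP, QMGRMAP and BLOCKUSER. Assumed precedence: USERMAP > QMGRMAP >
ADDRESSMAP, most specific channel name then address wins, and only the most
specific BLOCKUSER channel match is consulted. *MQADMIN is a flag on the connection.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    channel: str                 # exact name, 'PREFIX.*' or '*'
    type: str                    # ADDRESSMAP | USERMAP | QMGRMAP | BLOCKUSER
    usersrc: str = "MAP"         # NOACCESS | MAP | CHANNEL (mapping types only)
    mcauser: str = ""
    address: str = "*"
    clntuser: str = ""
    qmname: str = ""
    userlist: tuple = ()


@dataclass
class Conn:
    channel: str
    ip: str
    clntuser: str = ""           # user asserted by a client on a SVRCONN
    qmname: str = ""             # partner queue manager on a receiver channel
    is_mq_admin: bool = False    # member of mqm, i.e. would match *MQADMIN


def chan_specificity(pattern, name):
    """Score how specifically a channel pattern matches a name; -1 if it does not."""
    if pattern == "*":
        return 0
    if pattern.endswith("*"):
        return len(pattern) - 1 if name.startswith(pattern[:-1]) else -1
    return len(pattern) + 1 if name == pattern else -1


def addr_specificity(pattern, ip):
    """Score an address pattern (octets: number, low-high range or '*'); -1 if no match."""
    if pattern == "*":
        return 0
    score = 0
    for pat, octet in zip(pattern.split("."), ip.split(".")):
        if pat == "*":
            continue
        lo, _, hi = pat.partition("-")
        if not int(lo) <= int(octet) <= int(hi or lo):
            return -1
        score += 1 if hi else 2  # an exact octet is more specific than a range
    return score


def key_matches(rule, conn):
    if rule.type == "USERMAP":
        return bool(conn.clntuser) and rule.clntuser == conn.clntuser
    if rule.type == "QMGRMAP":
        return bool(conn.qmname) and rule.qmname == conn.qmname
    return True                  # ADDRESSMAP is keyed on the address alone


def evaluate(rules, conn):
    """Return (mcauser, deciding_rule); mcauser is None when the connection is refused."""
    best, best_score = None, (-1, -1)
    for rtype in ("USERMAP", "QMGRMAP", "ADDRESSMAP"):
        for r in rules:
            if r.type != rtype or not key_matches(r, conn):
                continue
            score = (chan_specificity(r.channel, conn.channel), addr_specificity(r.address, conn.ip))
            if min(score) >= 0 and score > best_score:
                best, best_score = r, score
        if best:
            break                # a higher-precedence type matched; lower types are ignored
    if best is None or best.usersrc == "CHANNEL":
        mcauser = conn.clntuser  # simplified: run as the identity the channel flowed
    elif best.usersrc == "NOACCESS":
        return None, best
    else:
        mcauser = best.mcauser
    # BLOCKUSER is applied to the final MCAUSER, using only the most specific channel match
    blockers = [(chan_specificity(r.channel, conn.channel), r) for r in rules if r.type == "BLOCKUSER"]
    blockers = [b for b in blockers if b[0] >= 0]
    if blockers:
        blk = max(blockers, key=lambda b: b[0])[1]
        if mcauser in blk.userlist or ("*MQADMIN" in blk.userlist and conn.is_mq_admin):
            return None, blk
    return mcauser, best


# The rules from this page, plus the three defaults a new queue manager ships with.
PAGE_RULES = [
    Rule("SYSTEM.ADMIN.SVRCONN", "ADDRESSMAP", usersrc="CHANNEL"),
    Rule("SYSTEM.*", "ADDRESSMAP", usersrc="NOACCESS"),
    Rule("*", "BLOCKUSER", userlist=("*MQADMIN",)),
    Rule("APP2.CHAN", "ADDRESSMAP", usersrc="NOACCESS"),
    Rule("APP2.CHAN", "ADDRESSMAP", usersrc="MAP", mcauser="mqapp2", address="9.95.100.1-5"),
    Rule("MY.SVRCONN", "ADDRESSMAP", usersrc="NOACCESS"),
    Rule("MY.SVRCONN", "BLOCKUSER", userlist=("nobody",)),
    Rule("MY.SVRCONN", "USERMAP", usersrc="CHANNEL", clntuser="johndoe"),
    Rule("TO.MYSVR1", "ADDRESSMAP", usersrc="NOACCESS"),
    Rule("TO.MYSVR1", "QMGRMAP", usersrc="MAP", mcauser="mqapp", qmname="MYSVR2", address="192.168.1.134"),
]

if __name__ == "__main__":
    for c in (Conn("APP2.CHAN", "9.95.100.3"), Conn("APP2.CHAN", "9.95.100.9"),
              Conn("MY.SVRCONN", "10.0.0.1", clntuser="johndoe", is_mq_admin=True),
              Conn("TO.MYSVR1", "192.168.1.134", qmname="OTHER")):
        print(c.channel, c.ip, c.clntuser or c.qmname, "->", evaluate(PAGE_RULES, c)[0])
```

The johndoe case with is_mq_admin set is the one worth studying: the default BLOCKUSER('*') rule would refuse an mqm-group member, but the channel-specific BLOCKUSER('nobody') rule on MY.SVRCONN is the only BLOCKUSER rule consulted for that channel, so the connection is accepted. On a real queue manager the equivalent check, with no channel started, is DISPLAY CHLAUTH('MY.SVRCONN') MATCH(RUNCHECK) ADDRESS('10.0.0.1') CLNTUSER('johndoe') in runmqsc, which reports the rule that would be applied to that inbound connection.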