Blocking specific IP addresses

You can prevent a specific channel accepting an inbound connection from an IP address, or prevent the whole queue manager from allowing access from an IP address, by using a channel authentication record.

Before you begin

Enable channel authentication records by running the following command:

ALTER QMGR CHLAUTH(ENABLED)

About this task

One type of rule blocks IP addresses on specific channels, so that a connection from a blocked address is rejected unless it arrives on the correct channel name. To deny an IP address access to the whole queue manager, you would normally block it permanently at the firewall. However, a second type of rule lets you block a few addresses temporarily, for example while you are waiting for the firewall to be updated.

Procedure

To block IP addresses from using a specific channel, set a channel authentication record by using the MQSC command SET CHLAUTH, or the PCF command Set Channel Authentication Record.
SET CHLAUTH(generic-channel-name) TYPE(ADDRESSMAP) ADDRESS(generic-ip-address) USERSRC(NOACCESS)
There are three parts to the command:
SET CHLAUTH (generic-channel-name)
You use this part of the command to control whether you want to block a connection for the entire queue manager, a single channel, or a range of channels. The generic channel name you put here determines which channels the rule covers.
For example:
  • SET CHLAUTH('*') - blocks every channel on a queue manager, that is, the entire queue manager
  • SET CHLAUTH('SYSTEM.*') - blocks every channel that begins with SYSTEM.
  • SET CHLAUTH('SYSTEM.DEF.SVRCONN') - blocks the channel SYSTEM.DEF.SVRCONN
Type of CHLAUTH rule
Use this part of the command to specify the type of rule, which determines whether you supply a single address (or wildcard pattern) or a list of addresses.
For example:
  • TYPE(ADDRESSMAP) - Use ADDRESSMAP if you want to supply a single address or wildcard address. For example, ADDRESS('192.168.*') blocks any connections coming from an IP address starting in 192.168.

    For more information about filtering IP addresses with patterns, see Generic IP addresses.

  • TYPE(BLOCKADDR) - Use BLOCKADDR if you want to supply a list of addresses to block.
Additional parameters
These parameters are dependent upon the type of rule you used in the second part of the command:
  • For TYPE(ADDRESSMAP) you use ADDRESS
  • For TYPE(BLOCKADDR) you use ADDRLIST
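The two rule types from the procedure above, shown as MQSC you would run in runmqsc against a queue manager with CHLAUTH(ENABLED). This is an added example, not from the IBM documentation; the channel name APP1.SVRCONN, the user appuser and all addresses are placeholders, and the DISPLAY CHLAUTH MATCH(RUNCHECK) check is included so you can confirm which rule an inbound connection would hit before relying on it.

```mqsc
* Added example; names and addresses below are placeholders, not values from the page.
* 1. Block one subnet on one channel. A matching connection is refused because
*    USERSRC(NOACCESS) means "map this connection to no access".
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.168.50.*') USERSRC(NOACCESS) DESCR('Block lab subnet on APP1')
* 2. Temporarily block two hosts from the whole queue manager while the firewall
*    change is pending. A BLOCKADDR rule is set on '*' and takes ADDRLIST.
SET CHLAUTH('*') TYPE(BLOCKADDR) ADDRLIST('10.0.5.77','10.0.5.78') DESCR('Temporary block pending firewall update')
* 3. Verify which rule an inbound connection from a given address would match,
*    before assuming the block is in place.
DISPLAY CHLAUTH('APP1.SVRCONN') MATCH(RUNCHECK) ADDRESS('192.168.50.12') CLNTUSER('appuser')
* 4. Once the firewall has been updated, remove the temporary addresses from the
*    block list (ACTION(REMOVE) on a BLOCKADDR rule removes the listed addresses).
SET CHLAUTH('*') TYPE(BLOCKADDR) ADDRLIST('10.0.5.77','10.0.5.78') ACTION(REMOVE)
```

Run DISPLAY CHLAUTH('*') TYPE(BLOCKADDR) afterwards to confirm that the temporary list is empty again.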