Blocking access for an SSL or TLS Distinguished Name
You can use a channel authentication record to prevent a TLS Distinguished Name (DN) from starting channels.
Before you begin
Ensure that channel authentication records are enabled:
ALTER QMGR CHLAUTH(ENABLED)
Procedure
Set a channel authentication record using the MQSC command SET CHLAUTH, or the PCF command Set Channel Authentication Record. For example, you can issue the MQSC command:
SET CHLAUTH('generic-channel-name') TYPE(SSLPEERMAP) +
    SSLPEER('generic-ssl-peer-name') SSLCERTI('generic-issuer-name') +
    USERSRC(NOACCESS)
- generic-channel-name is either the name of a channel to which you want to control access, or a pattern including the asterisk (*) symbol as a wildcard that matches the channel name.
- generic-ssl-peer-name is a string following the standard IBM® MQ rules for SSLPEER values. See IBM MQ rules for SSLPEER values.
- generic-issuer-name refers to the Issuer DN of the certificate to match. This parameter is optional, but if multiple certificate authorities are in use you should specify it to avoid spuriously matching the wrong certificate.
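The following worked example is added here and is not part of the original IBM documentation. It trials the block in warning mode, then enforces it, then checks which record an inbound connection would match. The channel names, DNs, IP address and user ID are constructed sample values.

```mqsc
* Added example: all names, DNs, the address and the user ID are constructed.
* Run in runmqsc against the queue manager that owns the channels.

* Channel authentication records must be enabled first.
ALTER QMGR CHLAUTH(ENABLED)

* Step 1: create the blocking record in warning mode. A matching
* connection is still allowed, and a channel blocked event is produced
* if channel events are configured, so you can see what would be hit.
SET CHLAUTH('APP.*') TYPE(SSLPEERMAP) +
    SSLPEER('CN=retired-client,O=Example Corp') +
    SSLCERTI('CN=Example Issuing CA,O=Example Corp') +
    USERSRC(NOACCESS) WARN(YES) +
    DESCR('Block retired client certificate (trial)')

* Step 2: once the warnings show only the intended certificate,
* replace the record with an enforcing one.
SET CHLAUTH('APP.*') TYPE(SSLPEERMAP) +
    SSLPEER('CN=retired-client,O=Example Corp') +
    SSLCERTI('CN=Example Issuing CA,O=Example Corp') +
    USERSRC(NOACCESS) WARN(NO) +
    DESCR('Block retired client certificate') +
    ACTION(REPLACE)

* Step 3: confirm the record is present with the expected attributes.
DISPLAY CHLAUTH('APP.*') TYPE(SSLPEERMAP) ALL

* Step 4: ask the queue manager which record a specific inbound client
* connection would match at run time. The channel name, address and DNs
* must be specific (not generic) for MATCH(RUNCHECK).
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') +
    SSLPEER('CN=retired-client,O=Example Corp') +
    SSLCERTI('CN=Example Issuing CA,O=Example Corp') +
    CLNTUSER('appuser')
```

If step 4 returns a record other than the SSLPEERMAP record with USERSRC(NOACCESS), another channel authentication record takes precedence for that connection and the DN is not blocked by this rule.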