Before you can run the sample applications, you must first create a queue manager. You
can then configure the queue manager to securely accept incoming connection requests from
applications that are running in client mode.
Before you begin
Ensure the queue manager already exists and has been started. Determine whether channel
authentication records are already enabled by issuing the MQSC command:
DISPLAY QMGR CHLAUTH
Important: This task expects that channel authentication records are enabled. If this is
a queue manager used by other users and applications, changing this setting will affect all other
users and applications. If your queue manager does not make use of channel authentication records
then step
4 can be replaced with an alternate
authentication method (for example, a security exit) which sets the MCAUSER to the
non-privileged-user-id you will obtain in step
1.
You must know which channel name your application expects to use so that
the application can be permitted to use the channel. You must also know which objects, for example
queues or topics, your application expects to use so that your application can be permitted to use
them.
About this task
This task creates a non-privileged user ID to be used for a client application which
connects to the queue manager. Access is granted for the client application only to be able to use
the channel it needs and the queue it needs by use of this user ID.
Procedure
-
Obtain a user ID on the system your queue manager is running on. For this task this user ID
must not be a privileged administrative user. This user ID will be the authority under which the
client connection will run on the queue manager.
-
Start a listener program with the following commands where:
-
qmgr-name is the name of your queue manager
-
nnnn is your chosen port number
-
For UNIX and Windows systems:
runmqlsr -t tcp -m qmgr-name -p nnnn
-
For IBM® i:
STRMQMLSR MQMNAME(qmgr-name) PORT(nnnn)
-
If your application uses the SYSTEM.DEF.SVRCONN then this channel is already defined. If your
application uses another channel, create it by issuing the MQSC command:
DEFINE CHANNEL(' channel-name ') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
DESCR('Channel for use by sample programs')
-
channel-name is the name of your channel.
-
Create a channel authentication rule allowing only the IP address of your client system to use
the channel by issuing the MQSC command:
SET CHLAUTH(' channel-name ') TYPE(ADDRESSMAP) ADDRESS(' client-machine-IP-address ') +
MCAUSER(' non-privileged-user-id ')
-
channel-name is the name of your channel.
-
client-machine-IP-address is the IP address of your client system.
- If your sample client application is running on the same machine as the queue manager then use
an IP address of '127.0.0.1' if your application is going to connect using 'localhost'. If several
different client machines are going to connect in, you can use a pattern or a range instead of a
single IP address. See Generic IP
addresses for details.
-
non-privileged-user-id is the user ID you obtained in step 1
-
If your application uses the SYSTEM.DEFAULT.LOCAL.QUEUE then this queue is already defined. If
your application uses another queue, create it by issuing the MQSC command:
DEFINE QLOCAL(' queue-name ') DESCR('Queue for use by sample programs')
-
queue-name is the name of your queue.
-
Grant access to connect to and inquire the queue manager:
-
For
IBM i,
UNIX and Windows systems issue the MQSC commands:
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL(' non-privileged-user-id ') +
AUTHADD(CONNECT, INQ)
-
non-privileged-user-id is the user ID you obtained in step 1
-
If your application is a point-to-point application, that is it makes use of queues, grant
access to allow inquiring and the putting and getting messages using your queue by the user ID to be
used, by issuing the MQSC commands:
-
For
IBM i,
UNIX and Windows systems issue the MQSC commands:
SET AUTHREC PROFILE(' queue-name ') OBJTYPE(QUEUE) +
PRINCIPAL(' non-privileged-user-id ') AUTHADD(PUT, GET, INQ, BROWSE)
-
queue-name is the name of your queue.
-
non-privileged-user-id is the user ID you obtained in step 1
-
If your application is a publish/subscribe application, that is it makes use of topics, grant
access to allow publishing and subscribing using your topic by the user ID to be used, by issuing
the MQSC commands:
-
For
IBM i,
UNIX and Windows systems issue the MQSC commands:
SET AUTHREC PROFILE('SYSTEM.BASE.TOPIC') OBJTYPE(TOPIC) +
PRINCIPAL(' non-privileged-user-id ') AUTHADD(PUB, SUB)
-
non-privileged-user-id is the user ID you obtained in step 1
- This will give non-privileged-user-id access to any topic in the topic tree,
alternatively, you can define a topic object using DEFINE TOPIC and grant
accesses only to the part of the topic tree referenced by that topic object. See Controlling user access to topics for
details.
What to do next
Your client application can now connect to the queue manager and put or get messages using
the queue.