Creating new CHLAUTH rules for channels

To help you create your own CHLAUTH rules, here are some common scenarios for channels, and example CHLAUTH rules to accomplish these.

This topic contains the following scenarios:

Only allow access to a particular channel from a specific IP address range.

For this scenario you want to:
  • Set No access to the channel from anywhere
  • Allow access from a specific IP address or address range

runmqsc:
SET CHLAUTH('APP2.CHAN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
WARN(NO) ACTION(ADD)
SET CHLAUTH('APP2.CHAN') TYPE(ADDRESSMAP) ADDRESS('9.95.100.1-5')
USERSRC(MAP) MCAUSER('mqapp2') ACTION(ADD)

This allows only the APP2.CHAN channel to be started when the connection comes from the specific IP address range specified.

The user connecting as MCAUSER is mapped to mqapp2, and therefore gets the IBM® MQ OAM authority for that user.

For a specific channel, block all users, but allow specific users to connect.

For this scenario, the access to the channel MY.SVRCONN has the default CHLAUTH rules in place.

You need to add the following:

# block all users
SET CHLAUTH('MY.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
DESCR(''block all'') WARN(NO) ACTION(ADD)

# override - no MQM admin rule
SET CHLAUTH('MY.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') DESCR('override
no mqm admin rule') WARN(NO) ACTION(ADD)

# allow johndoe userid
SET CHLAUTH('MY.SVRCONN') TYPE(USERMAP) CLNTUSER('johndoe')
USERSRC(CHANNEL) DESCR('allow johndoe userid') ACTION(ADD)

This first part of the code blocks anyone from connecting on MY.SVRCONN, then the code allows only the MY.SVRCONN channel to be started when the connection comes from the specific user Id johndoe.

The user connecting on the channel johndoe is used for the IBM MQ OAM authority of IBM MQ objects. Therefore, the user Id must have the appropriate IBM MQ authorities.

You can map to a different IBM MQ user Id if you want to, by using:
USERSRC(MAP) MCAUSER('mquser1')
instead of USERSRC(CHANNEL).

Using CHLAUTH for receiver and sender channels

You can use CHLAUTH rules to add extra security to receiver and sender channels, to restrict access to the receiver channel. Note, that if you are adding or making changes to CHLAUTH rules, the updated CHLAUTH rules only apply when starting the channel, so if the channels are already running, you need to stop and restart them, for the CHLAUTH updates to apply.

CHLAUTH rules can be used on any channel, but there are some restrictions. For example, USERMAP rules apply to SVRCONN channels only.

This example allows a connection from a particular IP address only, to start the TO.MYSVR1 channel:

# First you could lock down the channel by disallowing all
# for channel 'TO.MYSVR1', RCVR channel
SET CHLAUTH('TO.MYSVR1') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
DESCR('Back-stop rule')

# Then you could allow this channel to be started
SET CHLAUTH('TO.MYSVR1') TYPE(ADDRESSMAP) ADDRESS('192.168.1.134') USERSRC(MAP)
MCAUSER('mqapp') ACTION(ADD)
This example allows the connection from a particular queue manager only:

# Lock down all access:
SET CHLAUTH('TO.MYSVR1') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
DESCR('Back-stop rule')

# Then allow access from queue manager MYSVR2 and from a particular ipaddress:
SET CHLAUTH('TO.MYSVR1') TYPE(QMGRMAP) QMNAME('MYSVR2') USERSRC(MAP)
MCAUSER('mqapp') ADDRESS('192.168.1.134') ACTION(ADD)