Making Channel Authorization changes with Infrared360

Channel Authentication (MQSC Commands)

 

To allow channel authentication records to control inbound channel connections, you must ensure that channel authentication is enabled at the queue manager level. That can be accomplished with the following MQSC command: "ALTER QMGR CHLAUTH(ENABLED)".

 

Channel authentication records are created to accomplish the following:

  • Block access from a specific DNS/IP address
  • Block access from a specific remote queue manager
  • Block access from a specific final assigned user ID
  • Block access from a specific client application user ID
  • Block access from a specific SSL/TLS Distinguished Name
  • Allow access from a specific DNS/IP address
  • Allow access from a specific remote queue manager
  • Allow access from a specific client application user ID
  • Allow access from a specific SSL/TLS Distinguished Name

 

Command example to block access from a specific DNS/IP address:

set chlauth('<specific or generic chl name>') type(addressmap) address(<specific or generic ip address>) usersrc(noaccess)

Command example to block access from a specific remote Queue Manager:

set chlauth('<specific or generic chl name>') type(qmgrmap) qmname('<specific or generic qmgr name>') usersrc(noaccess)

Command example to block access from a final or Application assigned User ID:

set chlauth('<specific or generic chl name>') type(blockuser) userlist(userID1, userID2)

Command example to block access from a specific SSL/TLS Distinguished Name:

set chlauth('<specific or generic chl name>') type(sslpeermap) sslpeer('<specific or generic ssl peer name>') usersrc(noaccess)

 

 

Command example to allow access from a specific DNS/IP Address:

set chlauth('<specific or generic chl name>') type(addressmap) address(<specific or generic ip address>) usersrc(channel)

Command example to allow access from a specific remote Queue Manager:

set chlauth('<specific or generic chl name>') type(qmgrmap) qmname('<specific or generic qmgr name>') usersrc(channel)

Command example to allow access from a specific Application User ID:

set chlauth('<specific or generic chl name>') type(usermap) clntuser('userID1') usersrc(channel)

Command example to allow access from a specific SSL/TLS Distinguished Name:

set chlauth('<specific or generic chl name>') type(sslpeermap) sslpeer('<specific or generic ssl peer name>') usersrc(channel)

 

Types of Channel authentications:

  SET CHLAUTH( channel_profile )

    TYPE( BLOCKUSER | BLOCKADDR | SSLPEERMAP |

          ADDRESSMAP | USERMAP | QMGRMAP )

 

BLOCKUSER:

  SET CHLAUTH( channel_profile )

    TYPE( BLOCKUSER )

    USERLIST( string )

  [ DESCR( string ) ]

  [ CUSTOM( string ) ]

  [ WARN( NO | YES ) ]

  [ ACTION( ADD | REPLACE | REMOVE | REMOVEALL ) ]

 

BLOCKADDR:

SET CHLAUTH( channel_profile )

    TYPE( BLOCKADDR )

    ADDRLIST( string )

  [ DESCR( string ) ]

  [ CUSTOM( string ) ]

  [ WARN( NO | YES ) ]

  [ ACTION( ADD | REPLACE | REMOVE | REMOVEALL ) ]

 

 

SSLPEERMAP:

SET CHLAUTH( channel_profile )

    TYPE( SSLPEERMAP )

    SSLPEER( string )

  [ DESCR( string ) ]

  [ CHCKCLNT( ASQMGR | REQDADM | REQUIRED ) ]

  [ CUSTOM( string ) ]

  [ USERSRC( CHANNEL | MAP | NOACCESS ) ]

  [ MCAUSER( string ) ]                   [ SSLCERTI( string ) ]

  [ WARN( NO | YES ) ]                    [ ADDRESS( string ) ]

  [ ACTION( ADD | REPLACE | REMOVE | REMOVEALL ) ]

 

ADDRESSMAP:

SET CHLAUTH( channel_profile )

    TYPE( ADDRESSMAP )

    ADDRESS( string )

  [ DESCR( string ) ]

  [ CHCKCLNT( ASQMGR | REQDADM | REQUIRED ) ]

  [ CUSTOM( string ) ]

  [ USERSRC( CHANNEL | MAP | NOACCESS ) ]

  [ MCAUSER( string ) ]                   [ WARN( NO | YES ) ]

  [ ACTION( ADD | REPLACE | REMOVE | REMOVEALL ) ]

 

USERMAP:

SET CHLAUTH( channel_profile )

    TYPE( USERMAP )

    CLNTUSER( string )

  [ DESCR( string ) ]

  [ CHCKCLNT( ASQMGR | REQDADM | REQUIRED ) ]

  [ CUSTOM( string ) ]

  [ USERSRC( CHANNEL | MAP | NOACCESS ) ]

  [ MCAUSER( string ) ]                   [ WARN( NO | YES ) ]

  [ ADDRESS( string ) ]

  [ ACTION( ADD | REPLACE | REMOVE | REMOVEALL ) ]

 

QMGRMAP:

SET CHLAUTH( channel_profile )

    TYPE( QMGRMAP )

    QMNAME( string )

  [ DESCR( string ) ]                     [ CUSTOM( string ) ]

  [ USERSRC( CHANNEL | MAP | NOACCESS ) ]

  [ MCAUSER( string ) ]                   [ WARN( NO | YES ) ]

  [ ADDRESS( string ) ]

  [ ACTION( ADD | REPLACE | REMOVE | REMOVEALL ) ]

 

 

Explanations and examples of the different uses and configurations of channel authentication records can be found at the following IBM MQ links:

 

https://www.ibm.com/docs/en/ibm-mq/9.2?topic=mechanisms-channel-authentication-records

https://www.mqtechconference.com/sessions_v2014/CHLAUTH_in_V8.pdf

 

*** Note: If you copy and paste the examples, you may need to change the single quote “ ‘ ” from Word to the correct single quote in the system editor.
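
A small linter for SET CHLAUTH commands, covering both the per-TYPE syntax listings above and the Word-quote problem from the note. This is an added example, not part of the original article or of Infrared360; the function name lint_chlauth and the channel name APP1.SVRCONN are assumptions, and it checks only the parameters listed on this page, not the full MQSC grammar.

```python
import re

# Required and optional parameters per TYPE, from the syntax listings on this page.
COMMON = {"DESCR", "CUSTOM", "WARN", "ACTION"}
MAPOPTS = COMMON | {"USERSRC", "MCAUSER"}
SYNTAX = {
    "BLOCKUSER": ("USERLIST", COMMON),
    "BLOCKADDR": ("ADDRLIST", COMMON),
    "SSLPEERMAP": ("SSLPEER", MAPOPTS | {"CHCKCLNT", "SSLCERTI", "ADDRESS"}),
    "ADDRESSMAP": ("ADDRESS", MAPOPTS | {"CHCKCLNT"}),
    "USERMAP": ("CLNTUSER", MAPOPTS | {"CHCKCLNT", "ADDRESS"}),
    "QMGRMAP": ("QMNAME", MAPOPTS | {"ADDRESS"}),
}
ENUMS = {
    "USERSRC": {"CHANNEL", "MAP", "NOACCESS"},
    "WARN": {"NO", "YES"},
    "ACTION": {"ADD", "REPLACE", "REMOVE", "REMOVEALL"},
    "CHCKCLNT": {"ASQMGR", "REQDADM", "REQUIRED"},
}
# Word-processor quotes that MQSC will not accept as string delimiters.
SMART = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})
# KEYWORD(value), where value is either a quoted string or unquoted text.
PARAM = re.compile(r"(\w+)\(\s*('[^']*'|[^()]*?)\s*\)")

def lint_chlauth(command):
    """Return (normalized_command, problems) for one SET CHLAUTH line."""
    fixed, problems = command.translate(SMART), []
    if fixed != command:
        problems.append("word-processor quotes replaced with ASCII quotes")
    if not re.match(r"\s*SET\s+CHLAUTH\(", fixed, re.I):
        return fixed, problems + ["not a SET CHLAUTH command"]
    params = {k.upper(): v.strip("'") for k, v in PARAM.findall(fixed)}
    rtype = params.get("TYPE", "").upper()
    if rtype not in SYNTAX:
        return fixed, problems + [f"unknown TYPE({rtype})"]
    required, optional = SYNTAX[rtype]
    if required not in params:
        problems.append(f"TYPE({rtype}) requires {required}")
    for key in sorted(set(params) - {"CHLAUTH", "TYPE", required} - optional):
        problems.append(f"{key} is not valid for TYPE({rtype})")
    for key, allowed in ENUMS.items():
        if key in params and params[key].upper() not in allowed:
            problems.append(f"{key}({params[key]}) not in {sorted(allowed)}")
    return fixed, problems

if __name__ == "__main__":
    # Constructed sample: a USERMAP record written with USERLIST and Word quotes.
    sample = "set chlauth(\u2018APP1.SVRCONN\u2019) type(usermap) userlist(userID1) usersrc(channel)"
    print(*lint_chlauth(sample), sep="\n")
```

Running the linter over a script before feeding it to the queue manager catches records that would be rejected or would not express the intended rule.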
