Blocking specific IP addresses
We can prevent a specific channel from accepting an inbound connection from an IP address, or prevent the whole queue manager from allowing access from an IP address, by using a channel authentication record.
Before you begin
Enable channel authentication records by running the following command:
ALTER QMGR CHLAUTH(ENABLED)
One type of rule blocks IP addresses on specific channels, so that a connection from an address is accepted only when it uses the correct channel name. To deny an IP address access to the whole queue manager, you would normally block it permanently at the firewall. However, a second type of rule lets you block a few addresses temporarily, for example while you are waiting for the firewall to be updated.
Procedure
To block IP addresses from using a specific channel, set a channel authentication record by using the MQSC command SET CHLAUTH, or the PCF command Set Channel Authentication Record.
SET CHLAUTH(generic-channel-name) TYPE(ADDRESSMAP) ADDRESS(generic-ip-address) USERSRC(NOACCESS)
There are three parts to the command:
- SET CHLAUTH (generic-channel-name)
- Use this part of the command to control whether the connection is blocked for the entire queue manager, a single channel, or a range of channels. What you put here determines which channels are covered.
- Type of CHLAUTH rule
- Use this part of the command to specify the type of rule; the type determines whether you supply a single address or a list of addresses.
- Additional parameters
- These parameters depend on the type of rule chosen in the second part of the command:
- For TYPE(ADDRESSMAP) we use ADDRESS
- For TYPE(BLOCKADDR) we use ADDRLIST
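The following runmqsc session, added here as an illustration and not taken from the IBM documentation, puts both rule types together: an ADDRESSMAP rule that blocks one address range on a single channel, and a BLOCKADDR rule that temporarily blocks a few addresses for the whole queue manager, followed by the DISPLAY CHLAUTH checks used to confirm what the queue manager will do. The channel name APP1.SVRCONN, the user ID app1user and all IP addresses are constructed values; the example assumes that server-connection channel already exists, and the DISPLAY, DESCR, ACTION(REMOVE) and MATCH(RUNCHECK) details are taken from the MQSC reference rather than from this page.

```mqsc
* Enable channel authentication records (harmless if already enabled).
ALTER QMGR CHLAUTH(ENABLED)

* Rule type 1: block one address range on a single channel only.
* A generic address may end in * or contain a range such as 192.0.2.1-20.
* APP1.SVRCONN and 192.0.2.* are constructed example values.
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) +
    ADDRESS('192.0.2.*') USERSRC(NOACCESS) +
    DESCR('Block lab subnet on APP1 until firewall is updated')

* Rule type 2: temporarily block a few addresses for the whole queue manager.
* A BLOCKADDR rule always uses the channel name '*' and takes ADDRLIST.
SET CHLAUTH('*') TYPE(BLOCKADDR) +
    ADDRLIST('198.51.100.7', '203.0.113.0-50') +
    DESCR('Temporary block pending firewall change')

* Check 1: list every record now in force, including the BLOCKADDR record.
DISPLAY CHLAUTH('*') MATCH(ALL)

* Check 2: ask the queue manager which rule would apply to one inbound
* connection. RUNCHECK needs a non-generic channel name, ADDRESS and,
* for a server-connection channel, the client user ID (assumed values).
DISPLAY CHLAUTH('APP1.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') CLNTUSER('app1user')

* Once the firewall has been updated, lift the temporary block by removing
* the same addresses from the BLOCKADDR record.
SET CHLAUTH('*') TYPE(BLOCKADDR) +
    ADDRLIST('198.51.100.7', '203.0.113.0-50') ACTION(REMOVE)
```

The RUNCHECK display reports USERSRC(NOACCESS) for the APP1.SVRCONN rule, which confirms the block before any client is affected by it; the BLOCKADDR record is applied by the listener before the channel name is known, which is why it covers the whole queue manager.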