Configure a queue manager to accept client connections on Windows, UNIX and IBM i

Before we can run the sample applications, we must first create a queue manager. You can then configure the queue manager to securely accept incoming connection requests from applications that are running in client mode.


Before starting

Ensure the queue manager already exists and has been started. Determine whether channel authentication records are already enabled by issuing the MQSC command: 
DISPLAY QMGR CHLAUTH
Important: This task expects that channel authentication records are enabled. If this is a queue manager used by other users and applications, changing this setting will affect all other users and applications. If your queue manager does not make use of channel authentication records then step 4 can be replaced with an alternate authentication method (for example, a security exit) which sets the MCAUSER to the non-privileged-user-id we will obtain in step 1.

We must know which channel name the application expects to use so that the application can be permitted to use the channel. We must also know which objects, for example queues or topics, the application expects to use so that the application can be permitted to use them.


This task creates a non-privileged user ID to be used for a client application which connects to the queue manager. Access is granted for the client application only to be able to use the channel it needs and the queue it needs by use of this user ID.


Procedure

  1. Obtain a user ID on the system your queue manager is running on. For this task this user ID must not be a privileged administrative user. This user ID will be the authority under which the client connection will run on the queue manager.
  2. Start a listener program with the following commands where:

    • qmgr-name is the name of our queue manager
    • nnnn is your chosen port number

    1. For UNIX and Windows systems: 
      runmqlsr -t tcp -m qmgr-name -p nnnn
    2. For IBM i: 
      STRMQMLSR MQMNAME(qmgr-name) PORT(nnnn)

  3. If the application uses the SYSTEM.DEF.SVRCONN then this channel is already defined. If your application uses another channel, create it by issuing the MQSC command: 
    DEFINE CHANNEL(' channel-name ') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
DESCR('Channel for use by sample programs')

    • channel-name is the name of our channel.

  4. Create a channel authentication rule allowing only the IP address of our client system to use the channel by issuing the MQSC command: 
    SET CHLAUTH(' channel-name ') TYPE(ADDRESSMAP) ADDRESS(' client-machine-IP-address ') +
MCAUSER(' non-privileged-user-id ')

    • channel-name is the name of our channel.
    • client-machine-IP-address is the IP address of our client system.
    • If your sample client application is running on the same machine as the queue manager then use an IP address of '127.0.0.1' if the application is going to connect using 'localhost'. If several different client machines are going to connect in, we can use a pattern or a range instead of a single IP address. See Generic IP addresses for details.
    • non-privileged-user-id is the user ID you obtained in step 1

  5. If the application uses the SYSTEM.DEFAULT.LOCAL.QUEUE then this queue is already defined. If the application uses another queue, create it by issuing the MQSC command: 
    DEFINE QLOCAL(' queue-name ') DESCR('Queue for use by sample programs')

    • queue-name is the name of our queue.

  6. Grant access to connect to and inquire the queue manager:
    1. For IBM i, UNIX and Windows systems issue the MQSC commands: 
      SET AUTHREC OBJTYPE(QMGR) PRINCIPAL(' non-privileged-user-id ') +
AUTHADD(CONNECT, INQ)

      • non-privileged-user-id is the user ID you obtained in step 1

  7. If the application is a point-to-point application, that is it makes use of queues, grant access to allow inquiring and the putting and getting messages using your queue by the user ID to be used, by issuing the MQSC commands:
    1. For IBM i, UNIX and Windows systems issue the MQSC commands: 
      SET AUTHREC PROFILE(' queue-name ') OBJTYPE(QUEUE) +
PRINCIPAL(' non-privileged-user-id ') AUTHADD(PUT, GET, INQ, BROWSE)

      • queue-name is the name of our queue.
      • non-privileged-user-id is the user ID you obtained in step 1

  8. If the application is a publish/subscribe application, that is it makes use of topics, grant access to allow publishing and subscribing using your topic by the user ID to be used, by issuing the MQSC commands:
    1. For IBM i, UNIX and Windows systems issue the MQSC commands: 
      SET AUTHREC PROFILE('SYSTEM.BASE.TOPIC') OBJTYPE(TOPIC) +
PRINCIPAL(' non-privileged-user-id ') AUTHADD(PUB, SUB)

      • non-privileged-user-id is the user ID you obtained in step 1
      • This will give non-privileged-user-id access to any topic in the topic tree, alternatively, we can define a topic object using DEFINE TOPIC and grant accesses only to the part of the topic tree referenced by that topic object. See Control user access to topics for details.


What to do next

Your client application can now connect to the queue manager and put or get messages using the queue. Parent topic: Preparing and running the sample programs


Related information