Connect to a queue manager in client mode with channel authentication

IBM WebSphere MQ Version 7.1 introduced channel authentication records to control access more precisely at the channel level. As a result of the default records that a new queue manager is created with, newly created IBM WebSphere MQ Version 7.1 or later queue managers reject client connections from the Managed File Transfer component until you configure channel authentication for the channel that Managed File Transfer uses.

For more information about channel authentication, see Channel authentication records.

If the channel authentication configuration for the SVRCONN channel used by Managed File Transfer maps connections to a non-privileged MCAUSER ID, we must grant specific authority records for the queue manager, queues, and topics so that the Managed File Transfer agent and commands work correctly. Use the MQSC command SET CHLAUTH or the PCF command Set Channel Authentication Record to create, modify, or remove channel authentication records. For the Managed File Transfer agents that we want to connect to the Version 7.1 or later queue manager, we can either set up one MCAUSER ID that all agents share, or set up a separate MCAUSER ID for each agent. A separate ID per agent keeps the authority records narrower, because each agent then needs access only to its own SYSTEM.FTE.*.agent_name queues plus the specific cross-agent grants listed under file transfers.

Grant each MCAUSER ID the following permissions:

  • Authority records required for the queue manager:

    • connect
    • setid
    • inq

  • Authority records required for queues.

    For the agent-specific queues (the queue names that end in agent_name in the following list), create these queue authority records for each agent that we want to connect to the IBM WebSphere MQ Version 7.1 or later queue manager by using a client connection.

    • put, get, dsp (SYSTEM.DEFAULT.MODEL.QUEUE)
    • put, get, setid, browse (SYSTEM.FTE.COMMAND.agent_name)
    • put, get (SYSTEM.FTE.DATA.agent_name)
    • put, get (SYSTEM.FTE.REPLY.agent_name)
    • put, get, inq, browse (SYSTEM.FTE.STATE.agent_name)
    • put, get, browse (SYSTEM.FTE.EVENT.agent_name)
    • put, get (SYSTEM.FTE)

  • Authority records required for topics:

    • sub, pub (SYSTEM.FTE)

  • Authority records required for file transfers.

    If we use separate MCAUSER IDs for the source and destination agents, create the additional authority records on the agents' queues at both the source and the destination, because each agent's MCAUSER must put messages onto the other agent's queues during a transfer.

    For example, if the source agent's MCAUSER ID is user1 and the destination agent MCAUSER ID is user2, set the following authorities for the agent users:

    Agent user   Queue                                        Authority required
    user1        SYSTEM.FTE.DATA.destination_agent_name       put
    user1        SYSTEM.FTE.COMMAND.destination_agent_name    put
    user2        SYSTEM.FTE.REPLY.source_agent_name           put
    user2        SYSTEM.FTE.COMMAND.source_agent_name         put
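The following shell script is an added example, not part of this page or of IBM's own Managed File Transfer tooling. It turns the channel authentication mapping and the authority records listed above into the SET CHLAUTH and setmqaut commands an administrator would run, so the grants can be generated per agent, reviewed, and then piped into runmqsc and sh. The names QM1, MFT.SVRCONN, fteuser, AGENT1, AGENT2, user1 and user2 are assumptions chosen for the example; the queue, topic and authority names are the ones from the lists above.

```shell
#!/bin/sh
# Added example: generate the CHLAUTH record and setmqaut authority records
# for Managed File Transfer agents that connect in client mode.
# Assumed names (not from the page): queue manager QM1, channel MFT.SVRCONN,
# client-asserted user fteuser, agents AGENT1/AGENT2, MCAUSERs user1/user2.

# MQSC that maps a client-asserted user ID on the MFT SVRCONN to a
# non-privileged MCAUSER. Feed the output to: runmqsc QM1
mft_chlauth_mqsc() {
  chl=$1; clntuser=$2; mcauser=$3
  printf "SET CHLAUTH('%s') TYPE(USERMAP) CLNTUSER('%s') USERSRC(MAP) MCAUSER('%s') ACTION(ADD)\n" \
    "$chl" "$clntuser" "$mcauser"
}

# setmqaut commands for one agent's MCAUSER: queue manager, the agent's own
# SYSTEM.FTE.*.agent queues, the shared SYSTEM.FTE queue and topic.
# Feed the output to: sh
mft_agent_auths() {
  qm=$1; agent=$2; user=$3
  printf '%s\n' \
    "setmqaut -m $qm -t qmgr -p $user +connect +setid +inq" \
    "setmqaut -m $qm -t queue -n SYSTEM.DEFAULT.MODEL.QUEUE -p $user +put +get +dsp" \
    "setmqaut -m $qm -t queue -n SYSTEM.FTE.COMMAND.$agent -p $user +put +get +setid +browse" \
    "setmqaut -m $qm -t queue -n SYSTEM.FTE.DATA.$agent -p $user +put +get" \
    "setmqaut -m $qm -t queue -n SYSTEM.FTE.REPLY.$agent -p $user +put +get" \
    "setmqaut -m $qm -t queue -n SYSTEM.FTE.STATE.$agent -p $user +put +get +inq +browse" \
    "setmqaut -m $qm -t queue -n SYSTEM.FTE.EVENT.$agent -p $user +put +get +browse" \
    "setmqaut -m $qm -t queue -n SYSTEM.FTE -p $user +put +get" \
    "setmqaut -m $qm -t topic -n SYSTEM.FTE -p $user +sub +pub"
}

# Cross-agent grants needed for a transfer when source and destination agents
# run under different MCAUSERs: each side only gets +put on the other's queues.
mft_transfer_auths() {
  qm=$1; src_agent=$2; src_user=$3; dst_agent=$4; dst_user=$5
  printf '%s\n' \
    "setmqaut -m $qm -t queue -n SYSTEM.FTE.DATA.$dst_agent -p $src_user +put" \
    "setmqaut -m $qm -t queue -n SYSTEM.FTE.COMMAND.$dst_agent -p $src_user +put" \
    "setmqaut -m $qm -t queue -n SYSTEM.FTE.REPLY.$src_agent -p $dst_user +put" \
    "setmqaut -m $qm -t queue -n SYSTEM.FTE.COMMAND.$src_agent -p $dst_user +put"
}

# Stand-alone run: print everything for AGENT1 (user1) and AGENT2 (user2) on
# QM1 so it can be reviewed before being applied.
mft_chlauth_mqsc MFT.SVRCONN fteuser user1
mft_agent_auths QM1 AGENT1 user1
mft_agent_auths QM1 AGENT2 user2
mft_transfer_auths QM1 AGENT1 user1 AGENT2 user2
```

Two caveats when applying the output. First, on UNIX and Linux systems setmqaut -p grants the authority to the user's primary group rather than to the individual user, so check the effective result with dspmqaut against the same principal before trusting it. Second, a USERMAP record keyed only on CLNTUSER trusts the user ID that the client asserts, which Version 7.1 does not authenticate; restrict the same channel with an ADDRESS or SSLPEER match, or require TLS client certificates on the SVRCONN, so that an arbitrary client cannot present fteuser and inherit the agent's authorities.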

Parent topic: Securing Managed File Transfer

Last updated: 2020-10-04