Securing remote connectivity to the queue manager

We can secure remote connectivity to the queue manager using TLS, a security exit, channel authentication records, or a combination of these methods.

You connect a client to the queue manager by using a client-connection channel on the client workstation and a server-connection channel on the server. Secure such connections in one of the following ways.

Procedure

1. Using TLS with channel authentication records:
   1. Prevent any Distinguished Name (DN) from opening a channel, by using an SSLPEERMAP channel authentication record to map all DNs to USERSRC(NOACCESS).
   2. Allow specific DNs or sets of DNs to open a channel by using an SSLPEERMAP channel authentication record to map them to USERSRC(CHANNEL).

2. Using TLS with a security exit:
   1. Set MCAUSER on the server-connection channel to a user identifier with no privileges.
   2. Write a security exit to assign an MCAUSER value depending on the value of TLS DN it receives in the SSLPeerNamePtr and SSLPeerNameLength fields passed to the exit in the MQCD structure.

3. Using TLS with fixed channel definition values:
   1. Set SSLPEER on the server-connection channel to a specific value or narrow range of values.
   2. Set MCAUSER on the server-connection channel to the user ID the channel should run with.

4. Using channel authentication records on channels that do not use TLS:
   1. Prevent any IP address from opening channels, by using an address-mapping channel authentication record with ADDRESS(*) and USERSRC(NOACCESS).
   2. Allow specific IP addresses to open channels, by using address-mapping channel authentication records for those addresses with USERSRC(CHANNEL).

5. Using a security exit:
   1. Write a security exit to authorize connections based on any property you choose, for example, the originating IP address.

6. It is also possible to use channel authentication records with a security exit, or to use all three methods, if your particular circumstances require it.

• Blocking specific user IDs
  We can prevent specific users from using a channel by specifying user IDs that, if asserted, cause the channel to end. Do this by setting a channel authentication record.
• Mapping a remote queue manager to an MCAUSER user ID
  We can use a channel authentication record to set the MCAUSER attribute of a channel, according to the queue manager from which the channel is connecting.
• Mapping a client user ID to an MCAUSER user ID
  We can use a channel authentication record to change the MCAUSER attribute of a server-connection channel, according to the user ID received from a client.
• Mapping an SSL or TLS Distinguished Name to an MCAUSER user ID
  We can use a channel authentication record to set the MCAUSER attribute of a channel, according to the Distinguished Name (DN) received.
• Blocking access from a remote queue manager
  We can use a channel authentication record to prevent a remote queue manager from starting channels.
• Blocking access for a client user ID
  We can use a channel authentication record to prevent a client user ID from establishing a channel connection.
• Blocking access for an SSL or TLS Distinguished Name
  We can use a channel authentication record to prevent a TLS Distinguished Name (DN) from starting channels.
• Mapping an IP address to an MCAUSER user ID
  We can use a channel authentication record to set the MCAUSER attribute of a channel, according to the IP address from which the connection is received.

Parent topic: Granting required access to resources