Securing remote connectivity to the queue manager
We can secure remote connectivity to the queue manager using TLS, a security exit, channel authentication records, or a combination of these methods.
You connect a client to the queue manager by using a client-connection channel on the client workstation and a server-connection channel on the server. Secure such connections in one of the following ways.
Procedure
- Using TLS with channel authentication records:
  - Prevent any Distinguished Name (DN) from opening a channel, by using an SSLPEERMAP channel authentication record to map all DNs to USERSRC(NOACCESS).
  - Allow specific DNs or sets of DNs to open a channel, by using an SSLPEERMAP channel authentication record to map them to USERSRC(CHANNEL).
- Using TLS with a security exit:
  - Set MCAUSER on the server-connection channel to a user identifier with no privileges.
  - Write a security exit that assigns an MCAUSER value depending on the TLS DN it receives in the SSLPeerNamePtr and SSLPeerNameLength fields passed to the exit in the MQCD structure.
- Using TLS with fixed channel definition values:
  - Set SSLPEER on the server-connection channel to a specific value or a narrow range of values.
  - Set MCAUSER on the server-connection channel to the user ID the channel should run with.
- Using channel authentication records on channels that do not use TLS:
  - Prevent any IP address from opening channels, by using an address-mapping channel authentication record with ADDRESS(*) and USERSRC(NOACCESS).
  - Allow specific IP addresses to open channels, by using address-mapping channel authentication records for those addresses with USERSRC(CHANNEL).
- Using a security exit:
  - Write a security exit to authorize connections based on any property you choose, for example, the originating IP address.
It is also possible to use channel authentication records together with a security exit, or to use all three methods, if your particular circumstances require it.
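The following MQSC commands are an added worked example of the first and fourth options above; they are not part of the IBM documentation. The channel names APP.SVRCONN and APP.PLAIN.SVRCONN, the DN CN=app1,O=EXAMPLE, the address ranges, and the MCAUSER appuser are constructed for illustration. Run them in runmqsc against the queue manager; the final DISPLAY commands with MATCH(RUNCHECK) evaluate the records exactly as a real connection would, so you can confirm the default-deny record is in effect before any client connects.

```mqsc
* Channel authentication records are only evaluated when CHLAUTH is enabled
* on the queue manager (the default for new queue managers, but check it).
ALTER QMGR CHLAUTH(ENABLED)

* --- Option 1: TLS with channel authentication records ---------------------
* Hypothetical TLS server-connection channel (constructed name). SSLCAUTH(REQUIRED)
* forces the client to present a certificate, so every connection carries a DN
* for the SSLPEERMAP records to evaluate. MCAUSER is a low-privilege ID that the
* channel runs under whenever a record returns USERSRC(CHANNEL).
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(ANY_TLS12_OR_HIGHER) SSLCAUTH(REQUIRED) +
       MCAUSER('appuser') REPLACE

* Default deny: this filter is assumed to match every client certificate.
* It matches only DNs that contain a CN attribute, which is why the RUNCHECK
* below is worth running against a certificate subject from each CA you trust.
SET CHLAUTH(APP.SVRCONN) TYPE(SSLPEERMAP) SSLPEER('CN=*') +
    USERSRC(NOACCESS) DESCR('Deny any DN not explicitly allowed')

* Allow one application DN. The more specific SSLPEER filter takes precedence,
* so this record overrides the wildcard record for that DN only.
SET CHLAUTH(APP.SVRCONN) TYPE(SSLPEERMAP) SSLPEER('CN=app1,O=EXAMPLE') +
    USERSRC(CHANNEL) DESCR('Allow app1; run as the channel MCAUSER')

* --- Option 4: address-mapping records on a channel without TLS ------------
DEFINE CHANNEL(APP.PLAIN.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('appuser') REPLACE

SET CHLAUTH(APP.PLAIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Deny every IP address by default')
SET CHLAUTH(APP.PLAIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('192.0.2.*') +
    USERSRC(CHANNEL) DESCR('Allow the application subnet')

* --- Check: evaluate the records as a connection would, without connecting --
* The output names the record that matched and the resulting MCAUSER.
* Expected: the first call matches the app1 record; the second and third hit
* the NOACCESS records.
DISPLAY CHLAUTH(APP.SVRCONN) MATCH(RUNCHECK) +
        ADDRESS('192.0.2.10') SSLPEER('CN=app1,O=EXAMPLE')
DISPLAY CHLAUTH(APP.SVRCONN) MATCH(RUNCHECK) +
        ADDRESS('192.0.2.10') SSLPEER('CN=other,O=EXAMPLE')
DISPLAY CHLAUTH(APP.PLAIN.SVRCONN) MATCH(RUNCHECK) ADDRESS('203.0.113.5')
```

Two design points are worth noting. USERSRC(CHANNEL) does not grant any authority by itself; it only lets the connection proceed under the channel's MCAUSER, so the OAM authorizations of that ID still bound what the client can do. And a wildcard deny record plus a small set of explicit allow records is the shape to aim for, because a channel with no matching record at all is not blocked by CHLAUTH.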
- Blocking specific user IDs
  We can prevent specific users from using a channel by specifying user IDs that, if asserted, cause the channel to end. Do this by setting a channel authentication record.
- Mapping a remote queue manager to an MCAUSER user ID
  We can use a channel authentication record to set the MCAUSER attribute of a channel, according to the queue manager from which the channel is connecting.
- Mapping a client user ID to an MCAUSER user ID
  We can use a channel authentication record to change the MCAUSER attribute of a server-connection channel, according to the user ID received from a client.
- Mapping an SSL or TLS Distinguished Name to an MCAUSER user ID
  We can use a channel authentication record to set the MCAUSER attribute of a channel, according to the Distinguished Name (DN) received.
- Blocking access from a remote queue manager
  We can use a channel authentication record to prevent a remote queue manager from starting channels.
- Blocking access for a client user ID
  We can use a channel authentication record to prevent a client user ID from establishing a channel connection.
- Blocking access for an SSL or TLS Distinguished Name
  We can use a channel authentication record to prevent a TLS Distinguished Name (DN) from starting channels.
- Mapping an IP address to an MCAUSER user ID
  We can use a channel authentication record to set the MCAUSER attribute of a channel, according to the IP address from which the connection is received.
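As an added example covering the mapping and blocking topics listed above (not taken from the IBM documentation), the MQSC below sets one record of each type. Every name in it is constructed: the channels APP.SVRCONN and QM2.TO.QM1, the queue managers QM2 and QMTEST, the user IDs, and the DNs. The contrast with USERSRC(CHANNEL) in the previous options is that USERSRC(MAP) assigns a specific MCAUSER per record, so different callers on the same channel can run under different identities.

```mqsc
* Block specific user IDs on every channel. The *MQADMIN token expands to the
* MQ administrators group; BLOCKUSER is checked against the final MCAUSER after
* all mapping records have been applied, so a mapping cannot bypass it.
SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN','svc_legacy') +
    DESCR('Never let these IDs run a channel')

* Map a remote queue manager to an MCAUSER on a receiver channel, and block
* another queue manager outright.
SET CHLAUTH(QM2.TO.QM1) TYPE(QMGRMAP) QMNAME('QM2') +
    USERSRC(MAP) MCAUSER('qm2user')
SET CHLAUTH(QM2.TO.QM1) TYPE(QMGRMAP) QMNAME('QMTEST') USERSRC(NOACCESS)

* Map a client-asserted user ID to an MCAUSER, but only from one subnet, since a
* client-asserted ID is unauthenticated unless CONNAUTH also requires a password.
SET CHLAUTH(APP.SVRCONN) TYPE(USERMAP) CLNTUSER('jsmith') +
    ADDRESS('192.0.2.*') USERSRC(MAP) MCAUSER('appuser')
SET CHLAUTH(APP.SVRCONN) TYPE(USERMAP) CLNTUSER('guest') USERSRC(NOACCESS)

* Map a TLS DN to an MCAUSER. SSLCERTI pins the issuer DN as well, so a
* certificate with the same subject issued by a different CA does not match.
SET CHLAUTH(APP.SVRCONN) TYPE(SSLPEERMAP) SSLPEER('CN=app1,O=EXAMPLE') +
    SSLCERTI('CN=Example CA,O=EXAMPLE') USERSRC(MAP) MCAUSER('appuser')
SET CHLAUTH(APP.SVRCONN) TYPE(SSLPEERMAP) SSLPEER('O=CONTRACTOR') +
    USERSRC(NOACCESS)

* Map a single IP address to an MCAUSER.
SET CHLAUTH(APP.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('192.0.2.10') +
    USERSRC(MAP) MCAUSER('appuser')

* Review what is in force, then evaluate a specific caller.
DISPLAY CHLAUTH(APP.SVRCONN) ALL
DISPLAY CHLAUTH(APP.SVRCONN) MATCH(RUNCHECK) ADDRESS('192.0.2.10') +
        CLNTUSER('jsmith') SSLPEER('CN=app1,O=EXAMPLE')
```

When several record types match one connection, the queue manager applies a fixed precedence (for example, an SSLPEERMAP match is considered before a USERMAP match), and a NOACCESS result at any stage ends the channel; the RUNCHECK display is the quickest way to see which record won for a given caller.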
Parent topic: Granting required access to resources