Securing remote connectivity to the queue manager

We can secure remote connectivity to the queue manager using TLS, a security exit, channel authentication records, or a combination of these methods.


You connect a client to the queue manager by using a client-connection channel on the client workstation and a server-connection channel on the server. Secure such connections in one of the following ways.


Procedure

  1. Using TLS with channel authentication records:
    1. Prevent any Distinguished Name (DN) from opening a channel, by using an SSLPEERMAP channel authentication record to map all DNs to USERSRC(NOACCESS).
    2. Allow specific DNs or sets of DNs to open a channel by using an SSLPEERMAP channel authentication record to map them to USERSRC(CHANNEL).

  2. Using TLS with a security exit:
    1. Set MCAUSER on the server-connection channel to a user identifier with no privileges.
    2. Write a security exit to assign an MCAUSER value depending on the value of TLS DN it receives in the SSLPeerNamePtr and SSLPeerNameLength fields passed to the exit in the MQCD structure.

  3. Using TLS with fixed channel definition values:
    1. Set SSLPEER on the server-connection channel to a specific value or narrow range of values.
    2. Set MCAUSER on the server-connection channel to the user ID the channel should run with.

  4. Using channel authentication records on channels that do not use TLS:
    1. Prevent any IP address from opening channels, by using an address-mapping channel authentication record with ADDRESS(*) and USERSRC(NOACCESS).
    2. Allow specific IP addresses to open channels, by using address-mapping channel authentication records for those addresses with USERSRC(CHANNEL).

  5. Using a security exit:
    1. Write a security exit to authorize connections based on any property you choose, for example, the originating IP address.

  6. It is also possible to use channel authentication records with a security exit, or to use all three methods, if your particular circumstances require it.

Parent topic: Granting required access to resources