Blocking specific IP addresses

You can prevent a specific channel from accepting an inbound connection from an IP address, or prevent the whole queue manager from accepting connections from an IP address, by using a channel authentication record.


Before starting

Enable channel authentication records by running the following command:
ALTER QMGR CHLAUTH(ENABLED)


To stop specific channels from accepting an inbound connection, and so ensure that connections are only accepted when they use the correct channel name, one type of rule (ADDRESSMAP) can be used to block IP addresses. To deny an IP address access to the whole queue manager, you would normally use a firewall to block it permanently. However, a second type of rule (BLOCKADDR) lets you block a few addresses temporarily, for example while you are waiting for the firewall to be updated.


Procedure

To block IP addresses from using a specific channel, set a channel authentication record by using the MQSC command SET CHLAUTH, or the PCF command Set Channel Authentication Record.

SET CHLAUTH(generic-channel-name) TYPE(ADDRESSMAP) ADDRESS(generic-ip-address) USERSRC(NOACCESS)

There are three parts to the command:

    SET CHLAUTH(generic-channel-name)
    Use this part of the command to control whether you want to block a connection for the entire queue manager, for a single channel, or for a range of channels. The channel name (or generic channel name) you supply determines which channels the rule covers.
    For example:

    • SET CHLAUTH('*') - blocks every channel on a queue manager, that is, the entire queue manager
    • SET CHLAUTH('SYSTEM.*') - blocks every channel that begins with SYSTEM.
    • SET CHLAUTH('SYSTEM.DEF.SVRCONN') - blocks the channel SYSTEM.DEF.SVRCONN

    Type of CHLAUTH rule
    Use this part of the command to specify the type of rule, which determines whether you supply a single address (or wildcard address) or a list of addresses.
    For example:

    • TYPE(ADDRESSMAP) - Use ADDRESSMAP if you want to supply a single address or a wildcard address. For example, ADDRESS('192.168.*') blocks any connection coming from an IP address that starts with 192.168.

      For more information about filtering IP addresses with patterns, see Generic IP addresses.

    • TYPE(BLOCKADDR) - Use BLOCKADDR if you want to supply a list of addresses to block.

    Additional parameters
    These parameters depend on the type of rule you chose in the second part of the command:

    • For TYPE(ADDRESSMAP) we use ADDRESS
    • For TYPE(BLOCKADDR) we use ADDRLIST
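The following MQSC script is an added, worked example of the procedure above, not part of the original page: it enables channel authentication records, adds one rule of each type, verifies them, dry-runs an inbound connection against the rules, and finally removes the temporary block. The channel name SYSTEM.DEF.SVRCONN and the generic address 192.168.* come from the page; the addresses 203.0.113.10 and 203.0.113.11, the client user appuser, and the DESCR text are constructed sample values, and the ACTION(), DISPLAY CHLAUTH and MATCH(RUNCHECK) options are my additions that the page itself does not describe. The script is intended to be fed to runmqsc for the queue manager being hardened.

```mqsc
* Step 1 (from "Before starting"): no CHLAUTH rule takes effect until this is on.
ALTER QMGR CHLAUTH(ENABLED)

* Rule type 1: per-channel block with ADDRESSMAP.
* Any connection from 192.168.* that asks for SYSTEM.DEF.SVRCONN is refused;
* the same client may still be admitted on a channel that has its own rules.
SET CHLAUTH('SYSTEM.DEF.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.168.*') +
    USERSRC(NOACCESS) ACTION(ADD) +
    DESCR('Block 192.168.* from the default SVRCONN channel')

* Rule type 2: queue-manager-wide temporary block with BLOCKADDR.
* BLOCKADDR uses ADDRLIST rather than ADDRESS and the channel profile is '*',
* because the block applies to every channel, not to a named one.
* Sample addresses are constructed for this example.
SET CHLAUTH('*') TYPE(BLOCKADDR) ADDRLIST('203.0.113.10','203.0.113.11') +
    ACTION(ADD) DESCR('Temporary block pending firewall change')

* Check what was stored, one DISPLAY per rule type.
DISPLAY CHLAUTH('*') TYPE(BLOCKADDR)
DISPLAY CHLAUTH('SYSTEM.DEF.SVRCONN') TYPE(ADDRESSMAP)

* Dry-run: ask the queue manager which rule a hypothetical inbound connection
* from 192.168.1.25 as client user 'appuser' would match, without connecting.
DISPLAY CHLAUTH('SYSTEM.DEF.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.168.1.25') CLNTUSER('appuser')

* Once the firewall has been updated, take the temporary block away again.
* This example assumes the same ADDRLIST is supplied on the REMOVE action.
SET CHLAUTH('*') TYPE(BLOCKADDR) ADDRLIST('203.0.113.10','203.0.113.11') +
    ACTION(REMOVE)
```

Keep the two rule types in mind when reading the DISPLAY output: the ADDRESSMAP rule only ever answers for the channel profile it was set on, so an address you thought was fully blocked may still reach the queue manager through a differently named channel. The BLOCKADDR rule is the one that covers every channel, which is why it is the better fit for a short-lived, queue-manager-wide block while the firewall change is outstanding.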
