Blocking specific IP addresses
You can prevent a specific channel from accepting an inbound connection from an IP address, or prevent the whole queue manager from accepting connections from an IP address, by using a channel authentication record.
Before starting
Enable channel authentication records by running the following MQSC command:
ALTER QMGR CHLAUTH(ENABLED)
One type of rule blocks an IP address from using specific channels. Use it to stop a channel from accepting inbound connections from that address and to ensure that connections are accepted only when they use the correct channel name. To deny an IP address access to the whole queue manager, you would normally block it permanently at a firewall. A second type of rule lets you block a few addresses at the queue manager temporarily, for example while you are waiting for the firewall to be updated.
Procedure
To block IP addresses from using a specific channel, set a channel authentication record by using the MQSC command SET CHLAUTH, or the PCF command Set Channel Authentication Record:
SET CHLAUTH(generic-channel-name) TYPE(ADDRESSMAP) ADDRESS(generic-ip-address) USERSRC(NOACCESS)
There are three parts to the command:
- SET CHLAUTH (generic-channel-name)
- This part of the command sets the scope of the rule: a single channel, a range of channels that match a generic name, or the entire queue manager. For a rule that applies to the whole queue manager, the channel name must be '*'.
- Type of CHLAUTH rule
- This part of the command specifies the rule type, which in turn determines whether you supply a single generic address or a list of addresses.
- Additional parameters
- These parameters depend on the rule type given in the second part of the command:
- For TYPE(ADDRESSMAP), use ADDRESS, together with USERSRC(NOACCESS) to refuse the connection
- For TYPE(BLOCKADDR), use ADDRLIST
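The procedure above, worked through end to end as an added example; this is not from the original page. It assumes a hypothetical queue manager QM1 with channels named APP.SVRCONN and APP.*, and the addresses are illustrative. The commands are typed into runmqsc QM1.

```mqsc
* Added example (not from the original page). Queue manager QM1, channel
* names and IP addresses are assumptions chosen for illustration.

* 1. Make sure channel authentication records are evaluated at all.
ALTER QMGR CHLAUTH(ENABLED)

* 2. Channel-level block: TYPE(ADDRESSMAP) with USERSRC(NOACCESS).
*    Refuses connections from 10.20.30.* on APP.SVRCONN only; the same
*    addresses can still use other channels. Generic values are quoted.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.20.30.*') +
    USERSRC(NOACCESS) DESCR('Block lab subnet from APP.SVRCONN')

* 2a. A range inside an octet is also a valid generic address, and a
*     generic channel name covers every channel that matches it.
SET CHLAUTH('APP.*') TYPE(ADDRESSMAP) ADDRESS('10.20.31.10-20') +
    USERSRC(NOACCESS) DESCR('Block 10.20.31.10-20 from all APP.* channels')

* 3. Queue-manager-level block: TYPE(BLOCKADDR) with ADDRLIST.
*    The channel name must be '*'. The connection is closed before any
*    channel starts, so use this as the temporary block while the
*    firewall change is pending. ADDRLIST takes a comma-separated list.
SET CHLAUTH('*') TYPE(BLOCKADDR) +
    ADDRLIST('10.20.30.40', '10.20.32.*') +
    DESCR('Temporary block until firewall ticket is complete')

* 4. Check what is in effect.
DISPLAY CHLAUTH('*') ALL
DISPLAY CHLAUTH('*') TYPE(BLOCKADDR)

* 4a. Ask the queue manager which rule would apply to a given inbound
*     connection. The channel name here must be a full name, not generic.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('10.20.30.7')

* 5. Lift the temporary block once the firewall has been updated.
*    ACTION(REMOVE) needs the same identifying fields as the SET.
SET CHLAUTH('*') TYPE(BLOCKADDR) ADDRLIST('10.20.30.40', '10.20.32.*') +
    ACTION(REMOVE)
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.20.30.*') +
    ACTION(REMOVE)
```

Two caveats worth keeping in mind when you use ADDRESSMAP rules this way. First, they are matched most-specific-first, so a more specific ADDRESSMAP rule for a single host inside a blocked range takes precedence over the NOACCESS rule for the range; after adding a block, run the MATCH(RUNCHECK) display for an address you expect to be refused. Second, channel authentication records are checked when a channel starts, so a connection that is already running when you add the rule is not dropped by it.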
Temporarily blocking specific IP addresses if the queue manager is not running
You might want to block particular IP addresses, or ranges of addresses, when the queue manager is not running and you therefore cannot issue MQSC commands. On an exceptional basis, you can temporarily block IP addresses by modifying the blockaddr.ini file while the queue manager is stopped; the queue manager picks up the change when it starts.