Blocking access for an SSL or TLS Distinguished Name
We can use a channel authentication record to prevent a client that presents a given TLS Distinguished Name (DN) from starting channels.
Before starting
Ensure that channel authentication records are enabled as follows:

    ALTER QMGR CHLAUTH(ENABLED)
Procedure
Set a channel authentication record using the MQSC command SET CHLAUTH, or the PCF command Set Channel Authentication Record. For example, we can issue the MQSC command:

    SET CHLAUTH('generic-channel-name') TYPE(SSLPEERMAP) SSLPEER('generic-ssl-peer-name') SSLCERTI(generic-issuer-name) USERSRC(NOACCESS)

where:
- generic-channel-name is either the name of a channel to which we want to control access, or a pattern including the asterisk (*) symbol as a wildcard that matches the channel name.
- generic-ssl-peer-name is a string following the standard IBM MQ rules for SSLPEER values. See IBM MQ rules for SSLPEER values.
- generic-issuer-name is the Issuer DN of the certificate to match. This parameter is optional, but we should use it when more than one certificate authority is in use, so that the rule does not spuriously match a certificate with the same subject DN issued by a different CA.
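The following runmqsc session is an added example, not part of the IBM MQ documentation: it blocks one specific certificate DN on a set of server-connection channels and then uses DISPLAY CHLAUTH with MATCH(RUNCHECK) to confirm which rule a given connection attempt would hit. The channel names, DNs and client address are assumed placeholder values.

```mqsc
* Added example (not from the IBM MQ documentation). Channel names,
* subject DN, issuer DN and address are assumed placeholder values.
* Block one client certificate DN on every channel matching APP.*.SVRCONN.
SET CHLAUTH('APP.*.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=Revoked Client,OU=Apps,O=Example Corp') +
    SSLCERTI('CN=Example Internal CA,O=Example Corp') +
    USERSRC(NOACCESS) +
    DESCR('Block certificate of decommissioned client app')

* Show the SSLPEERMAP rules now defined for that channel pattern.
DISPLAY CHLAUTH('APP.*.SVRCONN') TYPE(SSLPEERMAP)

* Dry-run the rule matching for a concrete connection attempt.
* MATCH(RUNCHECK) requires a specific (non-generic) channel name and an
* ADDRESS; the SSLPEER given here must be a full DN without wildcards.
* Expected: the rule above is reported, with USERSRC(NOACCESS).
DISPLAY CHLAUTH('APP.PAYROLL.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.25') +
    SSLPEER('CN=Revoked Client,OU=Apps,O=Example Corp') +
    SSLCERTI('CN=Example Internal CA,O=Example Corp')

* Same issuer, different subject DN: the blocking rule must not be the
* one reported, otherwise the SSLPEER filter is broader than intended.
DISPLAY CHLAUTH('APP.PAYROLL.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.25') +
    SSLPEER('CN=Payroll Service,OU=Apps,O=Example Corp') +
    SSLCERTI('CN=Example Internal CA,O=Example Corp')
```

An SSLPEERMAP rule is only evaluated when the client actually presents a certificate over a TLS-enabled channel; a channel with no SSLCIPH set offers no DN to match, so it needs other CHLAUTH rule types (for example ADDRESSMAP or USERMAP) to be controlled.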