My collection of CHLAUTH articles spread over the internet. Collected to help me with my daily MQ administrative job.
Before starting out with CHLAUTH please take note of:
IBM MQ Security – things to note
- Don't leave channels wide open. A SVRCONN channel with a blank MCAUSER runs under whatever user ID the client asserts, so any client can impersonate any user, including an MQ administrator, and obtain full administrative authority.
- Ensure channels are effectively locked down: a low-privileged MCAUSER for application channels, and strong controls (TLS certificate mapping, address restrictions) on the few channels administrators are allowed to use.
- A deny-all policy by default is best: a back-stop rule that blocks every connection the other rules do not explicitly handle
- - Then add more specific rules that grant exactly the access each channel needs
- IBM MQ AMS (Advanced Message Security) adds message-level protection (signing and encryption of the message payload) on top of the link-level protection that TLS and CHLAUTH give you; it complements channel security rather than replacing it.
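As an added example (my own MQSC, not taken from any of the linked articles), the commands below put the notes above into practice on a queue manager: the deny-all back-stop rule first, then one specific rule per application channel that forces a low-privileged MCAUSER, and finally RUNCHECK displays that show which rule the queue manager would pick for a given connection. The channel name, addresses and user ID (APP1.SVRCONN, 10.20.30.*, appuser) are made-up placeholders; feed the file to runmqsc against your own queue manager and substitute your names.

```mqsc
* Added example, not from the linked articles. All names and addresses are placeholders.
* Make sure CHLAUTH checking is switched on for the queue manager.
ALTER QMGR CHLAUTH(ENABLED)

* Back-stop rule: any channel, any address, no access. The most specific
* matching rule wins, so the channel-specific rules below override this one
* only for the channels they name; everything else stays blocked.
SET CHLAUTH(*) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(NOACCESS) +
    DESCR('Back-stop rule: block everything not explicitly allowed') ACTION(REPLACE)

* Application channel. Never leave MCAUSER blank: with a blank MCAUSER the
* client-asserted user ID is used, and a client can simply claim to be mqm.
DEFINE CHANNEL('APP1.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
    MCAUSER('appuser') REPLACE

* Allow APP1.SVRCONN only from the application subnet, and run it under the
* channel's own MCAUSER (USERSRC(CHANNEL)) rather than the client-asserted ID.
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.20.30.*') +
    USERSRC(CHANNEL) DESCR('App servers only, forced to appuser') ACTION(REPLACE)

* Verify with RUNCHECK: the display returns the single rule the queue manager
* would select for exactly this connection. Expected here: the APP1.SVRCONN
* rule with USERSRC(CHANNEL).
DISPLAY CHLAUTH('APP1.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('10.20.30.40') CLNTUSER('appuser')

* Same channel from outside the subnet. Expected: the back-stop rule with
* USERSRC(NOACCESS), i.e. the connection would be refused and the client
* would see reason code 2035 (MQRC_NOT_AUTHORIZED).
DISPLAY CHLAUTH('APP1.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') CLNTUSER('appuser')
```

RUNCHECK needs a concrete (non-generic) channel name and an ADDRESS; it does not open a connection, so it is safe to run on a live queue manager while you build up the rule set. Remember that CHLAUTH only decides which rule applies and which user ID the channel runs under; it does not by itself verify that the client is who it claims to be, which is what TLS certificate mapping (and, from MQ 8.0 onward, CONNAUTH password checking) is for.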
CHLAUTH Made Simple
Common Scenarios and Examples and how to Verify them with RUNCHECK
You find the article here: http://www-01.ibm.com/support/docview.wss?uid=swg27041997&aid=1
Using CHLAUTH to lock down Administrative access with MQ Explorer
An IBM WSTE recorded webcast that gives an overview of CHLAUTH rules and configuration. It shows how to use CHLAUTH records to lock down a WMQ queue manager for administration with WMQ Explorer, and how to configure SSL and use SSLPEERMAP records to tie administrative access to specific client certificates, locking down access to your queue manager further.
You find the article here: http://www-01.ibm.com/support/docview.wss?uid=swg27039600
CHLAUTH - the back-stop rule
A great article on the essential CHLAUTH back-stop rule, which blocks every connection that no other rule explicitly handles.
You find the article here: https://www.ibm.com/developerworks/community/blogs/aimsupport/entry/websphere_mq_chlauth_the_back_stop_rule
CHLAUTH - Allow some privileged admins
How to let a limited set of privileged administrators through CHLAUTH while keeping everyone else locked down.
You find it here: https://www.ibm.com/developerworks/community/blogs/aimsupport/entry/chlauth_allow_some_privileged_admins?lang=en
I'm being blocked by CHLAUTH - how can I work out why?
How to troubleshoot CHLAUTH problems that block your access.
You find it here: https://www.ibm.com/developerworks/community/blogs/aimsupport/entry/blocked_by_chlauth_why?lang=en
WMQ 7.1 / 7.5 / 8.0 queue manager RC 2035 MQRC_NOT_AUTHORIZED or AMQ4036 or JMSWMQ2013 when using client connection as an MQ Administrator
You create a new queue manager in WebSphere MQ 7.1, 7.5, 8.0 or later and try to access it remotely over a client connection with a user ID that is an MQ Administrator. You get an error with reason code 2035, while the same MQ Administrator can access other queue managers at version 6 or 7.0.x remotely without problems. The cause is the CHLAUTH rules a new queue manager ships with since 7.1: a BLOCKUSER rule for the special value *MQADMIN blocks every privileged user on every SVRCONN channel, and the SYSTEM.* channels are mapped to NOACCESS, so administrative client access has to be granted explicitly.
You find it here: http://www-01.ibm.com/support/docview.wss?uid=swg21577137
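As an added example (my own MQSC, not taken from the IBM technote), the commands below first show why an administrator is refused with RC 2035 on a new queue manager and then open a single, dedicated channel for a single administrator, bound to a TLS client certificate and to the admin workstation subnet. The channel name, certificate subject DN, addresses and user IDs (ADMIN.SVRCONN, CN=mqadmin,O=Example Corp, 10.20.40.*, mqadmin) are made-up placeholders; the queue manager's key repository and the CA that issued the client certificate are assumed to be set up already, and the CipherSpec must be one your MQ version and platform support.

```mqsc
* Added example, not from the linked technote. Names, addresses and DN are placeholders.
* A queue manager created at 7.1 or later starts with rules equivalent to
*   SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN)
*   SET CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(NOACCESS)
* Show what is currently in place before changing anything.
DISPLAY CHLAUTH(*) ALL

* RUNCHECK names the rule that refuses the administrator on an existing
* channel. Expected: the BLOCKUSER rule with USERLIST(*MQADMIN).
DISPLAY CHLAUTH('APP1.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('10.20.30.40') CLNTUSER('mqadmin')

* Dedicated administration channel that requires a TLS client certificate.
* MCAUSER('nobody') means that anyone who is not mapped by a CHLAUTH rule
* below ends up as the unprivileged 'nobody' instead of an asserted ID.
DEFINE CHANNEL('ADMIN.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
    SSLCIPH('TLS_RSA_WITH_AES_256_CBC_SHA256') SSLCAUTH(REQUIRED) +
    MCAUSER('nobody') REPLACE

* Map exactly one certificate subject, presented from the admin subnet, to mqm.
SET CHLAUTH('ADMIN.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=mqadmin,O=Example Corp') ADDRESS('10.20.40.*') +
    USERSRC(MAP) MCAUSER('mqm') +
    DESCR('Admin access via client certificate only') ACTION(REPLACE)

* The generic BLOCKUSER *MQADMIN rule would still reject mqm. A BLOCKUSER
* rule on the specific channel name takes precedence over the generic one,
* so this rule lifts the *MQADMIN block for ADMIN.SVRCONN alone. Listing
* 'nobody' also blocks every connection that was not mapped to mqm above,
* because the channel's own MCAUSER is 'nobody'.
SET CHLAUTH('ADMIN.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') +
    DESCR('Override *MQADMIN block on the admin channel only') ACTION(REPLACE)

* Verify: expected result is the SSLPEERMAP rule mapping to mqm.
DISPLAY CHLAUTH('ADMIN.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('10.20.40.5') SSLPEER('CN=mqadmin,O=Example Corp') CLNTUSER('mqadmin')

* Same certificate from an address outside the admin subnet. Expected: the
* SSLPEERMAP rule is not selected, so the connection does not become mqm.
DISPLAY CHLAUTH('ADMIN.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') SSLPEER('CN=mqadmin,O=Example Corp') CLNTUSER('mqadmin')
```

Keep the *MQADMIN rule in place for every other channel; the whole point is that administrative authority is reachable through one channel, one certificate and one address range, all of which RUNCHECK lets you confirm without connecting. While tuning the rules you can add WARN(YES) to a rule to have it log instead of block, but remove it again before going live.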
How to remove a channel authentication record (CHLAUTH)
This is not recommended, as it lowers your level of security.
You find it here: http://www-01.ibm.com/support/docview.wss?uid=swg21577138
Securing MQ - Redbook, Chapter 9: WMQ Administration
Our famous IBM Redbook about how to set up a secure IBM MQ environment, and keep it secure.
You find it here: http://www.redbooks.ibm.com/abstracts/sg248069.html
Comparing BlockIP2 with Channel Authentication Records for WebSphere MQ Security
A light comparison of BlockIP2 and CHLAUTH, based on the IBM MQ 7.1 capabilities.
You find it here: http://www.ibm.com/developerworks/websphere/library/techarticles/1407_nalla/1407_nalla.html
Known limitations of CHLAUTH compared with BlockIP2
The following areas are not covered by CHLAUTH:
- CHLAUTH does not allow wildcards in the client user ID mapping.
- CHLAUTH cannot remap a blank user ID to something else without defining a rule for every specific IP address.
Feel free to drop me an email if you have some goodies to add here. This is a living list.