CHLAUTH - Secure MQ connections

My collection of CHLAUTH articles spread over the internet. Collected to help me doing my daily MQ administative job.

Before starting out with CHLAUTH please take not of:

IBM MQ Security – things to note

  • Don't leave channels wide-open. Any channel without an MCAUSER value allows user impersonation and administrative authority.
  • Ensure channels are effectively locked down with a low-privileged MCAUSER or strong control for admin users.
  • Deny-all policy by default would be best
  • - Then more specific rules to control access
  • IBM MQ AMS combines link- and message-level authentication 


CHLAUTH Made Simple

Common Scenarios and Examples and how to Verify them with RUNCHECK 

You find the article here:


Using CHLAUTH to lock down Administrative access with MQ Explorer

An IBM WSTE recorded webcast that provides an overview of CHLAUTH rules and configuration. It discusses how to use CHLAUTH records to lock down your WMQ queue managerfor Administration with WMQ Explorer as well as configuring SSL and using SSLPEERMAP records to further lock down access to your queue manager 

You find the article here:


CHLAUTH - the back-stop rule

A great article about essential CHLAUTH adding the back-stop rule to block un-handled connections.

You find the article here:


CHLAUTH - Allow some privileged admins

How to troubleshoot CHLAUTH problems that block you access.

You find it here:


I'm being blocked by CHLAUTH - how can I work out why?

You find it here:


WMQ 7.1 / 7.5 / 8.0 queue manager RC 2035 MQRC_NOT_AUTHORIZED or AMQ4036 or JMSWMQ2013 when using client connection as an MQ Administrator

You create a new queue manager in WebSphere MQ 7.1 or 7.5 or 8.0 or later and you try to use a user id that is an MQ Administrator to remotely access the queue manager via a client connection. You get an error with reason code 2035 and the MQ Administrator can remotely access without problems other MQ queue managers at version 6 or 7.0.x.

You find it here:


How to remove a channel authentication record (CHLAUTH)

This is not recommendable, this will lower your level of security.

You find it here:


Securing MQ - Redbook, Chapter 9: WMQ Administration

Our famous IBM Redbook about how to setup a secure IBM MQ environment, and keep it secure.

You find it here:


Comparing BlockIP2 with Channel Authentication Records for WebSphere MQ Security

A light comparision between using BlockIP2 and using CHLAUTH based on IBM MQ 7.1 capabilities.

You find it here:


Known limitations between BlockIP2 and CHLAUTH

The following areas are not covered by CHLAUTH:

  • CHLAUTH does not allow wildcards in the client id mapping. 
  • CHLAUTH does not allow remapping of a blank user id to something else, without define all specific IP-addresses.


Feel free to drop me a mail if you have some goodies to add here. This is a living list.

Login Form