Technote (troubleshooting)
Problem (Abstract)
You have created a queue manager on IBM i WebSphere MQ (WMQ) v7.1. When you attempt to connect to that queue manager using a WMQ administrator profile, either from WMQ Explorer to perform remote administration or from a WMQ client application, the client receives AMQ4036, "Access not permitted. You are not authorized to perform this operation."
On the IBM i (iSeries) system, the queue manager's error log shows either AMQ9776, "Channel was blocked by userid", or AMQ9777, "Channel was blocked", followed by AMQ9999, "Channel 'SYSTEM.ADMIN.SVRCONN' to host 'x (9.49.x.x)' ended abnormally".
Cause
The new Channel Authentication Records feature, controlled by the queue manager attribute CHLAUTH, defaults to ENABLED for every queue manager created at WMQ v7.1. The following three channel authentication records are defined on all new and upgraded v7.1 queue managers.
DISPLAY CHLAUTH(*)
1 : DISPLAY CHLAUTH(*)
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(CHANNEL)
This record permits any authorized user, from any IP address, to connect via the SYSTEM.ADMIN.SVRCONN channel. The user ID flowed from the client, or the MCAUSER set on the channel, is used for the connection.
If the user fails to connect with only this record in effect, AMQ4036 is logged on the Windows client and AMQ8077, Entity '&3' has insufficient authority to access object '&4', is logged on IBM i (an object authority failure rather than a channel authentication block).
AMQ8878: Display channel authentication record details.
CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(NOACCESS)
This record blocks every IP address attempting to connect via any of the SYSTEM channels.
If the user fails to connect with only this record in effect, AMQ4036 is logged on the Windows client and AMQ9777, Channel was blocked, is logged on IBM i.
AMQ8878: Display channel authentication record details.
CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN)
This record blocks all administrative users, including users with *ALLOBJ authority, QMQM, and QMQMADM, from connecting via any channel. If the WMQ administrator fails to connect with only this record in effect, AMQ4036 is logged on the Windows client and AMQ9776, Channel was blocked by userid, is logged on IBM i.
This new v7.1 feature makes a queue manager far more secure by default than in previous releases, because administrative access over a channel must now be explicitly defined.
The new queue manager attribute, CHLAUTH, is NOT enabled by default on upgraded queue managers: the three records above are created, but are not enforced until CHLAUTH is set to ENABLED.
Diagnosing the problem
For a v7.1 queue manager, review the CHLAUTH attribute setting on the queue manager and display its channel authentication records via RUNMQSC using DISPLAY CHLAUTH(*). Also review the error logs on IBM i and on the remote system for authorization failure messages.
Resolving the problem
This assumes you are using the SYSTEM.ADMIN.SVRCONN channel (except where noted) to connect to the IBM i queue manager. Choose one of the following options:
1) Use a non-administrative user profile to connect to the queue manager. The user profile must exist on IBM i and be granted the authorities found in DCF item 1299521.
2) Allow any administrative user to connect from a specific IP address:
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN) ACTION(REMOVE)
SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) ACTION(REMOVE)
SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(9.xx.xx.xx) USERSRC(CHANNEL)
3) Allow any administrative user to connect via a user-defined channel:
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN) ACTION(REMOVE)
SET CHLAUTH(MY.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(CHANNEL)
4) Allow any administrative user to connect to the queue manager from any address:
SET CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP) ADDRESS(*) ACTION(REMOVE)
SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN) ACTION(REMOVE)
5) Disable the channel authentication record feature:
CHGMQM MQMNAME(<QMGR_NAME>) CHLAUTH(*DISABLED)
WARNING: Disabling this feature is not recommended for WMQ v7.1 production queue managers due to the security exposure.
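The following Python script is an added example; it is not part of this Technote and not WMQ product code. It parses SET CHLAUTH commands of the form used in the options above, applies them to the three default v7.1 records described under Cause, and reports what a connection attempt would receive: the AMQ9777 address block, the AMQ9776 user block, or a pass through to the normal object authority check. Its evaluation order (the most specific matching ADDRESSMAP record decides the address, then BLOCKUSER is applied to the remaining user ID) and its treatment of ADDRESS values as exact addresses or trailing-asterisk prefixes are simplifying assumptions about the product's matching rules; the address 9.20.1.5 is constructed in place of the 9.xx.xx.xx placeholder. It lets you work out, before touching a production queue manager, which option admits an administrator over which channel and from which address, and what each option still blocks.

```python
import re
from dataclasses import dataclass

# Outcomes as the Technote describes them (constructed labels, not MQ API values).
BLOCKED_ADDR = ("blocked", "AMQ9777 Channel was blocked")
BLOCKED_USER = ("blocked", "AMQ9776 Channel was blocked by userid")
CONNECTED = ("connected", "CHLAUTH passed; OAM authority is checked next (AMQ8077 on failure)")


@dataclass(frozen=True)
class Rule:
    channel: str              # channel profile: SYSTEM.ADMIN.SVRCONN, SYSTEM.*, or *
    type: str                 # ADDRESSMAP or BLOCKUSER (the two types in the Technote)
    address: str = "*"        # ADDRESSMAP selector: exact IP or trailing-* prefix (assumption)
    usersrc: str = "CHANNEL"  # CHANNEL (keep the flowed user ID) or NOACCESS
    userlist: tuple = ()      # BLOCKUSER list; *MQADMIN stands for every administrator


_KW = re.compile(r"([A-Z]+)\(([^)]*)\)")   # KEYWORD(value) pairs of an MQSC command


def rule_from_kws(kws):
    users = tuple(u.strip() for u in kws.get("USERLIST", "").split(",") if u.strip())
    return Rule(kws["CHLAUTH"], kws["TYPE"], kws.get("ADDRESS", "*"),
                kws.get("USERSRC", "CHANNEL"), users)


def same_record(a, b):
    """A record is identified by channel + type + its selector (address or user list)."""
    if (a.channel, a.type) != (b.channel, b.type):
        return False
    return a.userlist == b.userlist if a.type == "BLOCKUSER" else a.address == b.address


def apply_mqsc(rules, line):
    """Apply one SET CHLAUTH command: ADD (the default) or ACTION(REMOVE)."""
    kws = dict(_KW.findall(line.upper()))
    if not line.strip().upper().startswith("SET CHLAUTH") or "TYPE" not in kws:
        raise ValueError(f"not a SET CHLAUTH command: {line!r}")
    new = rule_from_kws(kws)
    kept = [r for r in rules if not same_record(r, new)]
    if kws.get("ACTION", "ADD") == "REMOVE":
        if len(kept) == len(rules):
            raise ValueError(f"no record to remove for: {line!r}")
        return kept
    return kept + [new]    # ADD replaces an existing record with the same key


def load(lines, rules=()):
    """Apply a sequence of SET CHLAUTH commands to an existing rule set."""
    rules = list(rules)
    for line in lines:
        rules = apply_mqsc(rules, line)
    return rules


def _match(profile, value):
    """'*' alone matches anything; a trailing '*' matches a prefix; otherwise exact."""
    if profile == "*":
        return True
    if profile.endswith("*"):
        return value.upper().startswith(profile[:-1])
    return value.upper() == profile


def _specificity(profile):
    """Sort key: exact > generic prefix > '*', longer prefix before shorter."""
    return (2 if not profile.endswith("*") else 1 if profile != "*" else 0, len(profile))


def evaluate(rules, channel, address, userid, is_admin, chlauth_enabled=True):
    """Decide one connection attempt. Assumed order (a simplification of the product's
    rules): the most specific matching ADDRESSMAP record decides whether the address
    may connect; BLOCKUSER is then applied to the user ID that remains."""
    if not chlauth_enabled:    # CHGMQM ... CHLAUTH(*DISABLED): records are ignored
        return CONNECTED
    maps = [r for r in rules if r.type == "ADDRESSMAP"
            and _match(r.channel, channel) and _match(r.address, address)]
    if maps:
        best = max(maps, key=lambda r: (_specificity(r.channel), _specificity(r.address)))
        if best.usersrc == "NOACCESS":
            return BLOCKED_ADDR
    # USERSRC(CHANNEL), or no mapping at all: the user ID flowed by the client is kept
    for r in rules:
        if r.type == "BLOCKUSER" and _match(r.channel, channel):
            if (is_admin and "*MQADMIN" in r.userlist) or userid.upper() in r.userlist:
                return BLOCKED_USER
    return CONNECTED


# The three records every new v7.1 queue manager starts with (from the Technote).
DEFAULT_V71_RECORDS = (
    "SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(CHANNEL)",
    "SET CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(NOACCESS)",
    "SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN)",
)

if __name__ == "__main__":
    ADMIN_IP = "9.20.1.5"    # constructed; stands in for the Technote's 9.xx.xx.xx
    defaults = load(DEFAULT_V71_RECORDS)
    option2 = load([          # the Technote's option 2 with the constructed address
        "SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN) ACTION(REMOVE)",
        "SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) ACTION(REMOVE)",
        f"SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS({ADMIN_IP}) USERSRC(CHANNEL)",
    ], defaults)
    for label, rules, chan, addr in (
        ("defaults, admin via SYSTEM.ADMIN.SVRCONN", defaults, "SYSTEM.ADMIN.SVRCONN", ADMIN_IP),
        ("defaults, admin via SYSTEM.DEF.SVRCONN", defaults, "SYSTEM.DEF.SVRCONN", ADMIN_IP),
        ("option 2, admin from the allowed address", option2, "SYSTEM.ADMIN.SVRCONN", ADMIN_IP),
        ("option 2, admin from another address", option2, "SYSTEM.ADMIN.SVRCONN", "10.0.0.7"),
    ):
        print(f"{label}: {evaluate(rules, chan, addr, 'QMQMADM', is_admin=True)}")
```

Run as a script, it prints the outcome for the default records and for option 2: with the defaults an administrator is stopped by the BLOCKUSER record on SYSTEM.ADMIN.SVRCONN (AMQ9776) and by the SYSTEM.* NOACCESS record on any other SYSTEM channel (AMQ9777); after option 2 the administrator passes from the listed address and is still blocked from any other. Feeding in options 3 and 4 shows two consequences worth knowing before choosing: because option 3 removes the BLOCKUSER record for every channel, the model admits administrators over SYSTEM.ADMIN.SVRCONN as well as over MY.ADMIN.SVRCONN, and after option 4 no record matches a SYSTEM.DEF.SVRCONN connection at all, so administrators pass from any address over any SYSTEM channel.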
Product Alias/Synonym
WMQ MQ