Configure your queue manager to securely accept incoming
connection requests from applications running in client mode.
Before you begin
Ensure the queue manager already exists and has been started.
Determine whether channel authentication records are already enabled
as follows: DISPLAY QMGR CHLAUTH
This task
expects that channel authentication records are enabled. If this is
a queue manager used by other users and applications, changing this
setting will affect all other users and applications. If your queue
manager does not make use of channel authentication records then step 4 can be replaced with
an alternate authentication method (for example a security exit) which
sets the MCAUSER to the non-privileged-user-id you
will obtain in step 1. You
must know which channel name your application expects to use so that
the application can be permitted to use the channel. You must also
know which objects, for example queues or topics, your application
expects to use so that your application can be permitted to use them.
About this task
This task creates a non-privileged user ID to be used for
a client application which connects to the queue manager. Access is
granted for the client application only to be able to use the channel
it needs and the queue it needs by use of this user ID.
Procedure
- Obtain a user ID on the system your queue
manager is running on. For this task this user ID must not be a privileged
administrative user. This user ID will be the authority under which
the client connection will run on the queue manager.
- Start a listener program with the following commands where:
- qmgr is the name of your queue manager
- nnnn is your chosen port number
- For UNIX and Windows systems:
runmqlsr -t tcp -m qmgr -p nnnn
- If your application uses the SYSTEM.DEF.SVRCONN then
this channel is already defined. If your application uses another
channel, create it by issuing the MQSC command:
DEFINE CHANNEL('channel-name') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
DESCR('Channel for use by sample programs')
- channel-name is the name of your channel.
- Create a channel authentication rule allowing
only the IP address of your client system to use the channel by issuing
the MQSC command:
SET CHLAUTH('channel-name') TYPE(ADDRESSMAP) ADDRESS('client-machine-IP-address') +
MCAUSER('non-privileged-user-id')
- channel-name is the name of your channel.
- client-machine-IP-address is the IP address
of your client system.
- If your sample client application is running on the same machine
as the queue manager then use an IP address of '127.0.0.1'
if your application is going to connect using 'localhost'.
If several different client machines are going to connect in, you
can use a pattern or a range instead of a single IP address. See Generic IP addresses
for details.
- non-privileged-user-id is the user ID you
obtained in step 1
- If your application uses the SYSTEM.DEFAULT.LOCAL.QUEUE then
this queue is already defined. If your application uses another queue,
create it by issuing the MQSC command:
DEFINE QLOCAL('queue-name') DESCR('Queue for use by sample programs')
- queue-name is the name of your queue.
- Grant access to connect to and inquire the queue manager:
- For
UNIX andWindows systems
issue the MQSC commands:
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('non-privileged-user-id') +
AUTHADD(CONNECT, INQ)
- non-privileged-user-id is the user ID you
obtained in step 1
- If your application is a point-to-point application, that
is it makes use of queues, grant access to allow inquiring and the
putting and getting messages using your queue by the user ID to be
used, by issuing the MQSC commands:
- For
UNIX and Windows systems
issue the MQSC commands:
SET AUTHREC PROFILE('queue-name') OBJTYPE(QUEUE) +
PRINCIPAL('non-privileged-user-id') AUTHADD(PUT, GET, INQ, BROWSE)
- queue-name is the name of your queue.
- non-privileged-user-id is the user ID you
obtained in step 1
- If your application is a publish/subscribe application,
that is it makes use of topics, grant access to allow publishing and
subscribing using your topic by the user ID to be used, by issuing
the MQSC commands:
- For
UNIX and Windows systems
issue the MQSC commands:
SET AUTHREC PROFILE('SYSTEM.BASE.TOPIC') OBJTYPE(TOPIC) +
PRINCIPAL('non-privileged-user-id') AUTHADD(PUB, SUB)
- non-privileged-user-id is the user ID you
obtained in step 1
- This will give non-privileged-user-id access
to any topic in the topic tree, alternatively, you can define a topic
object using DEFINE TOPIC and grant accesses only
to the part of the topic tree referenced by that topic object. See Controlling user access to topics
for details.
What to do next
Your client application can now connect to the queue manager
and put or get messages using the queue.