Preparing and running the sample programs

Configure your queue manager to securely accept incoming connection requests from applications running in client mode.

Before you begin

Ensure the queue manager already exists and has been started. Determine whether channel authentication records are already enabled by issuing the MQSC command: 

DISPLAY QMGR CHLAUTH
This task expects that channel authentication records are enabled. If this is a queue manager used by other users and applications, changing this setting will affect all other users and applications. If your queue manager does not make use of channel authentication records then step 4 can be replaced with an alternate authentication method (for example a security exit) which sets the MCAUSER to the non-privileged-user-id you will obtain in step 1.

You must know which channel name your application expects to use so that the application can be permitted to use the channel. You must also know which objects, for example queues or topics, your application expects to use so that your application can be permitted to use them.

About this task

This task creates a non-privileged user ID to be used for a client application which connects to the queue manager. Access is granted for the client application only to be able to use the channel it needs and the queue it needs by use of this user ID.

Procedure

  1. Obtain a user ID on the system your queue manager is running on. For this task this user ID must not be a privileged administrative user. This user ID will be the authority under which the client connection will run on the queue manager.
  2. Start a listener program with the following commands where:
    • qmgr-name is the name of your queue manager
    • nnnn is your chosen port number
    1. For UNIX and Windows systems: 
      
runmqlsr -t tcp -m qmgr-name -p nnnn
    2. [IBMi] For IBM® i: 
      
STRMQMLSR MQMNAME(qmgr-name) PORT(nnnn)
    3. [z/OS] For z/OS® ensure your channel initiator is started. If not, start it by issuing the START CHINIT command. 
      
START LISTENER TRPTYPE(TCP) PORT(nnnn)
  3. If your application uses the SYSTEM.DEF.SVRCONN then this channel is already defined. If your application uses another channel, create it by issuing the MQSC command: 
    
DEFINE CHANNEL(' channel-name ') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
DESCR('Channel for use by sample programs')
    • channel-name is the name of your channel.
  4. Create a channel authentication rule allowing only the IP address of your client system to use the channel by issuing the MQSC command: 
    
SET CHLAUTH(' channel-name ') TYPE(ADDRESSMAP) ADDRESS(' client-machine-IP-address ') +
MCAUSER(' non-privileged-user-id ')
    • channel-name is the name of your channel.
    • client-machine-IP-address is the IP address of your client system.
    • If your sample client application is running on the same machine as the queue manager then use an IP address of '127.0.0.1' if your application is going to connect using 'localhost'. If several different client machines are going to connect in, you can use a pattern or a range instead of a single IP address. See Generic IP addresses for details.
    • non-privileged-user-id is the user ID you obtained in step 1
  5. If your application uses the SYSTEM.DEFAULT.LOCAL.QUEUE then this queue is already defined. If your application uses another queue, create it by issuing the MQSC command: 
    
DEFINE QLOCAL(' queue-name ') DESCR('Queue for use by sample programs')
    • queue-name is the name of your queue.
  6. Grant access to connect to and inquire the queue manager:
    1. For [IBMi] IBM i, UNIX and Windows systems issue the MQSC commands: 
      
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL(' non-privileged-user-id ') +
AUTHADD(CONNECT, INQ)
      • non-privileged-user-id is the user ID you obtained in step 1
    2. [z/OS] For z/OS ensure that your channel initiator is started. If not, start the channel initiator by issuing the START CHINIT command. Start a TCP listener for example : 
      
START LISTENER TRPTYPE(TCP) PORT(nnnn)
  7. If your application is a point-to-point application, that is it makes use of queues, grant access to allow inquiring and the putting and getting messages using your queue by the user ID to be used, by issuing the MQSC commands:
    1. For [IBMi] IBM i, UNIX and Windows systems issue the MQSC commands: 
      
SET AUTHREC PROFILE(' queue-name ') OBJTYPE(QUEUE) +
PRINCIPAL(' non-privileged-user-id ') AUTHADD(PUT, GET, INQ, BROWSE)
      • queue-name is the name of your queue.
      • non-privileged-user-id is the user ID you obtained in step 1
    2. [z/OS] For z/OS issue the RACF® commands: 
      
RDEFINE MQQUEUE qmgr-name.QUEUE. queue-name UACC(NONE)

PERMIT qmgr-name.QUEUE. queue-name CLASS(MQQUEUE) ID(non-privileged-user-id) ACCESS(UPDATE)
      • qmgr-name is the name of your queue manager
      • queue-name is the name of your queue.
      • non-privileged-user-id is the user ID you obtained in step 1
  8. If your application is a publish/subscribe application, that is it makes use of topics, grant access to allow publishing and subscribing using your topic by the user ID to be used, by issuing the MQSC commands:
    1. For [IBMi] IBM i, UNIX and Windows systems issue the MQSC commands: 
      
SET AUTHREC PROFILE('SYSTEM.BASE.TOPIC') OBJTYPE(TOPIC) +
PRINCIPAL(' non-privileged-user-id ') AUTHADD(PUB, SUB)
      • non-privileged-user-id is the user ID you obtained in step 1
      • This will give non-privileged-user-id access to any topic in the topic tree, alternatively, you can define a topic object using DEFINE TOPIC and grant accesses only to the part of the topic tree referenced by that topic object. See Controlling user access to topics for details.
    2. [z/OS] For z/OS issue the RACF commands: 
      RDEFINE MQTOPIC qmgr-name.PUBLISH.SYSTEM.BASE.TOPIC UACC(NONE)

PERMIT qmgr-name.PUBLISH.SYSTEM.BASE.TOPIC CLASS(MQTOPIC) ID(non-privileged-user-id) ACCESS(UPDATE)

RDEFINE MQTOPIC qmgr-name.SUBSCRIBE.SYSTEM.BASE.TOPIC UACC(NONE)

PERMIT qmgr-name.SUBSCRIBE.SYSTEM.BASE.TOPIC CLASS(MQTOPIC) ID(non-privileged-user-id) ACCESS(UPDATE)
      • qmgr-name is the name of your queue manager
      • non-privileged-user-id is the user ID you obtained in step 1
      • This will give non-privileged-user-id access to any topic in the topic tree, alternatively, you can define a topic object using DEFINE TOPIC and grant accesses only to the part of the topic tree referenced by that topic object. See Controlling user access to topics for details.

What to do next

Your client application can now connect to the queue manager and put or get messages using the queue.