Blocking access for an SSL Distinguished Name

You can use a channel authentication record to prevent an SSL Distinguished Name (DN) from starting channels.

Before you begin

Ensure that channel authentication records are enabled as follows:

ALTER QMGR CHLAUTH(ENABLED)

Procedure

Set a channel authentication record using the MQSC command SET CHLAUTH, or the PCF command Set Channel Authentication Record. For example, you can issue the MQSC command:

SET CHLAUTH('generic-channel-name') TYPE(SSLPEERMAP) +
SSLPEER('generic-ssl-peer-name') SSLCERTI('generic-issuer-name') +
USERSRC(NOACCESS)

  • generic-channel-name is either the name of a channel to which you want to control access, or a pattern including the asterisk (*) symbol as a wildcard that matches the channel name.
  • generic-ssl-peer-name is a string following the standard IBM® MQ rules for SSLPEER values. See IBM MQ rules for SSLPEER values.
  • generic-issuer-name refers to the Issuer DN of the certificate to match. This parameter is optional, but you should use it when multiple certificate authorities are in use, so that the record does not spuriously match the wrong certificate.
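
The following MQSC script is an added example, not part of the original page. It applies the procedure above with constructed values and then checks the result. The channel names, Distinguished Names, IP address, user ID and description are all assumptions chosen for illustration.

```mqsc
* Constructed sample values: channel names, DNs, address and user ID are illustrative.
* Make sure channel authentication records are enforced on this queue manager.
ALTER QMGR CHLAUTH(ENABLED)

* Block one certificate subject on every channel whose name starts with APP.
* SSLCERTI limits the match to certificates issued by the named CA.
* DN values are quoted so that case and commas are preserved.
SET CHLAUTH('APP.*') TYPE(SSLPEERMAP) +
    SSLPEER('CN=batch-client,O=Example Corp,C=GB') +
    SSLCERTI('CN=Example Internal CA,O=Example Corp,C=GB') +
    USERSRC(NOACCESS) +
    DESCR('Block decommissioned batch client certificate') +
    ACTION(REPLACE)

* Review the stored record.
DISPLAY CHLAUTH('APP.*') TYPE(SSLPEERMAP) ALL

* Ask the queue manager which record a specific inbound connection would match.
* MATCH(RUNCHECK) needs a non-generic channel name, a specific address,
* and either CLNTUSER or QMNAME.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') CLNTUSER('batchusr') +
    SSLPEER('CN=batch-client,O=Example Corp,C=GB') +
    SSLCERTI('CN=Example Internal CA,O=Example Corp,C=GB')
```

Run the script through runmqsc against the target queue manager. The RUNCHECK display should return the SSLPEERMAP record with USERSRC(NOACCESS) if the block takes effect for that connection.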