I'm new to WAS MQ. I have a qmgr called QM1 and a local queue called Q1. There is a SVRCONN channel with MCA set to mqm.

I want to prevent messages coming in through this channel from being PUT to Q1. I'm using setmqaut, but it's not working as I want.


Solution

The reason you haven't been able to prevent specific API calls over that channel is that the MCAUSER('mqm') setting ensures that anything connecting over that channel always connects with full administrative authority. There is no way to use setmqaut or any other native WMQ feature to prevent an administrator from accessing the queue. The QMgr always allows access by the admin, regardless of any setmqaut settings.

It is a bit unclear as to what to recommend because there's no such thing as "WAS MQ". There is WebSphere Application Server (WAS) and there's WebSphere MQ (WMQ). WAS used to come bundled with WMQ but the two are not a single product.

Assuming that you mean WebSphere MQ and not WebSphere App Server talking to WMQ, I'd strongly recommend moving to a modern version. End-of-Life has been announced for WMQ v7.0, and it lacks the authentication features of v7.1 and higher. As of v8.0, WMQ can even authenticate a user ID and password.

In order to authenticate and apply granular authorization in WMQ, you will need to use some value other than 'mqm' in the MCAUSER of the channel. The standard advice is to set the MCAUSER of all channels of type RCVR, RQSTR, CLUSRCVR and SVRCONN to *NOBODY and then arrange to authenticate your channels based on something useful such as the Distinguished Name of a certificate. Other less useful ways to validate a connection (because these can hardly be called "authentication") include looking at the IP address of the inbound connection or the identity that is claimed on a SVRCONN.

In v7.0, these require an exit, and BlockIP2 is the standard used throughout the WMQ install base world-wide. In v7.1 and v7.5 you can achieve the same thing simply through configuration of CHLAUTH rules using standard MQSC scripting.

There are several conference presentations discussing how to do this at t-rob.net on the Links page. I would strongly recommend moving to v7.5 of WMQ, especially since you can do so for free as a developer, regardless of the status of the licensing that the company running the QMgr has purchased. However, the QMgr in Production can also be upgraded to v7.5 for free if it is under maintenance. If you wait until June you can have v8.0, although the availability of a free developer version has not been announced as yet, to my knowledge.
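The configuration the answer above describes, written out as an added MQSC example that is not part of the original answers. The channel name APP.SVRCONN, the OS user appuser, the certificate DN and the address range are assumptions; the queue manager and queue names come from the question.

```mqsc
* Added example, not from the question or answers. Assumed names: channel
* APP.SVRCONN, non-admin OS user 'appuser', DN CN=app1,O=Example (placeholder).
* Apply with:  runmqsc QM1 < hardening.mqsc

* CHLAUTH rules are only evaluated when the queue manager has them enabled.
ALTER QMGR CHLAUTH(ENABLED)

* 1. Never run the channel as the administrator. With *NOBODY, a connection
*    gets no identity unless a CHLAUTH rule below explicitly maps one.
ALTER CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('*NOBODY')

* 2. Refuse administrative users (mqm and the mqm group) on every SVRCONN,
*    whatever user ID the client asserts. This is the rule the '*NOBODY'
*    setting relies on; setmqaut can never override an admin connection.
SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN') +
    DESCR('Block admins on all SVRCONN channels') ACTION(REPLACE)

* 3. Default deny: any address not matched by a more specific rule is
*    rejected at connect time on this channel.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Default deny') ACTION(REPLACE)

* 4. Allow only the application subnet, and map it to the non-admin user
*    instead of mqm. A specific address rule takes precedence over '*'.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.168.148.40-60') +
    USERSRC(MAP) MCAUSER('appuser') ACTION(REPLACE)

* 5. Stronger than an IP check: map the client's certificate DN. The channel
*    must carry TLS (SSLCIPH set) with SSLCAUTH(REQUIRED) for this to apply.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) SSLPEER('CN=app1,O=Example') +
    USERSRC(MAP) MCAUSER('appuser') ACTION(REPLACE)

* 6. Check what the queue manager would decide for one concrete connection
*    before trusting the rule set (the address and user are sample values).
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.168.148.45') CLNTUSER('someone')
```

Once the channel runs as appuser rather than mqm, the object authority the question asked about actually takes effect, for example `setmqaut -m QM1 -t qmgr -p appuser +connect +inq` followed by `setmqaut -m QM1 -t queue -n Q1 -p appuser +get +browse -put`. The `MATCH(RUNCHECK)` display is the quickest way to confirm which rule wins for a given address and user before letting real clients connect.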

Other tips

I searched for a very long time to solve this, and I also read T.Rob's presentations, especially this one. Finally I chose the solution of defining CHLAUTH rules to check which IP wants to connect to my channel.

I added the CHLAUTH rules below to my Queue Manager, and it works.

SET CHLAUTH('SVRCONN') TYPE(BLOCKUSER) USERLIST('ALLOWANY') WARN(YES) ACTION(ADD)
SET CHLAUTH('SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
SET CHLAUTH('SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.168.148.40-60') MCAUSER('mqm')

I also recommend seeing this.

Licensed under: CC-BY-SA with attribution