When a sender channel connects to your listener, the queue manager sees a source IP address on the TCP socket. Address mapping rules—CHLAUTH TYPE(ADDRESSMAP)—translate that observable fact into policy: allow this partner hub, block a known scanner, or assign an MCAUSER for puts from a fixed data center egress. ADDRESSMAP is often the first rule type operations teams implement because partner IPs are known from firewall tickets and B2B contracts. It is also easy to get wrong: cloud egress IPs change, NAT collapses many clients into one address, and IP spoofing is irrelevant on controlled private links but dangerous on open networks without TLS. Beginners should pair ADDRESSMAP with mutual TLS for internet-facing RCVR and SVRCONN, and treat IP rules as one layer—not the entire security model. This tutorial covers ADDRESS syntax, ALLOW versus BLOCK, mapping to MCAUSER, scoping by channel name, NAT and load balancer pitfalls, partner onboarding workflow, and troubleshooting when the right partner is blocked after an IP migration.
The LISTENER accepts TCP connections on its PORT. A remote SDR channel or client application opens a socket from source IP S. During channel bind, CHLAUTH evaluates the ADDRESSMAP rules whose ADDRESS pattern matches S and whose channel-name profile includes the target channel. An ALLOW outcome lets the bind continue; a BLOCK outcome rejects the connection and writes an error-log entry; a MAP outcome sets MCAUSER before the object authority (OAM) checks run. Rules do not replace firewall ACLs: they enforce MQ-side policy on traffic that has already reached the listener. Defense in depth means firewall plus ADDRESSMAP plus TLS plus SSLPEERMAP on high-risk paths.
| Outcome | Effect | When to use |
|---|---|---|
| ALLOW | Permit connection from matched IP | Known partner fixed egress |
| BLOCK | Reject matched IP | Known bad sources |
| MAP MCAUSER | Set identity from IP trust zone | Segmented subnets per app |
```
* The tutorial's ALLOW / BLOCK / MAP outcomes are expressed in MQSC through
* USERSRC; the channel-name profile is the positional CHLAUTH() value, and
* ACTION() selects ADD / REPLACE / REMOVE for the rule itself.
* ALLOW: the partner hub subnet may bind to PARTNER.TO.US.
* (octet wildcard form; CIDR slash notation is not portable across releases)
SET CHLAUTH('PARTNER.TO.US') TYPE(ADDRESSMAP) +
    ADDRESS('198.51.100.*') USERSRC(CHANNEL) +
    ACTION(ADD) DESCR('Hub sender subnet')
* BLOCK: a known scanner IP is refused on every channel.
SET CHLAUTH('*') TYPE(ADDRESSMAP) +
    ADDRESS('203.0.113.99') USERSRC(NOACCESS) +
    ACTION(ADD) DESCR('Blocked scanner IP')
* MAP: connections from one DMZ host to APP.SVRCONN run as dmzapp.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) +
    ADDRESS('10.20.30.40') USERSRC(MAP) MCAUSER('dmzapp') +
    ACTION(ADD)
* Show the rules that apply to the partner channel.
DISPLAY CHLAUTH('PARTNER.TO.US') ALL
```
Whether ADDRESS accepts CIDR slash notation depends on the IBM MQ release and platform, so verify the ADDRESS syntax in the documentation before relying on it in production (the octet wildcard and range forms, for example 198.51.100.*, are the portable alternative). Some sites use a separate rule per host IP instead of ranges, for clarity. The channel-name profile (the value in CHLAUTH('...')) scopes which channel definitions a rule applies to; an overly broad CHLAUTH('*') profile on an ALLOW rule can permit more than intended.
Point-to-point RCVR channels from a known partner data center: ALLOW partner egress /32 or /24 on that RCVR name only. SVRCONN from application servers in a DMZ subnet: MAP subnet to application MCAUSER with tight OAM grants. Never use ADDRESSMAP ALLOW * on internet listeners. For client channels, remember mobile users violate fixed IP assumptions—use certificate mapping instead.
Partner cannot connect after an IP change: compare the source IP in the queue manager error log with the ADDRESS patterns shown by DISPLAY CHLAUTH. Partner connects but has the wrong authority: verify the MAP rule's MCAUSER and the OAM grants for that user. False allow through NAT: tighten with SSLPEERMAP. Emergency break-glass: a narrowly scoped, temporary ALLOW for the ops center IP with a ticketed expiry, never disabling CHLAUTH globally on the queue manager.
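To make the bind-time evaluation, the channel-scope caveat and the "partner blocked after an IP migration" case concrete, here is a small Python model of ADDRESSMAP matching. It is an added example written for this tutorial, not IBM MQ code: it assumes IPv4 only, models only TYPE(ADDRESSMAP) rules, and approximates MQ's precedence by choosing the most specific ADDRESS pattern among the rules whose channel profile matches; the `Rule`, `evaluate` and `triage` names, the rule set and the log line are all constructed. On a real queue manager the equivalent check is `DISPLAY CHLAUTH(channel) MATCH(RUNCHECK) ADDRESS(ip)`.

```python
"""Toy model of CHLAUTH TYPE(ADDRESSMAP) evaluation (added example, not IBM code).

Assumptions: IPv4 only; only ADDRESSMAP rules are modelled (real MQ also
consults BLOCKADDR, SSLPEERMAP, USERMAP and QMGRMAP); the most specific
ADDRESS pattern wins, compared octet by octet from the left (single value
beats range beats wildcard), which approximates MQ's precedence.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    channel: str                # channel-name profile: 'PARTNER.TO.US', 'APP.*', '*'
    address: str                # ADDRESS pattern: '198.51.100.22', '198.51.100.*', '10.0.0.1-20', '*'
    usersrc: str                # 'CHANNEL' = allow, 'NOACCESS' = block, 'MAP' = set MCAUSER
    mcauser: Optional[str] = None


def channel_matches(profile: str, channel: str) -> bool:
    """MQ channel profiles use '*' as their only wildcard."""
    regex = '.*'.join(re.escape(part) for part in profile.split('*'))
    return re.fullmatch(regex, channel) is not None


def _octets(pattern: str):
    # A bare '*' means "any address"; expand it to four wildcard octets.
    return ['*'] * 4 if pattern == '*' else pattern.split('.')


def octet_matches(pattern: str, value: int) -> bool:
    """One octet of an ADDRESS pattern: '*', a range 'a-b', or a single number."""
    if pattern == '*':
        return True
    rng = re.fullmatch(r'(\d+)-(\d+)', pattern)
    if rng:
        return int(rng.group(1)) <= value <= int(rng.group(2))
    return int(pattern) == value


def address_matches(pattern: str, ip: str) -> bool:
    pats, octs = _octets(pattern), ip.split('.')
    if len(pats) != 4 or len(octs) != 4:
        return False
    return all(octet_matches(p, int(o)) for p, o in zip(pats, octs))


def specificity(pattern: str) -> tuple:
    """Per octet: single value 2, range 1, wildcard 0; tuples compare left to right."""
    return tuple(0 if p == '*' else 1 if '-' in p else 2 for p in _octets(pattern))


def evaluate(rules, channel: str, ip: str) -> dict:
    """Outcome of an inbound bind on `channel` from source IP `ip`."""
    hits = [r for r in rules
            if channel_matches(r.channel, channel) and address_matches(r.address, ip)]
    if not hits:
        # No ADDRESSMAP rule applies; MQ would fall through to other rule types.
        return {'matched': None, 'blocked': False, 'mcauser': None}
    best = max(hits, key=lambda r: specificity(r.address))   # first rule wins ties
    return {
        'matched': best.address,
        'blocked': best.usersrc == 'NOACCESS',
        # USERSRC(CHANNEL) keeps the channel's own MCAUSER, so only MAP sets one here.
        'mcauser': best.mcauser if best.usersrc == 'MAP' else None,
    }


# Constructed rule set mirroring the tutorial: a /32 allow for the partner's
# current egress, a catch-all block on that channel, a DMZ host mapping, and a
# scanner blocked on every channel.
RULES = (
    Rule('PARTNER.TO.US', '198.51.100.22', 'CHANNEL'),
    Rule('PARTNER.TO.US', '*', 'NOACCESS'),
    Rule('APP.SVRCONN', '10.20.30.40', 'MAP', 'dmzapp'),
    Rule('*', '203.0.113.99', 'NOACCESS'),
)

# Constructed error-log line (not MQ's own wording) for the migrated partner.
SAMPLE_LOG_LINE = ("2024-03-01T08:15:02Z CHLAUTH: inbound channel 'PARTNER.TO.US' "
                   "from address '198.51.100.23' was blocked")
LOG_RE = re.compile(r"channel '([^']+)' from address '([^']+)'")


def triage(log_line: str, rules) -> Optional[dict]:
    """Pull channel and source IP out of a log line and replay the rule evaluation."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    channel, ip = m.groups()
    outcome = evaluate(rules, channel, ip)
    outcome.update(channel=channel, ip=ip)
    return outcome


if __name__ == '__main__':
    print('old partner IP :', evaluate(RULES, 'PARTNER.TO.US', '198.51.100.22'))
    print('new partner IP :', evaluate(RULES, 'PARTNER.TO.US', '198.51.100.23'))
    # Two different applications behind one NAT address get the same identity.
    print('NAT app A      :', evaluate(RULES, 'APP.SVRCONN', '10.20.30.40'))
    print('NAT app B      :', evaluate(RULES, 'APP.SVRCONN', '10.20.30.40'))
    print('log triage     :', triage(SAMPLE_LOG_LINE, RULES))
```

The second and third prints are the two failure modes from the text: after the partner's egress moves to .23 the /32 allow no longer matches and the catch-all NOACCESS rule wins, and every application sharing the NAT address 10.20.30.40 is mapped to `dmzapp`, which is why an IP-only MAP cannot separate them.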
Address mapping is a rule that says only computers from these home addresses may use this MQ door.
Partner moves from 198.51.100.22 to .23: write the SET CHLAUTH steps.
Explain why ten apps behind one NAT IP might violate least privilege with IP-only MAP.
Design ADDRESSMAP + SSLPEERMAP for one B2B RCVR.
1. ADDRESSMAP matches:
2. NAT can make ADDRESSMAP:
3. ADDRESSMAP on RCVR protects:
4. IP-only trust on internet links should add: