Channel permissions are Object Authority Manager grants on CHANNEL definitions—primarily who may use a given SVRCONN name to attach to the queue manager. Beginners focus on queues and forget that MQCONNX often specifies a channel name; missing +connect on that channel produces 2035 before any queue operation. Channel permissions do not replace CHLAUTH, CONNAUTH, or TLS—they stack. A fully authorized channel grant still fails when CHLAUTH blocks the client IP or when the password is wrong. Message channels (SDR, RCVR, CLUSSDR) use MCAUSER and partner trust differently from application SVRCONN paths. This tutorial explains +connect and related channel OAM bits, SVRCONN versus CLNTCONN versus message channels, pairing channel grants with queue and topic rights, CHLAUTH interaction, dedicated versus shared SVRCONN design, setmqaut and dspmqaut examples, and troubleshooting connect-time 2035 for Java, .NET, and C clients.
CHANNEL objects are first-class MQ entities in the repository. Using a channel definition is an operation OAM can gate. Restricting +connect on PAYMENT.SVRCONN to mqpay while ORDERS.SVRCONN allows mqorders prevents a stolen orders credential from attaching on the payment channel even if both share the same listener port. Defense in depth: network firewall, TLS, CONNAUTH, CHLAUTH, channel OAM, then queue OAM.
| CHLTYPE | Who connects | OAM focus |
|---|---|---|
| SVRCONN | Client applications | +connect per app or group |
| CLNTCONN | Client conn route to SVRCONN | Often +connect on CLNTCONN name |
| SDR / RCVR | Queue manager partners | MCAUSER queue rights, CHLAUTH |
| CLUSRCVR / CLUSSDR | Cluster members | Cluster standard roles |
```
DEFINE CHANNEL('PAYMENT.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP)
setmqaut -m QM1 -n PAYMENT.SVRCONN -t channel -p mqpay +connect
setmqaut -m QM1 -t qmgr -p mqpay +connect
dspmqaut -m QM1 -n PAYMENT.SVRCONN -t channel -p mqpay
```
The second setmqaut line grants queue manager connect when your policy requires it; some estates embed connect in channel-only grants. The JMS connection factory channel name must match PAYMENT.SVRCONN exactly. Case sensitivity depends on platform conventions; standardize on uppercase channel names in mainframe-style estates.
CHLAUTH rules answer whether this connection attempt is allowed and which MCAUSER applies. OAM +connect answers whether this principal may use the channel object. Example: CHLAUTH SSLPEERMAP maps CN=payapp to mqpay; setmqaut grants mqpay +connect on PAYMENT.SVRCONN. A missing CHLAUTH rule blocks the connection before OAM is checked; a missing +connect fails at OAM after CHLAUTH passes. Review DISPLAY CHLAUTH(*) and dspmqaut output together.
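A triage sketch for the connect-time 2035 case described above, added here as an example and not taken from IBM or the original tutorial: it maps queue manager error-log message IDs to the layer that rejected the connection. The log lines are constructed and flattened to one line each, and the mapping covers only the four message IDs listed.

```python
import re

# Error-log message IDs mapped to the layer that rejected the connection and
# the check this tutorial pairs with that layer.
LAYERS = {
    "AMQ9776": ("CHLAUTH", "DISPLAY CHLAUTH(*)"),
    "AMQ9777": ("CHLAUTH", "DISPLAY CHLAUTH(*)"),
    "AMQ5534": ("CONNAUTH", "verify the user ID and password the client sends"),
    "AMQ8077": ("OAM", "dspmqaut for the entity and object named"),
}

MSG_ID = re.compile(r"^(AMQ\d{4})[A-Z]?:")
OAM_DETAIL = re.compile(r"Entity '([^']+)' has insufficient authority "
                        r"to access object (\S+) \[(\w+)\]")
QUOTED = re.compile(r"'([^']+)'")

# Constructed sample, one line per entry (real log entries span several lines).
SAMPLE_LOG = """\
AMQ9777E: Channel was blocked. The inbound channel 'PAYMENT.SVRCONN' was blocked from address '192.0.2.10'.
AMQ5534E: User ID 'mqpay' authentication failed
AMQ8077W: Entity 'mqpay' has insufficient authority to access object QM1 [qmgr].
AMQ9999E: Channel 'PAYMENT.SVRCONN' to host 'client1' ended abnormally.
"""

def triage(log_text):
    """Return one finding per log line that names a rejecting security layer."""
    findings = []
    for line in log_text.splitlines():
        m = MSG_ID.match(line.strip())
        if not m or m.group(1) not in LAYERS:
            continue  # not one of the authorization messages mapped above
        layer, next_step = LAYERS[m.group(1)]
        oam = OAM_DETAIL.search(line)
        if oam:
            # The object type shows whether the missing grant is on the
            # queue manager, a channel, or a queue.
            subject = f"{oam.group(1)} on {oam.group(2)} [{oam.group(3)}]"
        else:
            first = QUOTED.search(line)
            subject = first.group(1) if first else "unknown"
        findings.append({"id": m.group(1), "layer": layer,
                         "subject": subject, "next_step": next_step})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['id']}  {f['layer']:<8}  {f['subject']:<24}  check: {f['next_step']}")
```
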
Channel permissions gate use of the definition; MCAUSER determines which ID performs puts and gets after connect when ADOPTCTX does not override. Grant queue permissions to the MCAUSER or the adopted client ID consistently. A shared SVRCONN with MCAUSER(mqsvc) concentrates risk; prefer per-application channels and IDs.
The building has several doors (channels). Channel permissions are whether your badge works on the payment door specifically. Queue permissions are which rooms you may enter after you are inside.
SDR starting from XMITQ does not use application +connect on SVRCONN. Focus on MCAUSER +put on target queues on the receiver and +put on XMITQ on the sender. CHLAUTH on message channels blocks rogue partners—see channel authentication tutorials. Channel OAM on SDR definitions is less common in client-style troubleshooting.
The school has different doors for little kids and big kids. Channel permissions say which door your badge opens. You still need permission for each classroom inside.
Write setmqaut and DEFINE CHANNEL for a dedicated SVRCONN.
List order of checks when connect fails before MQOPEN.
Compare security of one shared SVRCONN versus three dedicated channels.
1. SVRCONN channel OAM often uses:
2. CHLAUTH with +connect granted:
3. setmqaut channel type:
4. Shared SVRCONN for all apps: