IBM MQ ships with strong built-in controls: TLS on the wire, CHLAUTH rules that map certificates and IP addresses to MCAUSER, and CONNAUTH that validates passwords against LDAP or the operating system. Some enterprises still need SCYEXIT—the channel attribute that points at a custom security exit program loaded from the exits directory. Security exits run at defined points in channel processing so your organization can enforce policy that IBM's generic rules cannot express: proprietary credential formats, integration with a mainframe security product, correlation with an external risk engine, or adoption of a service account only after multi-factor approval in another system. Beginners should treat SCYEXIT as optional and advanced; turning it on without a tested exit binary is a common cause of channels that never reach RUNNING. This tutorial explains the SCYEXIT string format, how exits interact with MCAUSER and CHLAUTH, deployment on distributed platforms and z/OS, operational risks, and how SCYEXIT differs from message exits and from TLS.
When a channel instance starts—whether SDR dialing out or RCVR accepting inbound—the queue manager loads channel exits according to attributes on the definition. SCYEXIT supplies the name of the security exit and optional user data passed to the exit entry point. The exit receives control in a documented API (language and structure vary by platform; IBM publishes exit programming interfaces in the product documentation). The exit can allow or veto progression, modify security context, or write to diagnostic facilities. Because exits execute inside the channel agent address space, a buggy exit can crash the channel or leak sensitive data to logs. Change control for exit DLLs or load modules should be as strict as for queue manager binaries.
| Attribute | Role | Typical beginner need |
|---|---|---|
| SCYEXIT | Security policy and identity | Rare; use CHLAUTH first |
| RCVEXIT | Transform or inspect inbound data | Rare; vendor integrations |
| SENDEXIT | Transform or inspect outbound data | Rare; compression or audit |
| MCAUSER | Static default user for channel | Very common |
On distributed systems SCYEXIT often appears as exitName(exitData) where exitName identifies the module in the exits path and exitData is an optional string passed to the exit for configuration (partner ID, policy version, etc.). z/OS may use load module names and parameter data appropriate to the platform. DISPLAY CHANNEL(name) SCYEXIT shows the current value. ALTER CHANNEL(name) SCYEXIT(...) updates the repository; restart channel instances to pick up changes. Empty SCYEXIT means no security exit—normal for most channels.
```mqsc
* Example pattern only—replace with your vendor exit name and data
DEFINE CHANNEL('PARTNER.SECURE') CHLTYPE(RCVR) TRPTYPE(TCP) +
       MCAUSER('mqpartner') SCYEXIT('myScyExit(POLICY=STRICT)')
ALTER CHANNEL('PARTNER.SECURE') SCYEXIT('myScyExit(POLICY=STRICT)')
DISPLAY CHANNEL('PARTNER.SECURE') SCYEXIT MCAUSER
* After change: STOP CHANNEL then START or let partner reconnect
```
The example is illustrative. Your site must supply a real exit compiled for your MQ version and platform. IBM and third parties ship sample exits; production use requires support agreements and regression testing on every MQ fix pack upgrade.
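Before a fix pack upgrade, or when reconciling MCAUSER and SCYEXIT across many channels, it helps to inventory the exits from `DISPLAY CHANNEL(*)` output rather than by hand. The following Python script is an added example, not part of this tutorial or of IBM's tooling: it parses a constructed sample of `runmqsc` output (channel names, users and exit names are invented), treats the SCYEXIT value as the `exitName(exitData)` form described above, and flags channels whose MCAUSER is blank because their effective identity then depends entirely on the exit.

```python
import re
# Constructed sample of runmqsc output for DISPLAY CHANNEL(*) CHLTYPE MCAUSER SCYEXIT (values invented).
SAMPLE_OUTPUT = """\
AMQ8414I: Display Channel details.
   CHANNEL(PARTNER.SECURE)   CHLTYPE(RCVR)
   MCAUSER(mqpartner)        SCYEXIT(myScyExit(POLICY=STRICT))
AMQ8414I: Display Channel details.
   CHANNEL(LEGACY.SVRCONN)   CHLTYPE(SVRCONN)
   MCAUSER( )                SCYEXIT(oldExit(PARTNER=42))
AMQ8414I: Display Channel details.
   CHANNEL(APP.SVRCONN)      CHLTYPE(SVRCONN)
   MCAUSER(appuser)          SCYEXIT( )
"""
TOKEN = re.compile(r"\b([A-Z]+)\(")

def parse_attributes(text):
    """Yield (NAME, value) from NAME(value) tokens, balancing parentheses so that
    SCYEXIT(myScyExit(POLICY=STRICT)) is one value (a naive regex would cut at the first ')')."""
    pos = 0
    while (m := TOKEN.search(text, pos)):
        depth, j = 1, m.end()
        while j < len(text) and depth:
            depth += {"(": 1, ")": -1}.get(text[j], 0)
            j += 1
        yield m.group(1), text[m.end():j - 1].strip()
        pos = j

def parse_channels(text):
    """One dict per channel; each CHANNEL(...) attribute starts a new record."""
    channels = []
    for name, value in parse_attributes(text):
        if name == "CHANNEL":
            channels.append({"CHANNEL": value})
        elif channels:
            channels[-1][name] = value
    return channels

def split_exit(spec):
    """exitName(exitData) -> (name, data); data is None when absent, name is None when blank."""
    name, sep, rest = spec.partition("(")
    return (name.strip() or None), (rest[:-1] if sep and rest.endswith(")") else None)

def audit(text):
    """One finding per channel with a security exit; a blank MCAUSER is flagged."""
    findings = []
    for ch in parse_channels(text):
        exit_name, exit_data = split_exit(ch.get("SCYEXIT", ""))
        if exit_name is not None:
            findings.append({"channel": ch["CHANNEL"], "type": ch.get("CHLTYPE"), "exit": exit_name,
                             "data": exit_data, "blank_mcauser": not ch.get("MCAUSER")})
    return findings
```

Feed it the saved output of `DISPLAY CHANNEL(*) CHLTYPE MCAUSER SCYEXIT`; the set `{f["exit"] for f in audit(output)}` is the list of modules to rebuild or re-obtain from the vendor before the upgrade.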
MCAUSER on the channel sets the default user ID for puts and gets under that channel unless CHLAUTH or an exit changes it. CHLAUTH ADDRESSMAP and SSLPEERMAP rules run in the modern rule engine and do not require custom code. SCYEXIT can complement CHLAUTH—for example, call an external system after CHLAUTH maps a certificate to a user—or override behavior in legacy estates. Order of processing matters and is release-specific; document the effective identity path on a whiteboard before enabling both SSLPEERMAP and SCYEXIT on the same SVRCONN. If the exit sets a different user than administrators expect, reason code 2035 (MQRC_NOT_AUTHORIZED) on queue access appears even though the TLS handshake succeeded.
Greenfield IBM MQ 9.x designs should implement CHLAUTH deny-by-default, TLS 1.2+, and CONNAUTH before considering SCYEXIT. Exits add operational burden: 64-bit vs 32-bit libraries, path permissions, signature verification, and coordination with security scanners.
Exit programs live in the exits directory configured for the queue manager (often something like /var/mqm/exits on Linux, with parallel concepts on Windows and z/OS STEPLIB). The queue manager process must have execute permission. Mixed-endian or wrong MQ version builds cause abends. On z/OS, exits may be linked into libraries known to the channel initiator. After MQ upgrade, recompile or obtain updated exit levels from the vendor—exits are not always forward-compatible without rebuild. Keep a non-production queue manager mirroring production exit configuration for soak tests.
CHLAUTH and TLS are the standard ID check and metal detector at the venue. SCYEXIT is hiring your own bouncer who can ask custom questions IBM did not program—like calling HR to verify a contractor badge. If the bouncer computer crashes, nobody enters, even with a valid ticket.
SCYEXIT is a special helper program MQ calls to double-check whether someone is allowed to use the channel, like an extra teacher checking your hall pass on top of the normal rules.
Draw a flowchart: TLS handshake, CHLAUTH SSLPEERMAP, MCAUSER, then SCYEXIT—where could 2035 appear?
List five items for an MQ upgrade checklist when SCYEXIT is enabled on fifty channels.
Explain to a manager why CHLAUTH alone might be enough without a custom security exit.
1. SCYEXIT is primarily for:
2. SCYEXIT vs SSLCIPH:
3. Before enabling SCYEXIT in production you should:
4. A failed security exit usually: