diff --git a/chart/base/config/config.mqsc b/chart/base/config/config.mqsc
index dd83f59..92dde6a 100644
--- a/chart/base/config/config.mqsc
+++ b/chart/base/config/config.mqsc
@@ -3,42 +3,6 @@ DEFINE QLOCAL(IBM.DEMO.Q.BOQ) REPLACE
 * Use a different dead letter queue, for undeliverable messages
 DEFINE QLOCAL('DEV.DEAD.LETTER.QUEUE') REPLACE
 ALTER QMGR DEADQ('DEV.DEAD.LETTER.QUEUE')
-* NOACCESS for connection from any IP for inbound connection
-SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule - Blocks everyone') ACTION(REPLACE)
-DEFINE CHANNEL(QMLDAP_SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP)
-* Allow access on LDAP channel
-SET CHLAUTH(QMLDAP_SVRCONN) TYPE(BLOCKUSER) ACTION(REPLACE) USERLIST('nobody')
-* Remove default admin rule
-* SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN) ACTION(REMOVE)
-* Define LDAP config
-DEFINE AUTHINFO(USE.LDAP) +
-AUTHTYPE(IDPWLDAP) +
-CONNAME('openldap.openldap(389)') +
-LDAPUSER('cn=admin,dc=ibm,dc=com') LDAPPWD('admin') +
-SECCOMM(NO) +
-USRFIELD('uid') +
-SHORTUSR('uid') +
-BASEDNU('ou=people,dc=ibm,dc=com') +
-AUTHORMD(SEARCHGRP) +
-BASEDNG('ou=groups,dc=ibm,dc=com') +
-GRPFIELD('cn') +
-CLASSGRP('groupOfUniqueNames') +
-FINDGRP('uniqueMember') +
-CHCKCLNT(REQUIRED) +
-REPLACE
-ALTER QMGR CONNAUTH(USE.LDAP)
-REFRESH SECURITY
-*** mTLS ***
-* DEFINE CHANNEL('IBM.APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('mqapp') SSLCAUTH(REQUIRED) SSLCIPH('ECDHE_RSA_AES_256_CBC_SHA384') TRPTYPE(TCP) REPLACE
-*** TLS ***
-DEFINE CHANNEL('IBM.APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('mqapp') SSLCAUTH(OPTIONAL) SSLCIPH('ECDHE_RSA_AES_256_CBC_SHA384') TRPTYPE(TCP) REPLACE
-* allowing access to this channel for the user "mqapp"
-SET CHLAUTH(IBM.APP.SVRCONN) TYPE(USERMAP) CLNTUSER('mqapp') USERSRC(MAP) MCAUSER('mqapp') ACTION(ADD)
-* allow "mqapp" user to connect to queue manager
-SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('mqapp') AUTHADD(CONNECT,INQ,SETALL)
-* allow "mqapp" user to interact with the queue
-SET AUTHREC PROFILE(IBM.DEMO.Q) PRINCIPAL('mqapp') OBJTYPE(QUEUE) AUTHADD(PUT, GET, PASSALL, BROWSE, INQ)
-SET AUTHREC PROFILE(IBM.DEMO.Q.BOQ) PRINCIPAL('mqapp') OBJTYPE(QUEUE) AUTHADD(PUT, GET, PASSALL, BROWSE, INQ)
-REFRESH QMGR TYPE(CONFIGEV) OBJECT(AUTHINFO)
-REFRESH QMGR TYPE(CONFIGEV) OBJECT(AUTHREC)
-REFRESH SECURITY
+DEFINE CHANNEL('IBM.APP.SVRCONN') CHLTYPE(SVRCONN)
+ALTER QMGR CHLAUTH (DISABLED)
+REFRESH SECURITY TYPE(CONNAUTH)
diff --git a/chart/base/security/config.mqsc b/chart/base/security/config.mqsc
new file mode 100644
index 0000000..dd83f59
--- /dev/null
+++ b/chart/base/security/config.mqsc
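Review bot: The new default profile defines `IBM.APP.SVRCONN` with no `MCAUSER` and no `SSLCIPH` and then turns channel authentication off queue-manager-wide with `ALTER QMGR CHLAUTH (DISABLED)`, so as far as I can tell the user id asserted by the connecting client is the one used for authorization on that channel, and nothing replaces the removed NOACCESS back-stop rule. If this profile is intended for local development only, say so at the top of the file: `* Development-only profile: CHLAUTH disabled, no TLS, no MCAUSER - select security=true for any network-reachable deployment`. A cheap middle ground that keeps existing clients working is to keep `MCAUSER('mqapp')` on the channel together with the `SET AUTHREC ... PRINCIPAL('mqapp')` grants this hunk removes, so the connection is at least pinned to a least-privilege identity instead of whatever the client presents. Note also that nothing now sets `CONNAUTH` after `ALTER QMGR CONNAUTH(USE.LDAP)` was dropped, so `REFRESH SECURITY TYPE(CONNAUTH)` reloads whatever CONNAUTH setting the queue manager already has, which is not visible here.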
@@ -0,0 +1,44 @@
+DEFINE QLOCAL(IBM.DEMO.Q) BOQNAME(IBM.DEMO.Q.BOQ) BOTHRESH(3) REPLACE
+DEFINE QLOCAL(IBM.DEMO.Q.BOQ) REPLACE
+* Use a different dead letter queue, for undeliverable messages
+DEFINE QLOCAL('DEV.DEAD.LETTER.QUEUE') REPLACE
+ALTER QMGR DEADQ('DEV.DEAD.LETTER.QUEUE')
+* NOACCESS for connection from any IP for inbound connection
+SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule - Blocks everyone') ACTION(REPLACE)
+DEFINE CHANNEL(QMLDAP_SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP)
+* Allow access on LDAP channel
+SET CHLAUTH(QMLDAP_SVRCONN) TYPE(BLOCKUSER) ACTION(REPLACE) USERLIST('nobody')
+* Remove default admin rule
+* SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN) ACTION(REMOVE)
+* Define LDAP config
+DEFINE AUTHINFO(USE.LDAP) +
+AUTHTYPE(IDPWLDAP) +
+CONNAME('openldap.openldap(389)') +
+LDAPUSER('cn=admin,dc=ibm,dc=com') LDAPPWD('admin') +
+SECCOMM(NO) +
+USRFIELD('uid') +
+SHORTUSR('uid') +
+BASEDNU('ou=people,dc=ibm,dc=com') +
+AUTHORMD(SEARCHGRP) +
+BASEDNG('ou=groups,dc=ibm,dc=com') +
+GRPFIELD('cn') +
+CLASSGRP('groupOfUniqueNames') +
+FINDGRP('uniqueMember') +
+CHCKCLNT(REQUIRED) +
+REPLACE
+ALTER QMGR CONNAUTH(USE.LDAP)
+REFRESH SECURITY
+*** mTLS ***
+* DEFINE CHANNEL('IBM.APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('mqapp') SSLCAUTH(REQUIRED) SSLCIPH('ECDHE_RSA_AES_256_CBC_SHA384') TRPTYPE(TCP) REPLACE
+*** TLS ***
+DEFINE CHANNEL('IBM.APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('mqapp') SSLCAUTH(OPTIONAL) SSLCIPH('ECDHE_RSA_AES_256_CBC_SHA384') TRPTYPE(TCP) REPLACE
+* allowing access to this channel for the user "mqapp"
+SET CHLAUTH(IBM.APP.SVRCONN) TYPE(USERMAP) CLNTUSER('mqapp') USERSRC(MAP) MCAUSER('mqapp') ACTION(ADD)
+* allow "mqapp" user to connect to queue manager
+SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('mqapp') AUTHADD(CONNECT,INQ,SETALL)
+* allow "mqapp" user to interact with the queue
+SET AUTHREC PROFILE(IBM.DEMO.Q) PRINCIPAL('mqapp') OBJTYPE(QUEUE) AUTHADD(PUT, GET, PASSALL, BROWSE, INQ)
+SET AUTHREC PROFILE(IBM.DEMO.Q.BOQ) PRINCIPAL('mqapp') OBJTYPE(QUEUE) AUTHADD(PUT, GET, PASSALL, BROWSE, INQ)
+REFRESH QMGR TYPE(CONFIGEV) OBJECT(AUTHINFO)
+REFRESH QMGR TYPE(CONFIGEV) OBJECT(AUTHREC)
+REFRESH SECURITY
diff --git a/chart/base/templates/configmap.yaml b/chart/base/templates/configmap.yaml
index 7f69263..52f81ba 100644
--- a/chart/base/templates/configmap.yaml
+++ b/chart/base/templates/configmap.yaml
@@ -3,5 +3,10 @@ kind: ConfigMap
 metadata:
   name: {{ .Values.mqsc.configmap }}
 data:
+{{- if eq .Values.security true }}
+{{- $path := printf "%s/*" .Values.configmap.pathWithSecurity }}
+{{ (.Files.Glob $path).AsConfig | indent 2 }}
+{{ else }}
 {{- $path := printf "%s/*" .Values.configmap.path }}
 {{ (.Files.Glob $path).AsConfig | indent 2 }}
+{{ end }}
diff --git a/chart/base/values.yaml b/chart/base/values.yaml
index c26a911..a61a264 100644
--- a/chart/base/values.yaml
+++ b/chart/base/values.yaml
@@ -80,6 +80,7 @@ template:
 configmap:
   path: config
+  pathWithSecurity: security
 cert:
   secretName: mq-server-cert
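Review bot: The LDAP bind credentials `LDAPUSER('cn=admin,dc=ibm,dc=com') LDAPPWD('admin')` inside the `DEFINE AUTHINFO(USE.LDAP)` block are committed in clear text and, through the `.Files.Glob`/`AsConfig` template in configmap.yaml, are rendered into a ConfigMap rather than a Secret, so the directory admin password is exposed to anyone with ConfigMap read access in the namespace. The same AUTHINFO uses `SECCOMM(NO)` against port 389, so that bind password and every user password that CONNAUTH verifies travel to the directory unencrypted; for anything beyond a throwaway demo, bind with a dedicated low-privilege DN, deliver the AUTHINFO definition from a Secret-backed volume instead of this ConfigMap, and set `SECCOMM(YES)` with the directory's TLS port in `CONNAME`. Separately, the comment `* Allow access on LDAP channel` above `SET CHLAUTH(QMLDAP_SVRCONN) TYPE(BLOCKUSER) ... USERLIST('nobody')` overstates what that rule does: as far as I can tell a BLOCKUSER rule only overrides the default `*MQADMIN` block for that channel and does not lift the `ADDRESSMAP ... USERSRC(NOACCESS)` back-stop, so `QMLDAP_SVRCONN` still needs its own ADDRESSMAP or USERMAP rule before any connection is accepted on it. If that is intended, reword the comment to `* Lift the default *MQADMIN block on the LDAP channel (the NOACCESS back-stop still applies)` so the next reader does not assume the channel is open.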
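Review bot: `{{- if eq .Values.security true }}` keys off a `security` value that this commit does not declare in values.yaml (the values.yaml hunk only adds `configmap.pathWithSecurity`), so unless it is set somewhere outside this diff I would expect the comparison to run against nil and either fail to render or fall through to the `config/` profile, which is the one with channel authentication disabled. Declare the toggle explicitly, e.g. `security: true` next to `configmap:` with a comment that `false` selects the CHLAUTH-disabled development profile, and simplify the test to `{{- if .Values.security }}`. Since the else branch is the insecure profile, defaulting to the secured one and making the insecure profile an explicit opt-out is the safer shape; the values.yaml hunk shares this point and I have not repeated it there.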