Restrictions for trusted applications
The following restrictions apply to trusted applications:
- You must explicitly disconnect trusted applications from the queue manager.
- You must stop trusted applications before ending the queue manager with
the endmqm command.
- You must not use asynchronous signals and timer interrupts (such as sigkill) with MQCNO_FASTPATH_BINDING.
- On WebSphere MQ on UNIX systems you must use mqm as the effective userID and groupID for
all MQI calls. You can change these IDs before making a non-MQI call requiring
authentication (for example, opening a file), but you must change it back to mqm before making the next MQI call.
- On WebSphere(R) MQ for iSeries(TM):
- Trusted applications must run under the QMQM user profile. It is not
sufficient that the user profile be a member of the QMQM group or that the
program adopt QMQM authority. It might not be possible for the QMQM user profile
to be used to sign on to interactive jobs, or to be specified in the job description
for jobs running trusted applications. In this case one approach is to use
the i5/OS profile swapping API functions, QSYGETPH, QWTSETP, and QSYRLSPH
to temporarily change the current user of the job to QMQM while the MQ programs
run. Details of these functions, together with an example of their use, is
provided in the Security APIs section of the iSeries System API Reference.
- Do not cancel trusted applications using System-Request Option 2, or by
ending the jobs in which they are running using ENDJOB.
- On all platforms, a thread within a trusted application cannot connect
to a queue manager while another thread in the same process is connected to
a different queue manager.
- On WebSphere MQ for AIX, trusted applications must have the environment variable
EXTSHM set to ON in their environment before the application starts, or the
connection is downgraded to a standard connection.