Authority to work with WebSphere MQ objects on i5/OS, UNIX systems, and Windows systems

On i5/OS, UNIX systems, and Windows systems, the authorization service provides the access control when an application issues an MQI call to access a WebSphere MQ object that is a queue manager, queue, process, or namelist. This includes checks for alternate user authority and the authority to set or pass context information.

The authorization service also provides authority checks when a PCF command operates on one of these WebSphere MQ objects or an authentication information object. The equivalent MQSC command encapsulated within an Escape PCF command is treated in the same way.

On i5/OS, unless the user is a member of the QMQMADM group or has *ALLOBJ authority, the authorization service also provides authority checks when a user issues a CL command in Group 2 that operates on any of these WebSphere MQ objects or an authentication information object.

The authorization service is an installable service, which means that it is implemented by one or more installable service components. Each component is invoked using a documented interface. This enables users and vendors to provide components to augment or replace those provided by the WebSphere MQ products.

The authorization service component provided with WebSphere MQ is called the Object Authority Manager (OAM). The OAM is automatically enabled for each queue manager you create.

The OAM maintains an access control list (ACL) for each WebSphere MQ object it is controlling access to. On UNIX systems, only group IDs can appear in an ACL. This means that all members of a group have the same authorities. On i5/OS and on Windows systems, both user IDs and group IDs can appear in an ACL. This means that authorities can be granted to individual users as well as to groups.

The OAM can authenticate a user and change appropriate identity context fields. You enable this by specifying a connection security parameters structure (MQCSP) on an MQCONNX call. The structure is passed to the OAM Authenticate User function (MQZ_AUTHENTICATE_USER), which sets appropriate identity context fields. In the case of an MQCONNX connection from a WebSphere MQ client, the information in the MQCSP is flowed to the queue manager to which the client is connecting over the client-connection and server-connection channel. If security exits are defined on that channel, the MQCSP is passed into each security exit and can be altered by the exit. Security exits can also create the MQCSP. For more details of the use of security exits in this context, see "Channel-exit programs", in the IBM WebSphere MQ: Intercommunication manual.

On UNIX and Windows systems, the control command setmqaut grants and revokes authorities and is used to maintain the ACLs. For example, the command:

setmqaut -m JUPITER -t queue -n MOON.EUROPA -g VOYAGER +browse +get

allows the members of the group VOYAGER to browse messages on the queue MOON.EUROPA that is owned by the queue manager JUPITER. It allows the members to get messages from the queue as well.

The command:

setmqaut -m JUPITER -t queue -n MOON.* -g VOYAGER +put

allows the members of the group VOYAGER to put messages on any queue whose name begins with the characters "MOON.". Here MOON.* is the name of a generic profile. A generic profile allows you to grant authorities for a set of objects using a single setmqaut command. Objects whose names match the profile name do not have to exist when the setmqaut command is issued. Using generic profiles, therefore, allows you to grant authorities for objects that you might create in the future.

The control command dspmqaut is available to display the current authorities that a user or group has for a specified object. The control command dmpmqaut is also available to display the current authorities associated with generic profiles. For more information on the dspmqaut and dmpmqaut commands, see the WebSphere MQ: System Administration Guide.
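The following Python model, added here as an illustration and not part of IBM's WebSphere MQ code, shows the decision the OAM makes from the ACL entries that the setmqaut commands above create: an ACL keyed by queue manager, object type, profile and entity; "+auth" and "-auth" changes; the -remove option that deletes a record (the PCF Delete Authority Record equivalent); generic-profile matching in which "*" inside a qualifier matches zero or more characters other than a period, "?" matches one such character, and a profile of just "**" matches every name; and the platform rule that on UNIX systems only group IDs can appear in an ACL. The queue manager, queue and group names are the ones from the text; the user names alice and bob are constructed. Taking the union of authorities from all matching records is a simplification chosen for this model.

```python
"""Toy model of the Object Authority Manager decision described in the text.

Added example, not IBM's code. Names other than those in the text (alice, bob,
PIONEER, MOON.IO) are constructed for illustration.
"""
import re
from collections import defaultdict


def profile_matches(profile, name):
    """Return True if the object name matches the (possibly generic) profile."""
    if profile == "**":
        return True
    # Escape everything, then turn the escaped wildcards back into character
    # classes that cannot cross a '.' qualifier boundary.
    pattern = re.escape(profile).replace(r"\*", "[^.]*").replace(r"\?", "[^.]")
    return re.fullmatch(pattern, name) is not None


class Oam:
    """Minimal OAM: one set of authorities per (qmgr, type, profile, entity)."""

    def __init__(self, platform):
        if platform not in ("unix", "windows", "i5os"):
            raise ValueError("unknown platform")
        self.platform = platform
        # entity is ("g", group) or ("p", user), mirroring setmqaut -g / -p.
        self.acl = defaultdict(set)

    def setmqaut(self, qmgr, objtype, profile, entity, *changes, remove=False):
        """Apply '+auth' / '-auth' changes, or delete the record (setmqaut -remove)."""
        kind, _ = entity
        if self.platform == "unix" and kind == "p":
            raise ValueError("on UNIX systems only group IDs can appear in an ACL")
        key = (qmgr, objtype, profile, entity)
        if remove:
            self.acl.pop(key, None)
            return
        for change in changes:
            sign, auth = change[0], change[1:]
            if sign == "+":
                self.acl[key].add(auth)
            elif sign == "-":
                self.acl[key].discard(auth)
            else:
                raise ValueError("authority change must start with + or -")

    def dspmqaut(self, qmgr, objtype, name, entity):
        """Authorities one entity holds on a named object (like dspmqaut)."""
        found = set()
        for (q, t, profile, e), auths in self.acl.items():
            if (q, t, e) == (qmgr, objtype, entity) and profile_matches(profile, name):
                found |= auths
        return found

    def check(self, qmgr, objtype, name, user, groups, auth):
        """The decision on an MQI call: does the user, directly or through any
        of its groups, hold 'auth' on the object? User records are only
        consulted on platforms where they can exist."""
        entities = [("g", g) for g in groups]
        if self.platform != "unix":
            entities.append(("p", user))
        return any(auth in self.dspmqaut(qmgr, objtype, name, e) for e in entities)


def demo():
    """Replay the two setmqaut commands from the text and return the outcomes."""
    oam = Oam("unix")
    oam.setmqaut("JUPITER", "queue", "MOON.EUROPA", ("g", "VOYAGER"), "+browse", "+get")
    oam.setmqaut("JUPITER", "queue", "MOON.*", ("g", "VOYAGER"), "+put")
    return {
        "europa_get": oam.check("JUPITER", "queue", "MOON.EUROPA", "alice", ["VOYAGER"], "get"),
        "io_put": oam.check("JUPITER", "queue", "MOON.IO", "alice", ["VOYAGER"], "put"),
        "io_get": oam.check("JUPITER", "queue", "MOON.IO", "alice", ["VOYAGER"], "get"),
        "mars_put": oam.check("JUPITER", "queue", "MARS.PHOBOS", "alice", ["VOYAGER"], "put"),
        "other_group": oam.check("JUPITER", "queue", "MOON.IO", "bob", ["PIONEER"], "put"),
        "europa_all": oam.dspmqaut("JUPITER", "queue", "MOON.EUROPA", ("g", "VOYAGER")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check function deliberately ignores user records on UNIX even if one were present, so that a misconfigured ACL cannot grant more than the platform rule allows; on Windows and i5/OS a user record for alice grants her authority with no group membership at all.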

On i5/OS, an administrator uses the CL command GRTMQMAUT to grant authorities and the CL command RVKMQMAUT to revoke authorities. Generic profiles can be used as well. For example, the CL command:

GRTMQMAUT MQMNAME(JUPITER) OBJTYPE(*Q) OBJ('MOON.*') USER(VOYAGER) AUT(*PUT)

provides the same function as the previous example of a setmqaut command; it allows the members of the group VOYAGER to put messages on any queue whose name begins with the characters "MOON.".

The CL command DSPMQMAUT displays the current authorities that a user or group has for a specified object. The CL commands WRKMQMAUT and WRKMQMAUTD are also available to work with the current authorities associated with objects and generic profiles.

If you do not want any authority checks, for example, in a test environment, you can disable the OAM.

For more information about the authority to work with WebSphere MQ objects, see the following topics:

Distributed channels as queue manager objects

Prior to WebSphere MQ Version 6.0, WebSphere MQ channels on i5/OS, UNIX, and Windows systems were stored collectively in a single channel definition file and secured by file permissions; only members of the mqm/QMQMADM group could access the definitions.

Queue manager objects such as queues, processes, namelists, and authinfo objects are stored in individual stream files in queue manager subdirectories. They are also recoverable from logs.

These objects are secured by the Object Authority Manager (OAM), and individuals or groups can be given varying levels of authority. For example, the MQUser user might be granted authority to browse messages on a queue but not to put messages to it.

From Version 6.0 onwards, WebSphere MQ channels are managed in the same way as other WebSphere MQ objects. For more information, see the WebSphere MQ: System Administration Guide.

Using PCF to access OAM commands

On i5/OS, UNIX, and Windows systems, you can use PCF commands to access OAM administration commands. The PCF commands and their equivalent OAM commands are as follows:

Table 1. PCF commands and their equivalent OAM commands

    PCF command                  OAM command
    Inquire Authority Records    dmpmqaut
    Inquire Entity Authority     dspmqaut
    Set Authority Record         setmqaut
    Delete Authority Record      setmqaut with -remove option

For more information on using these commands, see the WebSphere MQ: Programmable Command Formats and Administration Interface book.