Channel security
The user IDs associated with message channel agents (MCAs) need authority
to access various WebSphere MQ resources.
An MCA must be able to connect to a queue manager and open the dead letter
queue. If it is a sending MCA, it must be able to open the transmission queue
for the channel. If it is a receiving MCA, it must be able to open destination
queues and set context information in the messages it puts on those queues.
If the PUTAUT parameter is set to CTX (or ALTMCA on z/OS) in the channel
definition at the receiving end of a channel, the user ID in the UserIdentifier field in the message descriptor of each incoming message
needs authority to open the destination queue for the message. In addition,
the user ID associated with the receiving MCA needs alternate user authority,
because it opens the destination queue using the authority of that other user ID.
On an MQI channel, the user ID associated with the server connection MCA
needs authority to issue MQI calls on behalf of the client application.
The user ID that is used for authority checks depends on whether the MCA
is connecting to a queue manager or accessing queue manager resources after
it has connected to a queue manager:
- The user ID for connecting to a queue manager
- On i5/OS, UNIX systems, and Windows systems, the user ID whose authority
is checked when an MCA connects to a queue manager is the one under which
the MCA is running. This is known as the default user ID of the MCA. The default user ID might be derived in various
ways. Here are some examples:
- If a caller MCA is started by a channel initiator, the MCA runs under
the same user ID as the channel initiator. How that user ID is derived in turn
depends on how the channel initiator was started. For example,
if the channel initiator is started by using the WebSphere MQ Explorer, it runs under
the MUSER_MQADMIN user ID, which is created when you install WebSphere MQ for Windows and
is a member of the mqm group.
- If a responder MCA is started by a WebSphere MQ listener, the MCA runs under
the same user ID as that of the listener.
- If the communications protocol for the channel is TCP/IP and a responder
MCA is started by the inet daemon, the MCA runs under the user ID obtained
from the entry in the inetd.conf file that was used to start the MCA.
- If the communications protocol for the channel is SNA LU 6.2, a responder
MCA might run under the user ID contained in the inbound attach request, or
under the user ID specified in the transaction program (TP) definition for
the MCA.
After an MCA has connected to a queue manager, it accesses certain
queue manager resources as part of its initialization processing. The default
user ID of the MCA is also used for the authority checks when it opens these
resources. To enable the MCA to access these resources, you must ensure that
the default user ID is a member of the QMQMADM group on i5/OS, the mqm group
on UNIX and Windows systems, or the Administrators group on Windows systems.
On z/OS, every task in the channel initiator
address space that needs to connect to the queue manager does so when the
channel initiator address space is started. This includes the dispatcher tasks
that run as MCAs. The
channel initiator address space user ID is used to check the authority of
a task to connect to the queue manager.
- The user ID for subsequent authority checks
- After an MCA has connected to a queue manager, the user ID whose authority
is checked when the MCA accesses queue manager resources subsequently might
be different from the one that was checked when the MCA connected to the queue
manager. In addition, on z/OS, zero, one, or two user IDs might be
checked, depending on the access level of the channel initiator address space
user ID to the RESLEVEL profile. Here are some examples of other user IDs
that might be used:
- The value of the MCAUSER parameter in the channel definition
- For a receiving MCA, the user ID in the UserIdentifier field in the message descriptor of each incoming message, if the PUTAUT
parameter is set to CTX (or ALTMCA on z/OS) in the channel definition at the receiving
end of a channel
- For a server connection MCA, the user ID that is received from a client
system when a WebSphere MQ client application issues an MQCONN call
The user ID actually used is displayed in the channel status (the MCAUSER field of DISPLAY CHSTATUS).
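As an added example, not part of the WebSphere MQ documentation, the following POSIX shell script grants the authorities described above for the case where the receiver channel runs under a dedicated, non-mqm user ID set with MCAUSER and checks incoming messages with PUTAUT(CTX), then sets the channel and displays the user ID in use. The queue manager names QM1 and QM2, channel TO.QM1, user IDs mqrecv, mqsend and appuser, and queue APP.IN are assumptions; the +inq and +browse authorities are additions beyond the list on this page (MCAs inquire queue manager attributes, and a sending MCA browses the transmission queue before removing messages). By default the script only prints the setmqaut and runmqsc commands for review; set DRY_RUN=0 to run them on a system where WebSphere MQ is installed.

```shell
#!/bin/sh
# Added example (not from the WebSphere MQ documentation). All names are assumed.
# DRY_RUN=1 (default) prints the commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"

# run_or_print CMD ARGS...: echo the command in dry-run mode, otherwise run it.
run_or_print() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# mqsc QMGR 'MQSC COMMAND': feed one MQSC command to runmqsc (or print it).
mqsc() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "echo \"$2\" | runmqsc $1"
    else
        printf '%s\n' "$2" | runmqsc "$1"
    fi
}

# grant_receiver_mca_auth QMGR MCAUSER DESTQ...: a receiving MCA must connect to
# the queue manager, open the dead-letter queue, and open each destination queue
# and set context on the messages it puts (+setall, since it puts with
# MQPMO_SET_ALL_CONTEXT). With PUTAUT(CTX) it opens the destination queue under
# the message's UserIdentifier, so it also needs alternate-user authority
# (+altusr on the queue manager object). +inq is an addition: MCAs inquire
# queue manager attributes.
grant_receiver_mca_auth() {
    qm="$1"; user="$2"; shift 2
    run_or_print setmqaut -m "$qm" -t qmgr -p "$user" +connect +inq +altusr
    run_or_print setmqaut -m "$qm" -t queue -n SYSTEM.DEAD.LETTER.QUEUE -p "$user" +put +setall
    for q in "$@"; do
        run_or_print setmqaut -m "$qm" -t queue -n "$q" -p "$user" +put +setall
    done
}

# grant_putaut_ctx_user_auth QMGR USER DESTQ...: with PUTAUT(CTX) the user ID
# carried in each message's UserIdentifier field must itself be able to open
# the destination queue for output.
grant_putaut_ctx_user_auth() {
    qm="$1"; user="$2"; shift 2
    for q in "$@"; do
        run_or_print setmqaut -m "$qm" -t queue -n "$q" -p "$user" +put
    done
}

# grant_sender_mca_auth QMGR MCAUSER XMITQ: a sending MCA must connect, open
# the dead-letter queue, and open the transmission queue for the channel.
# +browse is an addition (the sender browses before destructively getting).
grant_sender_mca_auth() {
    qm="$1"; user="$2"; xq="$3"
    run_or_print setmqaut -m "$qm" -t qmgr -p "$user" +connect +inq
    run_or_print setmqaut -m "$qm" -t queue -n SYSTEM.DEAD.LETTER.QUEUE -p "$user" +put +setall
    run_or_print setmqaut -m "$qm" -t queue -n "$xq" -p "$user" +get +browse
}

# set_receiver_channel QMGR CHANNEL MCAUSER: pin the receiver to the dedicated
# user ID instead of the listener's ID and check puts under each message's
# UserIdentifier (PUTAUT(CTX)).
set_receiver_channel() {
    mqsc "$1" "ALTER CHANNEL($2) CHLTYPE(RCVR) MCAUSER('$3') PUTAUT(CTX)"
}

# show_effective_mcauser QMGR CHANNEL: the user ID actually in use for the
# channel's subsequent authority checks is in the channel status.
show_effective_mcauser() {
    mqsc "$1" "DISPLAY CHSTATUS($2) MCAUSER"
}

# in_group USER GROUP: succeeds if USER belongs to GROUP. Use it to confirm the
# default user ID of a listener- or inetd-started MCA is in mqm (it must be),
# and that the MCAUSER ID is not (so the channel cannot put everywhere).
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Worked example (dry run): QM1 receives from QM2 over channel TO.QM1.
grant_receiver_mca_auth QM1 mqrecv APP.IN
grant_putaut_ctx_user_auth QM1 appuser APP.IN
set_receiver_channel QM1 TO.QM1 mqrecv
show_effective_mcauser QM1 TO.QM1
grant_sender_mca_auth QM2 mqsend QM1
```

On UNIX systems, authorities in this release are held by groups, so `setmqaut -p mqrecv` effectively grants to the primary group of mqrecv; give the MCAUSER ID a dedicated primary group, or use `-g`, so that other members of a shared group do not inherit the grants. Keeping the MCAUSER ID out of mqm is what makes the receiving MCA able to put only to the queues you grant; if the channel instead inherits the listener's user ID, which must be in mqm, the receiver can put to any queue.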
On z/OS, the channel initiator address space user ID needs authority to
open certain system queues, such as SYSTEM.CHANNEL.INITQ, independently of
the MCAs that are running in the address space.
For more information about channel security, see:
- WebSphere MQ for iSeries V6 System Administration Guide
- WebSphere MQ System Administration Guide, for UNIX and Windows systems
- WebSphere MQ for z/OS System Setup Guide
- WebSphere MQ Clients, for MQI channels