Considering security for a broker

Consider the factors for deciding which users can:
  • Execute broker commands
  • Control security for other broker resources.
Consider the following steps:
  1. Deciding which user accounts can execute broker commands
  2. Deciding which user account to use for the broker service ID
  3. Setting security on the broker's queues
  4. Enabling topic-based security in the broker

Deciding which user accounts can execute broker commands

Decide what permissions are required for the user IDs that:
  • Create, change, list, delete, start, and stop brokers
  • Display, retrieve, and change trace information.

Answer the following questions:

  1. Is your broker installed on a Linux or UNIX operating system?
    1. No: Go to the next question.
    2. Yes: Go to Deciding which user account to use for the broker service ID.
  2. Are you executing broker commands under a Windows local account?
    1. No: Go to the next question.
    2. Yes: Assume that your local account is on a computer named, for example, WKSTN1. When you create a broker, ensure that your user ID is defined in your local domain. When you create or start a broker, ensure that your user ID is a member of WKSTN1\Administrators.

      Go to Deciding which user account to use for the broker service ID.

  3. Are you executing broker commands under a Windows domain account?
    1. Yes: Assume that your computer named, for example, WKSTN1, is a member of a domain named DOMAIN1. When you create a broker using, for example, DOMAIN1\user1, ensure that DOMAIN1\user1 is a member of WKSTN1\Administrators.

      Go to Deciding which user account to use for the broker service ID.

Deciding which user account to use for the broker service ID

When you set the service ID with the -i option on the mqsicreatebroker or mqsichangebroker command, you determine the user ID under which the broker component process runs.

Answer the following questions:

  1. Is your broker installed on a Linux or UNIX operating system?
    1. No: Go to the next question.
    2. Yes: Go to Setting security on the broker's queues.
  2. Do you want your broker to run under a Windows local account?
    1. No: Go to the next question.
    2. Yes: Ensure that your user ID is defined in your local domain and is a member of mqbrkrs.

      Go to Setting security on the broker's queues.

  3. Do you want your broker to run under a Windows domain account?
    1. Yes: Assume that your computer named, for example, WKSTN1, is a member of a domain named DOMAIN1. When you run a broker using, for example, DOMAIN1\user1, ensure that DOMAIN1\user1 is a member of DOMAIN1\Domain mqbrkrs, and that DOMAIN1\Domain mqbrkrs is a member of WKSTN1\mqbrkrs.

      Go to Setting security on the broker's queues.
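
The Windows group requirements from the two decision lists above can be audited on the broker computer with a short script. This is an added example, not part of the original documentation or the product. It assumes the Get-LocalGroupMember cmdlet (Windows PowerShell 5.1 or later) and, for domain accounts, the ActiveDirectory module; the account names are the page's illustrative values, and the parameter names are hypothetical.

```powershell
# Added example (not product code). Default names are the page's illustrative values.
param(
    [string]$CommandUser = 'DOMAIN1\user1',      # account that runs broker commands
    [string]$ServiceUser = 'DOMAIN1\user1',      # broker service ID (the -i option)
    [string]$LocalBrokerGroup  = 'mqbrkrs',
    [string]$DomainBrokerGroup = 'Domain mqbrkrs'
)

function Get-LocalMemberNames([string]$Group) {
    # Members are returned as COMPUTER\name or DOMAIN\name.
    @((Get-LocalGroupMember -Group $Group -ErrorAction Stop).Name)
}

$computer = $env:COMPUTERNAME
$findings = @()

# Creating or starting a broker: the command user must be a local administrator.
if ((Get-LocalMemberNames 'Administrators') -notcontains $CommandUser) {
    $findings += "$CommandUser is not a member of $computer\Administrators"
}

# Split DOMAIN\name (or COMPUTER\name) into its two parts.
$domain, $account = $ServiceUser -split '\\', 2
$localMembers = Get-LocalMemberNames $LocalBrokerGroup

if ($domain -ieq $computer) {
    # Local service account: must be a member of the local mqbrkrs group.
    if ($localMembers -notcontains $ServiceUser) {
        $findings += "$ServiceUser is not a member of $computer\$LocalBrokerGroup"
    }
} else {
    # Domain service account: user -> DOMAIN\Domain mqbrkrs -> local mqbrkrs.
    $domainGroup = "$domain\$DomainBrokerGroup"
    if ($localMembers -notcontains $domainGroup) {
        $findings += "$domainGroup is not a member of $computer\$LocalBrokerGroup"
    }
    # Get-ADGroupMember requires the ActiveDirectory (RSAT) module.
    $direct = @((Get-ADGroupMember -Identity $DomainBrokerGroup -Server $domain).SamAccountName)
    if ($direct -notcontains $account) {
        $findings += "$ServiceUser is not a direct member of $domainGroup"
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'All group prerequisites checked by this script are met.'
}
```

The script only reads group membership; each warning names the membership that is missing so it can be corrected before the broker is created or started.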

Setting security on the broker's queues

When you run the mqsicreatebroker command, the mqbrkrs group gets access authority to the following queues:
  • SYSTEM.BROKER.ADMIN.QUEUE
  • SYSTEM.BROKER.CONTROL.QUEUE
  • SYSTEM.BROKER.EXECUTIONGROUP.QUEUE
  • SYSTEM.BROKER.EXECUTIONGROUP.REPLY
  • SYSTEM.BROKER.INTERBROKER.QUEUE
  • SYSTEM.BROKER.MODEL.QUEUE

Enabling topic-based security in the broker

Perform this task by responding to the following question:

Do you want to enable topic-based security in the broker?
  1. Yes: Go to Enabling topic-based security.
  2. No: Go to Considering security for a Configuration Manager.