Setting up WebSphere MQ

This is part of the larger task of setting up security on z/OS.

The user ID of the person running the create component (BIPCBRK, BIPCRCM, and BIPCRUN) jobs needs UPDATE access to the component PDSE, READ/EXECUTE access to the installation directory, and READ/WRITE/EXECUTE access to the component directory. If you do not use queue manager security, you do not need to read the rest of this topic. The topic Creating the broker component provides detailed statements on how to protect your queues.

The broker, Configuration Manager, and the User Name Server need to be able to connect to the queue manager.

By default, the broker's internal queues should be protected. They all have names of the form:
 SYSTEM.BROKER.*
These names cannot be changed. Restrict access to the broker, Configuration Manager, and User Name Server started task user IDs, and to WebSphere Message Broker administrators.

If you are running a Configuration Manager on z/OS, remote users connecting from either the Message Brokers Toolkit or from a Configuration Manager Proxy application need to be authorized to connect to the queue manager through the channel initiator, and require PUT and GET access to SYSTEM.BROKER.CONFIG.QUEUE and SYSTEM.BROKER.CONFIG.REPLY.

If you are using Publish/Subscribe, subscribers need to PUT to SYSTEM.BROKER.CONTROL.QUEUE.
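The following RACF commands sketch one way to express the queue restrictions described above. They are an added example, not the statements from the product documentation. Assumptions: the queue manager subsystem is MQP1, the started task user IDs are MQP1BRK, MQP1CFG and MQP1UNS, the groups WMBADM, WMBTOOL and WMBSUB hold administrators, remote Toolkit or Configuration Manager Proxy users, and subscribers, and generic profile checking is active for the MQQUEUE class.

```racf
/* All names below (MQP1, MQP1BRK, MQP1CFG, MQP1UNS, WMBADM,       */
/* WMBTOOL, WMBSUB) are constructed placeholders for this example. */

/* Started task user IDs must be able to connect to the queue manager */
RDEFINE MQCONN MQP1.BATCH UACC(NONE)
PERMIT MQP1.BATCH CLASS(MQCONN) -
  ID(MQP1BRK MQP1CFG MQP1UNS) ACCESS(READ)

/* Catch-all for the internal queues: no default access, only the  */
/* started task user IDs and the administrators group              */
RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.** UACC(NONE)
PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQQUEUE) -
  ID(MQP1BRK MQP1CFG MQP1UNS WMBADM) ACCESS(UPDATE)

/* RACF uses only the most specific matching profile. Once a queue */
/* has its own profile, the catch-all no longer applies to it, so  */
/* the started task and administrator permits are repeated here.   */
RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.CONFIG.QUEUE UACC(NONE)
PERMIT MQP1.SYSTEM.BROKER.CONFIG.QUEUE CLASS(MQQUEUE) -
  ID(MQP1BRK MQP1CFG MQP1UNS WMBADM WMBTOOL) ACCESS(UPDATE)

RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.CONFIG.REPLY UACC(NONE)
PERMIT MQP1.SYSTEM.BROKER.CONFIG.REPLY CLASS(MQQUEUE) -
  ID(MQP1BRK MQP1CFG MQP1UNS WMBADM WMBTOOL) ACCESS(UPDATE)

/* Subscribers get access to the control queue only. UPDATE is the */
/* level checked for both put and get opens, so this profile       */
/* cannot grant PUT without GET.                                   */
RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.CONTROL.QUEUE UACC(NONE)
PERMIT MQP1.SYSTEM.BROKER.CONTROL.QUEUE CLASS(MQQUEUE) -
  ID(MQP1BRK MQP1CFG MQP1UNS WMBADM WMBSUB) ACCESS(UPDATE)

/* Make the new and changed profiles effective */
SETROPTS RACLIST(MQCONN MQQUEUE) REFRESH
```

Authorizing remote users to connect through the channel initiator is not covered by this sketch.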

You can control which applications can use queues used by message flows. Applications need to be able to PUT and GET to queues defined in any nodes.
