Security of WebSphere MQ for iSeries objects
This section deals with remote messaging aspects of security.
Users need authority to make use of the WebSphere MQ for iSeries facilities.
This authority is organized according to the actions to be taken with respect to objects
and definitions. For example:
- Queue managers can be started and stopped by authorized users.
- Applications need to connect to the queue manager, and have authority
to make use of queues.
- Message channels need to be created and controlled by authorized users.
The message channel agent (MCA) at a remote site needs to check that the message
being delivered originates from a user with authority to deliver it at this remote
site. In addition, as MCAs can be started remotely, it may be necessary to
verify that the remote processes trying to start your MCAs are authorized
to do so. There are three possible ways for you to deal with this:
- Specify in the channel definition that messages must contain acceptable context authority; otherwise they are discarded.
- Implement user exit security checking to ensure
that the corresponding message channel is authorized. The security of the
installation hosting the corresponding channel ensures that all users are
properly authorized, so that you do not need to check individual messages.
- Implement user exit message processing to ensure
that individual messages are vetted for authorization.
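The first option, sketched as i5/OS CL commands. This is an added example, not part of the original page: it assumes the channel setting meant is the `PUTAUT` parameter of a receiver channel, and the names `QM1`, `REMOTE.TO.LOCAL`, `ORDERS.IN` and `APPUSER1` are placeholders.

```cl
/* Added example; every object and user name here is a placeholder.  */

/* Weaker setting: the user ID carried in the message context is     */
/* not used to decide whether the message may be put on the queue.   */
CRTMQMCHL CHLNAME(REMOTE.TO.LOCAL) CHLTYPE(*RCVR) +
          MQMNAME(QM1) TRPTYPE(*TCP) +
          PUTAUT(*DFT)

/* Corrected setting: the user ID in the message context is used to  */
/* establish authority to put the message on the destination queue.  */
CRTMQMCHL CHLNAME(REMOTE.TO.LOCAL) CHLTYPE(*RCVR) +
          MQMNAME(QM1) TRPTYPE(*TCP) +
          PUTAUT(*CTX) REPLACE(*YES)

/* With *CTX in force, the originating user needs put authority on   */
/* each target queue at this site. Grant only what is needed.        */
GRTMQMAUT OBJ(ORDERS.IN) OBJTYPE(*Q) USER(APPUSER1) +
          AUT(*PUT) MQMNAME(QM1)

/* Check: display what the user profile actually holds on the queue. */
DSPMQMAUT OBJ(ORDERS.IN) OBJTYPE(*Q) USER(APPUSER1) MQMNAME(QM1)
```

Because users are identified by i5/OS, the user ID in the message context must correspond to a user profile that exists on the receiving system for the grant to have any effect.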
Here are some facts about the way WebSphere MQ for iSeries handles security:
- Users are identified and authenticated by i5/OS.
- Queue manager services invoked by applications are run with the authority
of the queue manager user profile, but in the user's process.
- Queue manager services invoked by user commands are run with the authority
of the queue manager user profile.