Security considerations
You need to consider the following points when setting up authorities for the users in your enterprise:
- Grant and revoke authorities to the WebSphere MQ for iSeries commands using the OS/400(R) GRTOBJAUT and RVKOBJAUT commands.
- During installation of WebSphere MQ for iSeries the following special user profiles are created:
  - QMQM
    - Is used primarily for internal product-only functions. However, it can be used to run trusted applications using MQCNO_FASTPATH_BINDINGS; see the WebSphere MQ Application Programming Guide for further information.
  - QMQMADM
    - Is used as a group profile for administrators of WebSphere MQ. The group profile gives access to CL commands and WebSphere MQ resources.
- If you are sending channel commands to remote queue managers, ensure that
your user profile is a member of the group QMQMADM on the target system. For
a list of PCF and MQSC channel commands, see Channel command security.
- The group set associated with a user is cached when the group authorizations are computed by the OAM. Any changes made to a user's group memberships after the group set has been cached are not recognized until you restart the queue manager or execute RFRMQMAUT to refresh security.
- Limit the number of users who have authority to work with commands that are particularly sensitive. These commands include:
  - Create Message Queue Manager (CRTMQM)
  - Delete Message Queue Manager (DLTMQM)
  - Start Message Queue Manager (STRMQM)
  - End Message Queue Manager (ENDMQM)
  - Start Command Server (STRMQMCSVR)
  - End Command Server (ENDMQMCSVR)
- Channel definitions contain a security exit program specification. Channel creation and modification require special consideration. Details of security exits are given in WebSphere MQ Intercommunication.
- The channel exit and trigger monitor programs can be substituted. The
security of such replacements is the responsibility of the programmer.
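
The grant, revoke and group-refresh steps from the list above, as an added CL example that is not part of the original product documentation. The profile names MQOPER and MQADMIN1 and the queue manager name QM1 are hypothetical, the commands are resolved through the library list, and the MQMNAME keyword on RFRMQMAUT is assumed to match the other WebSphere MQ CL commands.

```cl
/* Added example: MQOPER, MQADMIN1 and QM1 are hypothetical names.   */

/* 1. Review who currently holds authority to each sensitive command */
/*    before changing anything.                                      */
DSPOBJAUT OBJ(CRTMQM) OBJTYPE(*CMD)
DSPOBJAUT OBJ(DLTMQM) OBJTYPE(*CMD)

/* 2. Remove an operator's private authority to create and delete    */
/*    queue managers. This does not remove authority the profile     */
/*    still receives through a group profile such as QMQMADM or      */
/*    through *PUBLIC, so check those entries in the step 1 output.  */
RVKOBJAUT OBJ(CRTMQM) OBJTYPE(*CMD) USER(MQOPER) AUT(*ALL)
RVKOBJAUT OBJ(DLTMQM) OBJTYPE(*CMD) USER(MQOPER) AUT(*ALL)

/* 3. Let the same operator start and end the queue manager only.    */
GRTOBJAUT OBJ(STRMQM) OBJTYPE(*CMD) USER(MQOPER) AUT(*USE)
GRTOBJAUT OBJ(ENDMQM) OBJTYPE(*CMD) USER(MQOPER) AUT(*USE)

/* 4. Make an administrator a member of the QMQMADM group profile.   */
CHGUSRPRF USRPRF(MQADMIN1) GRPPRF(QMQMADM)

/* 5. The OAM caches each user's group set, so refresh security      */
/*    (or restart the queue manager) for the membership change in    */
/*    step 4 to be recognized.                                       */
RFRMQMAUT MQMNAME(QM1)
```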