Stopping unauthorized queue managers putting messages on your queues
To prevent certain queue managers from putting messages on a queue, use
the security facilities available on your platform. For example:
- RACF® or other external security managers on WebSphere MQ for z/OS
- The Object Authority Manager (OAM) on WebSphere MQ for iSeries, WebSphere MQ on UNIX systems, and WebSphere MQ for Windows, and on MQSeries for Compaq Tru64 UNIX, V5.1, MQSeries for Compaq OpenVMS Alpha, Version 5.1, and MQSeries for Compaq NonStop Kernel, V5.1
In addition, you can use the PUT authority (PUTAUT) attribute on the CLUSRCVR
channel definition. The PUTAUT attribute allows you to specify what user IDs
are to be used to establish authority to put a message to a queue. The options
on the PUTAUT attribute are:
- DEF: Use the default user ID. On z/OS this might involve using both the
user ID received from the network and that derived from MCAUSER.
- CTX: Use the user ID in the context information associated with the message.
On z/OS this might involve using either the user ID received from the
network, or that derived from MCAUSER, or both. Use this option if the link
is trusted and authenticated.
- ONLYMCA (z/OS only): As for DEF, but any user ID received from the network will not be used.
Use this option if the link is not trusted and you want to allow only a specific
set of actions on it, which are defined for the MCAUSER.
- ALTMCA (z/OS only): As for CTX, but any user ID received from the network will not be used.
For more information about using the PUTAUT attribute on a channel definition, see
the WebSphere MQ Intercommunication book or see the WebSphere MQ Script (MQSC) Command Reference book.
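The following is an added example, not part of the WebSphere MQ documentation: a small Python check that reads MQSC DEFINE CHANNEL commands and reports the PUTAUT and MCAUSER settings of every CLUSRCVR channel, so that channels relying on the message context or lacking an MCAUSER can be reviewed. The sample script and every name in it are constructed, and the check assumes that an omitted PUTAUT means DEF and an omitted MCAUSER is blank.

```python
import re
# Constructed sample MQSC script: channel, cluster, host and user names are invented.
SAMPLE_MQSC = """\
* Cluster channels for QM1
DEFINE CHANNEL(TO.QM1) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) +
       CONNAME('qm1.example.com(1414)') CLUSTER(DEMO) PUTAUT(CTX)
DEFINE CHANNEL(TO.QM1.APPS) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) +
       CONNAME('qm1.example.com(1415)') CLUSTER(DEMO) +
       MCAUSER('clusmca') PUTAUT(DEF)
DEFINE CHANNEL(TO.QM2) CHLTYPE(CLUSSDR) CONNAME('qm2.example.com(1414)') CLUSTER(DEMO)
"""

def statements(script):
    """Yield MQSC commands, joining '+'/'-' continuation lines and skipping '*' comments."""
    buf = ""
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        if line[-1] in "+-":
            buf += line[:-1].rstrip() + " "
        else:
            yield buf + line
            buf = ""

def attr(stmt, name, default=""):
    """Return the value of NAME(value) from one command, unquoted, or the default."""
    m = re.search(r"\b" + name + r"\(\s*'?([^')]*)'?\s*\)", stmt, re.I)
    return m.group(1).strip() if m else default

def audit_clusrcvr(script):
    """Return (channel, PUTAUT, MCAUSER, notes) for every CLUSRCVR definition."""
    report = []
    for stmt in statements(script):
        is_define = re.match(r"DEFINE\s+CHANNEL\(", stmt, re.I)
        if not is_define or attr(stmt, "CHLTYPE").upper() != "CLUSRCVR":
            continue
        putaut = attr(stmt, "PUTAUT", "DEF").upper()   # assumed default: DEF
        mcauser = attr(stmt, "MCAUSER")                # assumed default: blank
        notes = []
        if putaut in ("CTX", "ALTMCA"):
            notes.append("put authority follows the message context user ID")
        if not mcauser:
            notes.append("MCAUSER is blank")
        report.append((attr(stmt, "CHANNEL"), putaut, mcauser, notes))
    return report

if __name__ == "__main__":
    print(*audit_clusrcvr(SAMPLE_MQSC), sep="\n")
```

A channel reported with PUTAUT(CTX) is one to compare against the guidance above that CTX is for links that are trusted and authenticated.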
Note:
As with any other transmission queue, applications cannot
put messages directly to SYSTEM.CLUSTER.TRANSMIT.QUEUE without special authorization.