Undelivered messages can be put on a special queue called the dead-letter queue. If you have sensitive data that could possibly end up on this queue, you must consider the security implications of this because you do not want unauthorized users to retrieve this data.
Each of the following must be allowed to put messages onto the dead-letter queue:
The only application that can retrieve messages from the dead-letter queue should be a 'special' application that processes these messages. However, a problem arises if you give applications RACF® UPDATE authority to the dead-letter queue for MQPUTs, because they can then automatically retrieve messages from the queue using MQGET calls. You cannot disable the dead-letter queue for get operations because, if you do, not even the 'special' applications could retrieve the messages.
One solution to this problem is to set up two-level access to the dead-letter queue. CKTI, message channel agent transactions or the channel initiator address space, and 'special' applications have direct access; other applications can only access the dead-letter queue through an alias queue. This alias is defined to allow applications to put messages on the dead-letter queue, but not to get messages from it.
This is how it might work:
The application cannot get any messages from the real dead-letter queue either, because it does not have the correct RACF authority.
Table 41 summarizes the RACF authority required for the various participants in this solution.
Associated user IDs | Real dead-letter queue (hlq.DEAD.QUEUE) | Alias dead-letter queue (hlq.DEAD.QUEUE.PUT) |
---|---|---|
MCA or channel initiator address space and CKTI | UPDATE | NONE |
'Special' application (for dead-letter queue processing) | UPDATE | NONE |
User-written application user IDs | NONE | UPDATE |
If you use this method, the application cannot determine the maximum message length (MAXMSGL) of the dead-letter queue. This is because the MAXMSGL attribute cannot be retrieved from an alias queue. Therefore, your application should assume that the maximum message length is 100 MB, the maximum size WebSphere MQ for z/OS supports. The real dead-letter queue should also be defined with a MAXMSGL attribute of 100 MB.
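The two-level setup summarized in Table 41, written out as MQSC definitions followed by RACF commands. This is an added example, not part of the original documentation. It assumes the queue is named DEAD.QUEUE, that hlq stands for the queue manager or queue-sharing group name, that the queue profiles are in class MQQUEUE, and that CHINUSER, CKTIUSER, DLQPROC and APPUSER are placeholder user IDs.

```text
* MQSC commands (issued to the queue manager)
* Real dead-letter queue: put and get enabled, 100 MB maximum length
DEFINE QLOCAL(DEAD.QUEUE) +
       PUT(ENABLED) GET(ENABLED) +
       MAXMSGL(104857600)
* Put-only alias that resolves to the real dead-letter queue
DEFINE QALIAS(DEAD.QUEUE.PUT) +
       TARGQ(DEAD.QUEUE) +
       PUT(ENABLED) GET(DISABLED)
* Name the real queue as the queue manager's dead-letter queue
ALTER QMGR DEADQ(DEAD.QUEUE)

/* RACF commands (issued from TSO)                                   */
/* One profile per queue name, with no default access                */
RDEFINE MQQUEUE hlq.DEAD.QUEUE     UACC(NONE)
RDEFINE MQQUEUE hlq.DEAD.QUEUE.PUT UACC(NONE)
/* Direct access: channel initiator/MCA, CKTI, 'special' application */
PERMIT hlq.DEAD.QUEUE CLASS(MQQUEUE) +
       ID(CHINUSER CKTIUSER DLQPROC) ACCESS(UPDATE)
/* User-written applications: UPDATE on the alias profile only       */
PERMIT hlq.DEAD.QUEUE.PUT CLASS(MQQUEUE) ID(APPUSER) ACCESS(UPDATE)
/* Refresh the in-storage RACF profiles for the class                */
SETROPTS RACLIST(MQQUEUE) REFRESH
```

With these definitions a user-written application puts to DEAD.QUEUE.PUT; an MQGET through the alias is rejected because the alias is GET(DISABLED), and an open of DEAD.QUEUE itself fails the RACF check.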