Secure the WebSphere MQ resources that your configuration requires.
This section does not apply to z/OS.
WebSphere Message Broker depends on a number of WebSphere MQ resources
to operate successfully. You must control access to these resources to ensure
that the product components can access the resources on which they depend,
and that these same resources are protected from other users.
Some authorizations are granted on your behalf when commands are issued.
Others depend on the configuration of your broker domain.
- When you issue the command mqsicreatebroker,
  it grants put and get authority on your behalf to the group mqbrkrs for
  the following queues:
  - SYSTEM.BROKER.ADMIN.QUEUE
  - SYSTEM.BROKER.CONTROL.QUEUE
  - SYSTEM.BROKER.EXECUTIONGROUP.QUEUE
  - SYSTEM.BROKER.EXECUTIONGROUP.REPLY
  - SYSTEM.BROKER.INTERBROKER.QUEUE
  - SYSTEM.BROKER.MODEL.QUEUE
- When you issue the command mqsicreateconfigmgr,
  it grants put and get authority on your behalf to the group mqbrkrs for
  the following queues:
  - SYSTEM.BROKER.CONFIG.QUEUE
  - SYSTEM.BROKER.CONFIG.REPLY
  - SYSTEM.BROKER.ADMIN.REPLY
  - SYSTEM.BROKER.SECURITY.REPLY
  - SYSTEM.BROKER.MODEL.QUEUE
- When you issue the command mqsicreateusernameserver,
  it grants put and get authority on your behalf to the group mqbrkrs for
  the following queues:
  - SYSTEM.BROKER.SECURITY.QUEUE
  - SYSTEM.BROKER.MODEL.QUEUE
- When you issue the command mqsicreateaclentry,
  it grants put and get authority on your behalf to the resource or user that
  you have specified for the command parameters -p or -u for the following queues:
  - SYSTEM.BROKER.CONFIG.QUEUE
  - SYSTEM.BROKER.CONFIG.REPLY
- If you have created WebSphere Message Broker components
to run on different queue managers, the transmission queues that you define
to handle the message traffic between the queue managers must have put and
setall authority granted to the local mqbrkrs group,
or to the service user ID of the component supported by the queue manager
on which the transmission queue is defined.
- When you start the workbench, it connects
  to the Configuration Manager using a WebSphere MQ client/server
  connection. For details of WebSphere MQ channel security, refer to
  "Setting up WebSphere MQ client security" in the WebSphere MQ Clients book.
- When you create and deploy a message flow, grant:
  - get and inq authority to each input queue identified in an MQInput node,
    for the broker's ServiceUserID.
  - put and inq authority to each output queue identified in an MQOutput node,
    or by an MQReply node, for the broker's ServiceUserID.
  - get authority to each output queue identified in an MQOutput node or an
    MQReply node to the user ID under which a receiving or subscribing client
    application runs.
  - put authority to each input queue identified in an MQInput node to the
    user ID under which a sending or publishing client application runs.
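The message flow grants and the transmission queue grant listed above can be generated as WebSphere MQ setmqaut commands for review before anyone runs them. The script below is an added example, not part of the product or its documentation; the function names, the queue manager QM1, the queues and the user IDs brkuser, appsend and apprecv are all constructed.

```shell
#!/bin/sh
# Added example: print (do not run) setmqaut commands for one message flow.
# Queue manager, queue and user names below are constructed.

# MQ object names may contain only A-Z a-z 0-9 . / _ % ; the same check is
# applied to user IDs here as a conservative assumption, so the generated
# lines are safe to review and then pass to a shell.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9._/%]*) return 1 ;;
    esac
}

# grant QMGR QUEUE -p|-g ENTITY AUTH...  prints one setmqaut command line
grant() {
    valid_name "$1" && valid_name "$2" && valid_name "$4" || return 1
    case $3 in -p|-g) ;; *) return 1 ;; esac
    printf 'setmqaut -m %s -n %s -t queue %s %s' "$1" "$2" "$3" "$4"
    shift 4
    for auth in "$@"; do printf ' +%s' "$auth"; done
    printf '\n'
}

# flow_grants QMGR BROKER_ID SENDER_ID RECEIVER_ID
# stdin: "input QUEUE" per MQInput queue, "output QUEUE" per MQOutput/MQReply queue
flow_grants() {
    while read -r kind q; do
        case $kind in
            input)  grant "$1" "$q" -p "$2" get inq &&   # broker's ServiceUserID
                    grant "$1" "$q" -p "$3" put ;;       # sending client
            output) grant "$1" "$q" -p "$2" put inq &&   # broker's ServiceUserID
                    grant "$1" "$q" -p "$4" get ;;       # receiving client
            *)      false ;;                             # unknown line: stop
        esac || return 1
    done
}

# xmitq_grant QMGR XMITQ: put and setall for the local mqbrkrs group
xmitq_grant() { grant "$1" "$2" -g mqbrkrs put setall; }

# Constructed sample: one MQInput queue, one MQOutput queue, one xmit queue.
flow_grants QM1 brkuser appsend apprecv <<'EOF'
input ORDERS.IN
output ORDERS.OUT
EOF
xmitq_grant QM1 QM2.XMITQ
```

On UNIX and Linux queue managers that use group-based authorization, a -p grant is applied to the principal's primary group, so check who else belongs to that group before applying the output.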