Considering security for the workbench

Set up appropriate levels of security for the workbench.

Consider the following factors for deciding which users can take actions within the workbench:

  1. Are you running with domain awareness enabled?
  2. Are you running with domain awareness disabled?
  3. Securing the channel between the workbench and the Configuration Manager

For the highest level of security, run with domain awareness enabled, and with security configured for the connection between the Configuration Manager and the workbench.

Ensure that the IDs of the users who run the workbench are not more than eight characters long.

Are you running with domain awareness enabled?

Run with domain awareness enabled to flow the domain information with the user ID for a workbench user to the Configuration Manager for increased security. Assume that you are running the Configuration Manager on a computer named WKSTN1, which is a member of a domain named DOMAIN1. Users from DOMAIN2 also want to use the workbench. Complete the following steps:

  1. Add any domain users or groups to the local group names that you use in your ACLs.
  2. When you create the Configuration Manager, specify the -m option on the mqsicreateaclentry command to ensure that the domain is considered when verifying the user.

When you start the workbench, it automatically sends the domain information for your user ID to the Configuration Manager. Enable domain awareness in the Configuration Manager to access domain information.

If you are running a Configuration Manager with one user ID and a broker with a different user ID on another computer, you might see an error message when trying to deploy message flows and message sets to the broker. To avoid this problem:
  • Ensure that the broker's user ID is a member of the mqm and mqbrkrs groups.
  • Define the broker's user ID on the computer where the Configuration Manager is running.
  • Define the Configuration Manager user ID on the computer where the broker is running.
  • Ensure that all IDs are in lowercase so that they are compatible between computers.
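The account rules on this page (workbench IDs of at most eight characters, lowercase IDs, broker group membership, and IDs defined on both computers) can be checked before a deployment is attempted. The following Python audit is an added example, not IBM code; the inventory layout and every account name in it are constructed for illustration.

```python
# Added example: audit an account inventory against the rules stated on this page.
# The inventory structure and all account names below are constructed.
MAX_ID_LEN = 8                      # workbench user IDs: at most eight characters
BROKER_GROUPS = {"mqm", "mqbrkrs"}  # groups the broker's user ID must belong to


def check_id(user_id, check_length=False):
    """Return the rule violations for a single user ID."""
    problems = []
    if user_id != user_id.lower():
        problems.append(f"{user_id}: not lowercase")
    if check_length and len(user_id) > MAX_ID_LEN:
        problems.append(f"{user_id}: longer than {MAX_ID_LEN} characters")
    return problems


def audit(inv):
    """Return a list of findings; an empty list means every rule is met."""
    findings = []
    for uid in inv["workbench_users"]:
        findings += check_id(uid, check_length=True)
    broker, cfg = inv["broker"], inv["configmgr"]
    for component in (broker, cfg):
        findings += check_id(component["id"])
    missing = BROKER_GROUPS - set(broker["groups"])
    if missing:
        findings.append(f"{broker['id']}: not in group(s) {', '.join(sorted(missing))}")
    # Each service ID must also be defined on the other component's computer.
    if broker["id"] not in cfg["local_accounts"]:
        findings.append(f"{broker['id']}: not defined on Configuration Manager host")
    if cfg["id"] not in broker["local_accounts"]:
        findings.append(f"{cfg['id']}: not defined on broker host")
    return findings


# Constructed sample inventory with four deliberate rule violations.
SAMPLE = {
    "workbench_users": ["alice", "deployadmin", "Bob"],
    "broker": {"id": "wbrksvc", "groups": ["mqm"], "local_accounts": ["wbrksvc"]},
    "configmgr": {"id": "cfgmgr", "groups": ["mqm", "mqbrkrs"],
                  "local_accounts": ["cfgmgr", "wbrksvc"]},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```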

Are you running with domain awareness disabled?

If you choose to disable domain awareness, domain information for the workbench user does not flow with the user ID information to the Configuration Manager, and security is therefore reduced.

You can specify the -a option on the mqsicreateaclentry command to allow a user to be verified without considering the domain.

To set domain awareness to disabled, answer the following questions:

  1. Are your workbench users drawn from a local domain?
    1. No: Go to the next question.
    2. Yes: Add any users to the local groups that you use in your ACLs.

      Go to Securing the channel between the workbench and the Configuration Manager.

  2. Are your workbench users drawn from another domain?
    1. Yes: Make the other domain a trusted domain of the computer on which the Configuration Manager is running, then add the groups and users from the trusted domain to the local groups of the Configuration Manager.

Turning off workbench domain awareness

The workbench sends the user and domain name to the Configuration Manager queue manager, regardless of the domain awareness setting on the Configuration Manager. This can cause problems connecting to the queue manager because of the security required to connect, put, or get messages.

To turn off the domain awareness on the workbench, start your session in the following way:
  1. Change to the install_dir\eclipse directory.
  2. Run the toolkit using the command mqsistudio -vmargs -DDomainAware=0.
Alternatively, modify the shortcut that starts the workbench by adding -vmargs -DDomainAware=0.

Go to Securing the channel between the workbench and the Configuration Manager.

Securing the channel between the workbench and the Configuration Manager

If you want to secure the connection, you must update the configuration of the SVRCONN channel between the Configuration Manager and the workbench to include the security options you want.

When you create the Configuration Manager, a default SVRCONN channel, SYSTEM.BKR.CONFIG, is created; you can use this channel, or create a new one. If you use a different channel, you must set the new name in the domain connection properties.

Create and enable a pair of security exits to run at the workbench and Configuration Manager ends of the SVRCONN channel that connects the two components. Program these exits to verify workbench users with the security manager on the computer on which the Configuration Manager is running.

For more information about creating and enabling security exits, refer to Security exits.


Copyright IBM Corporation 1999, 2009.
Last updated : 2009-01-07 15:22:49
