This information
does not apply to z/OS®.
WebSphere Message
Broker depends on a number of WebSphere MQ resources to operate successfully.
You must control access to these resources to ensure that the product
components can access the resources on which they depend, and that
these same resources are protected from other users.
Some authorizations
are granted on your behalf when commands are issued. Others depend
on the configuration of your broker domain.
- When you issue the command mqsicreatebroker, it grants
put and get authority on your behalf to the group mqbrkrs for the
following queues:
- SYSTEM.BROKER.ADMIN.QUEUE
- SYSTEM.BROKER.CONTROL.QUEUE
- SYSTEM.BROKER.EXECUTIONGROUP.QUEUE
- SYSTEM.BROKER.EXECUTIONGROUP.REPLY
- SYSTEM.BROKER.INTERBROKER.QUEUE
- SYSTEM.BROKER.MODEL.QUEUE
- When you issue the command mqsicreateconfigmgr it grants
put and get authority on your behalf to the group mqbrkrs for the
following queues:
- SYSTEM.BROKER.CONFIG.QUEUE
- SYSTEM.BROKER.CONFIG.REPLY
- SYSTEM.BROKER.ADMIN.REPLY
- SYSTEM.BROKER.SECURITY.REPLY
- SYSTEM.BROKER.MODEL.QUEUE
- When you issue the command mqsicreateusernameserver, it
grants put and get authority on your behalf to the group mqbrkrs for
the following queues:
- SYSTEM.BROKER.SECURITY.QUEUE
- SYSTEM.BROKER.MODEL.QUEUE
- If you have created WebSphere Message
Broker components to run on different
queue managers, the transmission queues that you define to handle
the message traffic between the queue managers must have put and setall
authority granted to the local mqbrkrs group, or to the service user
ID of the component supported by the queue manager on which the transmission
queue is defined.
- When you start the workbench,
it connects to the Configuration
Manager using
a WebSphere MQ client/server connection.
For details of WebSphere MQ channel security,
see "Setting up WebSphere MQ client security"
in the Clients section of the WebSphere MQ Version 6 information center
online or
the WebSphere MQ Version 5.3 book on
the WebSphere MQ
library Web page.
- When you create and deploy a message flow, grant:
- get and inq authority to each input queue identified in an MQInput node, for the broker's ServiceUserID.
- put and inq authority to each output queue identified in an MQOutput node, or by an MQReply node, for the broker's ServiceUserID.
- get authority to each output queue identified in an MQOutput node or an MQReply node to the user ID
under which a receiving or subscribing client application runs.
- put authority to each input queue identified in an MQInput node to the user ID
under which a sending or publishing client application runs.