Objects used by JMS that require authorization for non-privileged users
Non-privileged users need authorization granted to access the queues used by JMS. Every JMS application needs authorization to the queue manager with which it works.
For details about access control in IBM MQ, see Set up security.
IBM MQ classes for JMS applications need connect and inq authority to the queue manager. We can set appropriate authorizations using the setmqaut control command, for example:

setmqaut -m QM1 -t qmgr -g jmsappsgroup +connect +inq

For the point-to-point domain, the following authorities are required:
- Queues that are used by MessageProducer objects need put authority.
- Queues that are used by MessageConsumer and QueueBrowser objects need get, inq, and browse authorities.
- The QueueSession.createTemporaryQueue() method needs access to the model queue specified by the TEMPMODEL property of the QueueConnectionFactory object. By default this model queue is SYSTEM.TEMP.MODEL.QUEUE.
If any of these queues are alias queues, their target queues require inquire authority. If the target queue is a cluster queue, it also requires browse authority.

For the publish/subscribe domain, the following queues are used if the IBM MQ classes for JMS are connecting to an IBM MQ queue manager in IBM MQ messaging provider migration mode:
- SYSTEM.JMS.ADMIN.QUEUE
- SYSTEM.JMS.REPORT.QUEUE
- SYSTEM.JMS.MODEL.QUEUE
- SYSTEM.JMS.PS.STATUS.QUEUE
- SYSTEM.JMS.ND.SUBSCRIBER.QUEUE
- SYSTEM.JMS.D.SUBSCRIBER.QUEUE
- SYSTEM.JMS.ND.CC.SUBSCRIBER.QUEUE
- SYSTEM.JMS.D.CC.SUBSCRIBER.QUEUE
- SYSTEM.BROKER.CONTROL.QUEUE
For further information on IBM MQ messaging provider migration mode, see Configure the JMS PROVIDERVERSION property.
Additionally, if the IBM MQ classes for JMS are connecting to a queue manager in this mode, any application that publishes messages needs access to the stream queue specified by the TopicConnectionFactory or topic object. By default, this queue is SYSTEM.BROKER.DEFAULT.STREAM.
If we use ConnectionConsumer, IBM MQ Resource Adapter, or the WebSphere Application Server IBM MQ messaging provider, additional authorization might be needed.
Queues to be read by the ConnectionConsumer must have get, inq, and browse authorities. The system dead-letter queue and any backout-requeue queue or report queue used by the ConnectionConsumer must have put and passall authorities.
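The queue manager, point-to-point, alias-target and ConnectionConsumer authorities described above can be turned into a reviewable set of setmqaut commands. The script below is an added example, not IBM's code: it prints the commands rather than running them, so an administrator can inspect the exact profiles being granted before piping the output to sh on the queue manager host. The queue manager name QM1, the group jmsappsgroup, and the APP.* queue names are constructed placeholders; the dead-letter queue name assumes the queue manager's default SYSTEM.DEAD.LETTER.QUEUE.

```shell
# Added example (not IBM's own tooling): generate the setmqaut commands that
# the JMS authorization rules on this page call for. Nothing is executed here;
# review the output, then run it on the queue manager host:  main | sh
# QM1, jmsappsgroup and the APP.* queues are constructed placeholder names.

# Every JMS application: connect and inq on the queue manager.
# Usage: jms_qmgr_auth <qmgr> <group>
jms_qmgr_auth() {
    printf 'setmqaut -m %s -t qmgr -g %s +connect +inq\n' "$1" "$2"
}

# Point-to-point producers: put on each queue a MessageProducer sends to.
# Usage: jms_producer_auth <qmgr> <group> <queue>...
jms_producer_auth() {
    qm=$1; grp=$2; shift 2
    for q in "$@"; do
        printf 'setmqaut -m %s -t queue -n %s -g %s +put\n' "$qm" "$q" "$grp"
    done
}

# MessageConsumer, QueueBrowser and ConnectionConsumer queues: get, inq, browse.
# Usage: jms_consumer_auth <qmgr> <group> <queue>...
jms_consumer_auth() {
    qm=$1; grp=$2; shift 2
    for q in "$@"; do
        printf 'setmqaut -m %s -t queue -n %s -g %s +get +inq +browse\n' "$qm" "$q" "$grp"
    done
}

# Target of an alias queue: inq, plus browse when the target is a cluster queue.
# Usage: jms_alias_target_auth <qmgr> <group> <target-queue> [cluster]
jms_alias_target_auth() {
    auth='+inq'
    [ "${4:-}" = cluster ] && auth='+inq +browse'
    printf 'setmqaut -m %s -t queue -n %s -g %s %s\n' "$1" "$3" "$2" "$auth"
}

# Dead-letter, backout-requeue and report queues used by a ConnectionConsumer:
# put and passall.
# Usage: jms_requeue_auth <qmgr> <group> <queue>...
jms_requeue_auth() {
    qm=$1; grp=$2; shift 2
    for q in "$@"; do
        printf 'setmqaut -m %s -t queue -n %s -g %s +put +passall\n' "$qm" "$q" "$grp"
    done
}

# Whole point-to-point set for one application group, built from the pieces above.
# Usage: jms_app_auth <qmgr> <group> <producer-queues> <consumer-queues>
#   (queue lists are comma-separated; pass '' for none)
jms_app_auth() {
    qm=$1; grp=$2
    jms_qmgr_auth "$qm" "$grp"
    [ -n "$3" ] && jms_producer_auth "$qm" "$grp" $(printf '%s' "$3" | tr ',' ' ')
    [ -n "$4" ] && jms_consumer_auth "$qm" "$grp" $(printf '%s' "$4" | tr ',' ' ')
    return 0
}

# Constructed sample: jmsappsgroup on QM1 sends to APP.REQUEST (an alias whose
# target APP.REQUEST.TARGET is a cluster queue), reads APP.REPLY through a
# ConnectionConsumer, and may requeue to the dead-letter and backout queues.
main() {
    jms_app_auth QM1 jmsappsgroup APP.REQUEST APP.REPLY
    jms_alias_target_auth QM1 jmsappsgroup APP.REQUEST.TARGET cluster
    jms_requeue_auth QM1 jmsappsgroup SYSTEM.DEAD.LETTER.QUEUE APP.BACKOUT
}

main
```

Each command names a single queue profile and a group rather than a wildcard profile or an individual principal, which keeps the grant at the minimum the page describes; after applying the output, the effective authorities can be confirmed with the dspmqaut command, for example dspmqaut -m QM1 -t queue -n APP.REPLY -g jmsappsgroup.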
When an application uses IBM MQ messaging provider normal mode to perform publish/subscribe messaging, the application makes use of the integrated publish/subscribe functionality provided by the queue manager. See Publish/subscribe security for information on securing the topics and queues that are used.
Parent topic: Post installation setup for IBM MQ classes for JMS applications