Security profiles required for a batch application
Additional security profiles required for a batch implementation of the two queue manager scenario.
The batch application runs under user ID BATCHID on QM1. It connects to queue manager QM1 and puts messages to the following queues:
- LQ1
- RQA
- RQB
- RQC
It uses the MQPMO_SET_ALL_CONTEXT option. The alternate user ID found in the UserIdentifier field of the message descriptor (MQMD) is MSGUSR.
The following profiles are required on queue manager QM1:
Class Profile User ID Access MQCONN QM1.BATCH BATCHID READ MQADMIN QM1.CONTEXT.** BATCHID CONTROL MQQUEUE QM1.LQ1 BATCHID UPDATE MQQUEUE QM1.RQA BATCHID UPDATE MQQUEUE QM1.RQB BATCHID UPDATE MQQUEUE QM1.RQC BATCHID UPDATE The following profiles are required on queue manager QM2 for messages put to queue RQA on queue manager QM1 (for the TCP/IP channel not using TLS):
Notes:
Class Profile User ID Access MQADMIN QM2.ALTERNATE.USER.MSGUSR MCATCP MOVER2 UPDATE MQADMIN QM2.CONTEXT.** MCATCP MOVER2 CONTROL MQQUEUE QM2.LQA MOVER2 MSGUSR UPDATE MQQUEUE QM2.DLQ MOVER2 MSGUSR UPDATE
- The user ID passed in the MQMD of the message is used as the user ID for the MQPUT1 on queue manager QM2 because the receiver channel was defined with PUTAUT(CTX) and MCAUSER(MCATCP).
- The MCAUSER field of the receiver channel definition is set to MCATCP; this user ID is used in addition to the channel initiator address space user ID for the checks carried out against the alternate user ID and context profile.
- The MOVER2 user ID and the UserIdentifier in the message descriptor (MQMD) are used for the resource checks against the queue.
- The MOVER2 and MSGUSR user IDs both need access to the dead-letter queue so that messages that cannot be put to the destination queue can be sent there.
- Two user IDs are checked on all three checks performed because RESLEVEL is set to NONE.
The following profiles are required on queue manager QM2 for messages put to queue RQB on queue manager QM1 (for the LU 6.2 channel):
Notes:
Class Profile User ID Access MQADMIN QM2.ALTERNATE.USER.MSGUSR MCALU62 MOVER1 UPDATE MQADMIN QM2.CONTEXT.** MCALU62 MOVER1 CONTROL MQQUEUE QM2.LQB MOVER1 MSGUSR UPDATE MQQUEUE QM2.DLQ MOVER1 MSGUSR UPDATE
- The user ID passed in the MQMD of the message is used as the user ID for the MQPUT1 on queue manager QM2 because the receiver channel was defined with PUTAUT(CTX) and MCAUSER(MCALU62).
- The MCA user ID is set to the value of the MCAUSER field of the receiver channel definition (MCALU62).
- Because LU 6.2 supports security on the communications system for the channel, the user ID received from the network is used as the channel user ID (MOVER1).
- Two user IDs are checked on all three checks performed because RESLEVEL is set to NONE.
- MCALU62 and MOVER1 are used for the checks performed against the alternate user ID and Context profiles, and MSGUSR and MOVER1 are used for the checks against the queue profile.
- The MOVER1 and MSGUSR user IDs both need access to the dead-letter queue so that messages that cannot be put to the destination queue can be sent there.
The following profiles are required on queue manager QM2 for messages put to queue RQC on queue manager QM1 (for the TCP/IP channel using TLS):
Notes:
Class Profile User ID Access MQADMIN QM2.ALTERNATE.USER.MSGUSR MCASSL CERTID UPDATE MQADMIN QM2.CONTEXT.** MCASSL CERTID CONTROL MQQUEUE QM2.LQC CERTID MSGUSR UPDATE MQQUEUE QM2.DLQ CERTID
MSGUSRUPDATE
- The user ID passed in the MQMD of the message is used as the user ID for the MQPUT1 on queue manager QM2 because the receiver channel was defined with PUTAUT(CTX) and MCAUSER(MCASSL).
- The MCA user ID is set to the value of the MCAUSER field of the receiver channel definition (MCASSL).
- Because the certificate flowed by the channel from QM1 as part of the TLS handshake might be installed on QM2's system, or might match a certificate name filter on QM2's system, the user ID found during that matching is used as the channel user ID (CERTID).
- Two user IDs are checked on all three checks performed because RESLEVEL is set to NONE.
- MCASSL and CERTID are used for the checks performed against the alternate user ID and Context profiles, and MSGUSR and MOVER1 are used for the checks against the queue profile.
- The CERTID and MSGUSR user IDs both need access to the dead-letter queue so that messages that cannot be put to the destination queue can be sent there.
Parent topic: Security profiles and accesses required for the two queue manager scenario