User ID timeouts
We can make IBM MQ sign a user off a queue manager after a period of inactivity.
When a user accesses an IBM MQ resource, the queue manager tries to sign this user on to the queue manager (if subsystem security is active). This means that the user is authenticated to the ESM. This user remains signed on to IBM MQ until either the queue manager is shut down, or until the user ID is timed out (the authentication lapses) or reverified (reauthenticated).
When a user is timed out, the user ID is signed off within the queue manager and any security-related information retained for this user is discarded. The signing on and off of the user within the queue manager is not apparent to the application program or to the user.
Users are eligible for timeout when they have not used any IBM MQ resources for a predetermined amount of time. This time period is set by the MQSC ALTER SECURITY command.
Two values can be specified in the ALTER SECURITY command:
- TIMEOUT: The time period in minutes that an unused user ID and its associated resources can remain within the IBM MQ queue manager.
- INTERVAL: The time period in minutes between checks for user IDs and their associated resources, to determine whether the TIMEOUT has expired.
For example, if the TIMEOUT value is 30 and the INTERVAL value is 10, every 10 minutes IBM MQ checks user IDs and their associated resources to determine whether any have not been used for 30 minutes. If a timed-out user ID is found, that user ID is signed off within the queue manager. If any timed-out resource information associated with non-timed-out user IDs is found, that resource information is discarded.
If we do not want to time out user IDs, set the INTERVAL value to zero. However, if the INTERVAL value is zero, storage occupied by user IDs and their associated resources is not freed until we issue a REFRESH SECURITY or RVERIFY SECURITY command.
Tuning these values can be important if you have many one-off users. If you set small INTERVAL and TIMEOUT values, resources that are no longer required are freed.
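The following added example (not IBM code) models the TIMEOUT(30) INTERVAL(10) check cycle described above, to show when a user ID's cached security information is actually dropped. It assumes that checks fire at multiples of INTERVAL counted from minute 0 and that a user ID is timed out once its idle time is at least TIMEOUT; the user IDs are constructed.

```python
# Model of the periodic check driven by, for example:
#   ALTER SECURITY TIMEOUT(30) INTERVAL(10)
# Assumptions (not from IBM): checks fire at multiples of INTERVAL counted
# from minute 0, and a user ID is timed out when idle time >= TIMEOUT.

def simulate(activity, timeout, interval, horizon):
    """Replay resource accesses against the periodic timeout check.

    activity: {user_id: [minutes at which the user ID used an MQ resource]}
    Returns (signoffs, still_cached) where signoffs is a list of
    (check_minute, user_id, idle_minutes) and still_cached lists the user
    IDs whose security information is still held at `horizon`.
    """
    events = sorted((t, u) for u, times in activity.items() for t in times)
    last_use = {}   # signed-on user ID -> minute of most recent access
    signoffs = []
    nxt = 0

    def apply_until(now):
        nonlocal nxt
        while nxt < len(events) and events[nxt][0] <= now:
            minute, user = events[nxt]
            last_use[user] = minute   # access signs on or resets idle time
            nxt += 1

    # INTERVAL(0) means no checks run, so nothing is ever timed out.
    checks = range(interval, horizon + 1, interval) if interval > 0 else ()
    for now in checks:
        apply_until(now)
        for user in sorted(last_use):
            idle = now - last_use[user]
            if idle >= timeout:
                signoffs.append((now, user, idle))
                del last_use[user]
    apply_until(horizon)
    return signoffs, sorted(last_use)


# Constructed sample activity (user IDs are made up).
SAMPLE = {"BATCH01": [5], "CICSUSR": [2, 18, 33], "ONEOFF": [12]}

if __name__ == "__main__":
    for t, i in ((30, 10), (30, 0)):
        offs, cached = simulate(SAMPLE, t, i, horizon=80)
        print(f"TIMEOUT({t}) INTERVAL({i}): signoffs={offs} cached={cached}")
```

Under this model a user ID is signed off after between TIMEOUT and just under TIMEOUT + INTERVAL minutes of inactivity, and with INTERVAL(0) every user ID stays cached for the whole run.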
Note: If we use values for INTERVAL or TIMEOUT other than the defaults, we must reenter the command at every queue manager startup. We can do this automatically by putting the ALTER SECURITY command in the CSQINP1 data set for that queue manager.