Stopping unauthorized queue managers putting messages on your queues

Use the channel put authority attribute on the cluster-receiver channel to stop unauthorized queue managers putting messages on your queues. Authorize a remote queue manager by checking the user ID in the message using RACF on z/OS, or the OAM on other platforms.


Use the security facilities of a platform and the access control mechanism in IBM MQ to control access to queues.


Procedure

  1. To prevent certain queue managers from putting messages on a queue, use the security facilities available on the platform. For example:

    • RACF or other external security managers on IBM MQ for z/OS
    • The object authority manager (OAM) on other platforms.

  2. Use the put authority, PUTAUT, attribute on the CLUSRCVR channel definition.

    The PUTAUT attribute allows you to specify what user identifiers are to be used to establish authority to put a message to a queue.

    The options on the PUTAUT attribute are:

      DEF
      Use the default user ID. On z/OS, the check might involve using both the user ID received from the network and that derived from MCAUSER.

      CTX
      Use the user ID in the context information associated with the message. On z/OS, the check might involve using either the user ID received from the network, or that derived from MCAUSER, or both. Use this option if the link is trusted and authenticated.

      ONLYMCA (z/OS only)
      As for DEF, but any user ID received from the network is not used. Use this option if the link is not trusted and you want to allow only a specific set of actions on it, which are defined for the MCAUSER.

      ALTMCA (z/OS only)
      As for CTX, but any user ID received from the network is not used.
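
The two steps above applied on a platform that uses the OAM, as an added MQSC example that is not part of the original topic. The channel name CLUSTER.QM1, the queue APP.ORDERS and the user IDs appuser and batchusr are constructed, and the channel's MCA user is assumed to be already authorized to put messages on behalf of other user IDs.

```mqsc
* Added example. Constructed names: CLUSTER.QM1 (cluster-receiver channel),
* APP.ORDERS (local queue), appuser (user ID allowed to put),
* batchusr (user ID that must not put).

* 1. Record the current settings before changing anything.
*    PUTAUT(DEF) means the default user ID is used for the check,
*    not the user ID carried in the message.
DISPLAY CHANNEL(CLUSTER.QM1) PUTAUT MCAUSER

* 2. Have the put authority check use the user ID in the message
*    context. Use CTX only if the link is trusted and authenticated.
*    The change applies the next time the channel starts.
ALTER CHANNEL(CLUSTER.QM1) CHLTYPE(CLUSRCVR) PUTAUT(CTX)

* 3. Grant put authority on the queue to the intended user ID only.
SET AUTHREC PROFILE('APP.ORDERS') OBJTYPE(QUEUE) +
    PRINCIPAL('appuser') AUTHADD(PUT)

* 4. Remove put authority from a user ID that should not reach the queue.
SET AUTHREC PROFILE('APP.ORDERS') OBJTYPE(QUEUE) +
    PRINCIPAL('batchusr') AUTHRMV(PUT)

* 5. Verify the channel setting and the authority records the OAM
*    now holds for the queue.
DISPLAY CHANNEL(CLUSTER.QM1) PUTAUT MCAUSER
DISPLAY AUTHREC PROFILE('APP.ORDERS') OBJTYPE(QUEUE)
```
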
