Authorizing putting messages on remote cluster queues
On z/OS set up authorization to put to a cluster queue using RACF . On other platforms, authorize access to connect to the queue managers, and to put to the queues on those queue managers.
About this task
The default behavior is to perform access control against the SYSTEM.CLUSTER.TRANSMIT.QUEUE. Note that this behavior applies, even if we are using multiple transmission queues.
The specific behavior described in this topic applies only when you have configured the ClusterQueueAccessControl attribute in the qm.ini file to be RQMName, as described in the Security stanza topic, and restarted the queue manager.
Procedure
- For z/OS, issue the following commands:
RDEFINE MQQUEUE QMgrName.QUEUE. QueueName UACC(NONE) PERMIT QMgrName.QUEUE. QueueName CLASS(MQADMIN) ID(GroupName) ACCESS(UPDATE)- For UNIX, Linux, and Windows systems, issue the following commands:
setmqaut -m QMgrName -t qmgr -g GroupName +connect setmqaut -m QMgrName -t queue -n QueueName -g GroupName -all +put- For IBM i, issue the following commands:
GRTMQMAUT OBJ(' QMgrName ') OBJTYPE(*MQM) USER(GroupName) AUT(*CONNECT) GRTMQMAUT OBJ(' QueueName ') OBJTYPE(*Q) USER(GroupName) AUT(*PUT) MQMNAME(' QMgrName ')The user can put messages only to the specified cluster queue, and no other cluster queues. The variable names have the following meanings:
- QMgrName
- The name of the queue manager. On z/OS, this value can also be the name of a queue sharing group.
- GroupName
- The name of the group to be granted access.
- QueueName
- Name of the queue or generic profile for which to change authorizations.
What to do next
If you specify a reply-to queue when you put a message on a cluster queue, the consuming application must have authority to send the reply. Set this authority by following the instructions in Granting authority to put messages to a remote cluster queue.
Parent topic: Keeping clusters secure
Related information