Object authority manager (OAM)
Overview

The authorization service component supplied with the WebSphere MQ products is called the Object Authority Manager (OAM). By default, the OAM is active and works with the control commands:

  dspmqaut   - display authority
  dspmqmaut  - display object authority
  dmpmqaut   - dump object authority
  grtmqmaut  - grant object authority
  rvkmqmaut  - revoke object authority
  setmqaut   - set and reset authority

The OAM works with the entity of a principal or group. These entities vary from platform to platform.

When an MQI request is made or a command is issued, the OAM checks the authorization of the entity associated with the operation to see whether it can:

  1. Perform the requested operation.
  2. Access the specified queue manager resources.

The authorization service enables you to augment or replace the authority checking provided for queue managers by writing your own authorization service component.
Defining the service to the operating system

The authorization service stanzas in qm.ini define the authorization service to the queue manager.
Refreshing the OAM after changing a user's authorization

In WebSphere MQ, you can update the OAM's authorization group information immediately after changing a user's authorization group membership, reflecting changes made at the operating system level, without needing to stop and restart the queue manager.

When you change authorizations with the setmqaut command, the OAM implements such changes immediately. Queue managers store authorization data on a local queue called SYSTEM.AUTH.DATA.QUEUE. This data is managed by amqzfuma
Migrating from MQSeries

All authorization data is migrated from the authorization files to the authorization queue the first time that you restart the queue manager after migrating from MQSeries. If the OAM detects a missing file:

  1. If the authorization applies to a single object, the OAM gives the mqm group (or Administrator on Windows systems) access to the object and continues with the migration. Message AMQ5528 is written to the queue manager's error log.

  2. If the authorization applies to a class of objects, the OAM stops the migration. The queue manager does not start until the file has been replaced.
Continuing to store authorization data in files

You can continue to store authorization data in files, but this affects the performance of the OAM. Storing authorization data on a local queue reduces the time needed to check an authorization. Furthermore, if you continue to store your authorization data in files, you cannot use generic profiles, limiting the flexibility with which you can apply authorizations. For information on the uses of generic profiles, see Using OAM generic profiles.

The default OAM service module is amqzfu on UNIX systems, or amqzfu.dll on Windows systems. WebSphere MQ also provides the previous service module as amqzfu0 (amqzfu0.dll). There are two ways in which you can use the previous module to continue to store authorization data in files:

  1. Modify the Module attribute in the ServiceComponent stanza of the qm.ini file (Registry entry on Windows systems) to use amqzfu0 (amqzfu0.dll). This option is possible only for queue managers created with a version of MQSeries before Version 5.2.

  2. Replace the amqzfu (amqzfu.dll) module with the previous version by:

    1. Removing the new amqzfu module.
    2. Renaming amqzfu0 to amqzfu.

    You can restore the new amqzfu module from the copy provided as amqzfu1 (amqzfu1.dll).

Once you have created or restarted a queue manager with the new amqzfu module, you can no longer replace it with the previous version. The migration process is not reversible.
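As an added example (not part of the IBM documentation), the POSIX shell check below reads a qm.ini and reports whether the authorization service is configured with the default queue-based module (amqzfu), the previous file-based module (amqzfu0), or something else. It assumes the ServiceComponent stanza layout with Service=, Name= and Module= attributes and builds its own sample qm.ini rather than reading a real queue manager's file.

```shell
#!/bin/sh
# Constructed sample qm.ini for the demonstration; $1 is the Module value.
# The stanza names and attribute names are assumed from the qm.ini layout.
sample_qm_ini() {
  cat <<EOF
Service:
   Name=AuthorizationService
   EntryPoints=14
ServiceComponent:
   Service=AuthorizationService
   Name=MQSeries.UNIX.auth.service
   Module=$1
   ComponentDataSize=0
EOF
}

# Print the Module= value of the ServiceComponent stanza whose Service is
# AuthorizationService. $1 is the path of the qm.ini to inspect.
oam_module() {
  awk '
    /^[A-Za-z]+:/ { in_sc = ($1 == "ServiceComponent:"); svc = ""; mod = ""; next }
    in_sc && /^[ \t]*Service=/ { sub(/^[ \t]*Service=/, ""); svc = $0 }
    in_sc && /^[ \t]*Module=/  { sub(/^[ \t]*Module=/, ""); mod = $0 }
    in_sc && svc == "AuthorizationService" && mod != "" { print mod; exit }
  ' "$1"
}

# Classify the configured module: amqzfu keeps authorizations on
# SYSTEM.AUTH.DATA.QUEUE and supports generic profiles; amqzfu0 keeps the
# older file store, which is slower and cannot use generic profiles.
oam_status() {
  case "$(oam_module "$1")" in
    amqzfu|amqzfu.dll)   echo "queue-based" ;;
    amqzfu0|amqzfu0.dll) echo "file-based" ;;
    "")                  echo "not-configured" ;;
    *)                   echo "custom" ;;
  esac
}
```

Run oam_status against /var/mqm/qmgrs/<QMGR>/qm.ini (the usual UNIX location) to find queue managers still on the file-based module; on Windows the same attribute lives in the Registry rather than in qm.ini.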
WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.