Set up the WebSphere MQ Explorer
Prerequisite software
Before you can use the WebSphere MQ Explorer, have the following installed on your computer:
- The Microsoft Management Console Version 1.1 or higher (installed as part of WebSphere MQ for Windows installation)
- Internet Explorer Version 4.01 (SP1) or later (installed as part of WebSphere MQ for Windows installation)
The WebSphere MQ Explorer can connect to remote queue managers using the TCP/IP communication protocol only.
Platforms and command levels include:
Platform Command level AIX and UNIX variants Command level 221 and above Windows systems Command level 201 and above The WebSphere MQ Explorer handles the differences in the capabilities between the different command levels and platforms. However, if it encounters a value that it does not recognize as an attribute for an object, you cannot change the value of that attribute.
Required definitions for administration
Ensure that you have satisfied the following requirements before trying to use the WebSphere MQ Explorer. Check that:
- A command server is running for any queue manager being administered.
- A suitable TCP/IP listener exists for every remote queue manager. This can be the WebSphere MQ listener or the inetd daemon as appropriate.
- The server-connection channel, called SYSTEM.ADMIN.SVRCONN, exists on every remote queue manager. This channel is mandatory for every remote queue manager being administered. Without it, remote administration is not possible.
You can create the channel using the following MQSC command:
DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN)This command creates a basic channel definition. If you want a more sophisticated definition (to set up security, for example), you need additional parameters.
Cluster membership
The WebSphere MQ Explorer needs to maintain up-to-date administration data about clusters so that it can communicate effectively with them and display correct cluster information when requested. In order to do this, the WebSphere MQ Explorer needs the following information from you:
- The name of a repository queue manager
- The connection name of the repository queue manager if it is on a remote queue manager
With this information, the WebSphere MQ Explorer can:
- Use the repository queue manager to obtain a list of queue managers in the cluster.
- Administer the queue managers that are members of the cluster and are on supported platforms and command levels.
Administration is not possible if:
- The chosen repository becomes unavailable. The WebSphere MQ Explorer does not switch to an alternative repository.
- The chosen repository cannot be contacted over TCP/IP.
- The chosen repository is running on a queue manager that is running on a platform and command level not supported by the WebSphere MQ Explorer.
The cluster members that can be administered can be local, or they can be remote if they can be contacted using TCP/IP. The WebSphere MQ Explorer connects to local queue managers that are members of a cluster directly, without using a client connection.
Security
If you are using WebSphere MQ in an environment where it is important for you to control user access to particular objects, you might need to consider the security aspects of using the WebSphere MQ Explorer.
Authorization to run the WebSphere MQ Explorer
Before the WebSphere MQ Explorer is enabled, :
- Ensure that chosen users have the correct level of authorization. This means being one of the following:
- A member of the mqm group
- A member of the Administrators group on the machine running the WebSphere MQ Explorer
Group membership at logon time is used for authorization purposes. If you change the membership so that a user can access the WebSphere MQ Explorer, that user must log off and log back on again.
Security for connecting to remote queue managers
The WebSphere MQ Explorer connects to remote queue managers as an MQI client application. This means that each remote queue manager must have a definition of a server-connection channel and a suitable TCP/IP listener. If you do not specify a nonblank value for the MCAUSER attribute of the channel, or use a security exit, it is possible for a malicious application to connect to the same server connection channel and gain access to the queue manager objects with unlimited authority.
The default value of the MCAUSER attribute is a blank. If you specify a nonblank user name as the MCAUSER attribute of the server connection channel, all programs connecting to the queue manager using this channel run with the identity of the named user and have the same level of authority.
Using a security exit
A more flexible approach is to install a security exit on the server-connection channel SYSTEM.ADMIN.SVRCONN on each queue manager that is to be administered remotely.
Data conversion
When the connection to a queue manager is established, the queue manager's CCSID is also established. This enables the WebSphere MQ Explorer to perform any character set conversions needed to display the data from remote queue managers correctly.
The tables for converting from the UNICODE CCSID to the queue manager CCSID (and vice versa) must be available to the WebSphere MQ Explorer machine otherwise the WebSphere MQ Explorer cannot communicate with the queue manager.
An error message is issued if you try to establish a connection between the WebSphere MQ Explorer and a queue manager with a CCSID that the WebSphere MQ Explorer does not recognize.
WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.
AIX is a trademark of the IBM Corporation in the United States, other countries, or both.