Channel security

Overview

The user IDs associated with message channel agents (MCAs) need authority to access various WebSphere MQ resources.

An MCA must be able to connect to a queue manager and open the dead letter queue. If it is a sending MCA, it must be able to open the transmission queue for the channel. If it is a receiving MCA, it must be able to open destination queues and set context information in the messages it puts on those queues.

If the PUTAUT parameter is set to CTX (or ALTMCA on z/OS) in the channel definition at the receiving end of a channel, the user ID in the UserIdentifier field in the message descriptor of each incoming message needs authority to open the destination queue for the message. In addition, the user ID associated with the receiving MCA needs alternate user authority to open the destination queue using the authority of a different user ID.

On an MQI channel, the user ID associated with the server connection MCA needs authority to issue MQI calls on behalf of the client application.

The user ID that is used for authority checks depends on whether the MCA is connecting to a queue manager or accessing queue manager resources after it has connected to a queue manager:

  1. The user ID for connecting to a queue manager

    The user ID whose authority is checked when an MCA connects to a queue manager is the one under which the MCA is running.

    This is known as the default user ID of the MCA. The default user ID might be derived in various ways. Here are some examples:

    • If a caller MCA is started by a channel initiator, the MCA runs under the same user ID as that of the channel initiator. This user ID might be derived in various ways.

      For example, if the channel initiator is started by using the WebSphere MQ Services snap-in on Windows systems, it runs under the MUSER_MQADMIN user ID. This user ID is created when you install WebSphere MQ for Windows and is a member of the mqm group.

    • If a responder MCA is started by a WebSphere MQ listener, the MCA runs under the same user ID as that of the listener.

    • If the communications protocol for the channel is TCP/IP and a responder MCA is started by the inet daemon, the MCA runs under the user ID obtained from the entry in the inetd.conf file that was used to start the MCA.

    • If the communications protocol for the channel is SNA LU 6.2, a responder MCA might run under the user ID contained in the inbound attach request, or under the user ID specified in the transaction program (TP) definition for the MCA.

    After an MCA has connected to a queue manager, it accesses certain queue manager resources as part of its initialization processing. The default user ID of the MCA is also used for the authority checks when it opens these resources. To enable the MCA to access these resources, ensure that the default user ID is a member of the QMQMADM group on OS/400, the mqm group on UNIX and Windows systems, or the Administrators group on Windows systems.

    On z/OS, every task in the channel initiator address space that needs to connect to the queue manager does so when the channel initiator address space is started. This includes the dispatcher tasks that run as MCAs. The channel initiator address space user ID is used to check the authority of a task to connect to the queue manager.

  2. The user ID for subsequent authority checks

    After an MCA has connected to a queue manager, the user ID whose authority is checked when the MCA accesses queue manager resources subsequently might be different from the one that was checked when the MCA connected to the queue manager.

    In addition, on z/OS, zero, one, or two user IDs might be checked, depending on the access level of the channel initiator address space user ID to the RESLEVEL profile. Here are some examples of other user IDs that might be used:

    • The value of the MCAUSER parameter in the channel definition

    • For a receiving MCA, the user ID in the UserIdentifier field in the message descriptor of each incoming message, if the PUTAUT parameter is set to CTX (or ALTMCA on z/OS) in the channel definition at the receiving end of a channel

    • For a server connection MCA, the user ID that is received from a client system when a WebSphere MQ client application issues an MQCONN call
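The two rules above (which user ID is checked at connect time versus afterwards, and which objects an MCA must be able to open) can be made concrete in code. The following Python is an added example written for this page, not IBM's documentation or any WebSphere MQ API; the channel definitions are constructed sample data, and the authority names used (connect, put, get, setall, altusr) are the OAM authorization names.

```python
# Added example, not from the IBM documentation: a model of which user ID is
# subject to authority checks for a message channel agent (MCA) and which
# queue manager objects that ID must be able to open, following the rules in
# the text above. Channel definitions are constructed sample data.
SENDING = {"SDR", "SVR", "CLUSSDR"}
RECEIVING = {"RCVR", "RQSTR", "CLUSRCVR"}

def connect_user(channel):
    """User ID checked at MQCONN time: the MCA's default user ID, i.e. the
    channel initiator, listener or inetd user the MCA was started under."""
    return channel["default_user"]

def subsequent_user(channel, msg_userid=None, client_userid=None):
    """User ID checked once the MCA is connected: MCAUSER overrides the
    default; PUTAUT(CTX) on a receiving channel uses the UserIdentifier of
    each incoming message; a SVRCONN channel uses the ID the client sent."""
    if channel.get("mcauser"):
        return channel["mcauser"]
    if channel["type"] in RECEIVING and channel.get("putaut") == "CTX":
        if not msg_userid:
            raise ValueError("PUTAUT(CTX): message UserIdentifier required")
        return msg_userid
    if channel["type"] == "SVRCONN" and client_userid:
        return client_userid
    return channel["default_user"]

def required_authorities(channel):
    """(who, object type, object name, authority) tuples the MCA needs.
    'mca' is the MCA's own user ID; 'message' is the incoming message's
    UserIdentifier, which only matters when PUTAUT(CTX) is in effect."""
    auths = [("mca", "qmgr", channel["qmgr"], "connect"),
             ("mca", "queue", channel["dlq"], "put")]
    if channel["type"] in SENDING:
        auths.append(("mca", "queue", channel["xmitq"], "get"))
    if channel["type"] in RECEIVING:
        for q in channel["dest_queues"]:
            auths += [("mca", "queue", q, "put"), ("mca", "queue", q, "setall")]
            if channel.get("putaut") == "CTX":
                # MCA opens the queue under the message's ID: altusr for the MCA,
                # open authority for the message's UserIdentifier
                auths += [("mca", "queue", q, "altusr"), ("message", "queue", q, "put")]
    return auths

# Constructed sample channel definitions (not from a real queue manager).
RCVR_CTX = {"name": "TO.QM1", "type": "RCVR", "qmgr": "QM1", "default_user": "mqlsr",
            "dlq": "SYSTEM.DEAD.LETTER.QUEUE", "putaut": "CTX", "mcauser": "",
            "dest_queues": ["APP.INPUT"]}
SVRCONN = {"name": "APP.SVRCONN", "type": "SVRCONN", "qmgr": "QM1",
           "default_user": "mqm", "dlq": "SYSTEM.DEAD.LETTER.QUEUE", "mcauser": ""}
```

Running `required_authorities` over each channel definition gives the list of grants to verify before enabling the channel; setting MCAUSER on the SVRCONN entry shows how it takes precedence over the client-supplied ID.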

Access to channels, channel initiators, listeners, and clusters is not controlled by the OAM. This means that the authority to use PCF commands such as:

is not checked by the OAM. Instead, the user ID in the UserIdentifier field in the message descriptor of a PCF command must be a member of the QMQMADM group, if the command is processed on OS/400, or a member of the mqm group, if the command is processed on a UNIX or Windows system. Alternatively, on OS/400, the user ID can have *ALLOBJ authority and, on Windows systems, the user ID can be a member of the Administrators group. The equivalent MQSC commands encapsulated within an Escape PCF command are treated in the same way.


WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.


IBM is a trademark of the IBM Corporation in the United States, other countries, or both.