Security considerations

You need to consider the following points when setting up authorities for the users in your enterprise:

  1. Grant and revoke authorities to the WebSphere MQ for iSeries commands using the OS/400 GRTOBJAUT and RVKOBJAUT commands.

  2. During installation of WebSphere MQ for iSeries, the following special user profiles are created:

    QMQM

    Is used primarily for internal product-only functions. However, it can be used to run trusted applications using MQCNO_FASTPATH_BINDINGS; see the WebSphere MQ Application Programming Guide for further information.

    QMQMADM

    Is used as a group profile for administrators of WebSphere MQ. The group profile gives access to CL commands and WebSphere MQ resources.

  3. If you are sending channel commands to remote queue managers, ensure that your user profile is a member of the group QMQMADM on the target system. For a list of PCF and MQSC channel commands, see Channel command security.

  4. The group set associated with a user is cached when the group authorizations are computed by the OAM.

    Any changes made to a user's group memberships after the group set has been cached are not recognized until you restart the queue manager or execute RFRMQMAUT to refresh security.

  5. Limit the number of users who have authority to work with commands that are particularly sensitive. These commands include:

    • Create Message Queue Manager (CRTMQM)

    • Delete Message Queue Manager (DLTMQM)

    • Start Message Queue Manager (STRMQM)

    • End Message Queue Manager (ENDMQM)

    • Start Command Server (STRMQMCSVR)

    • End Command Server (ENDMQMCSVR)

  6. Channel definitions contain a security exit program specification. Channel creation and modification require special consideration. Details of security exits are given in WebSphere MQ Intercommunication.

  7. The channel exit and trigger monitor programs can be substituted. The security of such replacements is the responsibility of the programmer.
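
The following CL sequence is an added example, not part of the original documentation. It applies points 1, 4 and 5 together: public authority to the sensitive commands is revoked, one named operator is granted use of them, and the OAM's cached group set is refreshed after a group membership change. The user profile MQOPER1 and the queue manager name QM1 are hypothetical, the commands are located through *LIBL, and the MQMNAME keyword on RFRMQMAUT is assumed to match the other WebSphere MQ CL commands.

```cl
PGM
  /* Added example. MQOPER1 and QM1 are hypothetical names.          */

  /* Point 5: remove *PUBLIC access to each sensitive command, then  */
  /* grant *USE to the single operator profile that needs it.        */
  RVKOBJAUT OBJ(*LIBL/CRTMQM)     OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
  GRTOBJAUT OBJ(*LIBL/CRTMQM)     OBJTYPE(*CMD) USER(MQOPER1) AUT(*USE)

  RVKOBJAUT OBJ(*LIBL/DLTMQM)     OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
  GRTOBJAUT OBJ(*LIBL/DLTMQM)     OBJTYPE(*CMD) USER(MQOPER1) AUT(*USE)

  RVKOBJAUT OBJ(*LIBL/STRMQM)     OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
  GRTOBJAUT OBJ(*LIBL/STRMQM)     OBJTYPE(*CMD) USER(MQOPER1) AUT(*USE)

  RVKOBJAUT OBJ(*LIBL/ENDMQM)     OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
  GRTOBJAUT OBJ(*LIBL/ENDMQM)     OBJTYPE(*CMD) USER(MQOPER1) AUT(*USE)

  RVKOBJAUT OBJ(*LIBL/STRMQMCSVR) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
  GRTOBJAUT OBJ(*LIBL/STRMQMCSVR) OBJTYPE(*CMD) USER(MQOPER1) AUT(*USE)

  RVKOBJAUT OBJ(*LIBL/ENDMQMCSVR) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
  GRTOBJAUT OBJ(*LIBL/ENDMQMCSVR) OBJTYPE(*CMD) USER(MQOPER1) AUT(*USE)

  /* Check the result for one command; repeat for the others and     */
  /* confirm that only the intended profiles are listed.             */
  DSPOBJAUT OBJ(*LIBL/DLTMQM) OBJTYPE(*CMD) OUTPUT(*PRINT)

  /* Points 3 and 4: add the operator to the QMQMADM group.          */
  /* SUPGRPPRF replaces the profile's whole supplemental group list, */
  /* so include any groups the profile must keep.                    */
  CHGUSRPRF USRPRF(MQOPER1) SUPGRPPRF(QMQMADM)

  /* The OAM has cached the old group set; refresh security so the   */
  /* new membership is recognized without a queue manager restart.   */
  /* MQMNAME keyword is an assumption; QM1 is a hypothetical name.   */
  RFRMQMAUT MQMNAME(QM1)
ENDPGM
```

Because members of QMQMADM already receive access to the CL commands through the group profile, review that group's membership as part of the same exercise.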