
API-resource security

Resources are checked when an application opens an object with an MQOPEN or an MQPUT1 call. The access needed to open an object depends on what open options are specified when the queue is opened.

API-resource security is subdivided into the following checks: queue security, process security, namelist security, alternate user security, and context security.

No security checks are performed when opening the queue manager object or when accessing storage class objects.


Queue security

Queue security checking controls who is allowed to open which queue, and what options they are allowed to open it with. For example, a user might be allowed to open a queue called PAYROLL.INCREASE.SALARY to browse the messages on the queue (using the MQOO_BROWSE option), but not to remove messages from the queue (using one of the MQOO_INPUT_* options). If you turn checking for queues off, any user can open any queue with any valid open option (that is, any valid MQOO_* option on an MQOPEN or MQPUT1 call).

You can turn queue security checking on or off at either queue manager or queue-sharing group level.
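The following is an added example, not IBM code, that models the queue security decision described above: the required permission is derived from the MQOO_* options on the MQOPEN or MQPUT1 call, so a user granted browse access to PAYROLL.INCREASE.SALARY can open it with MQOO_BROWSE but not with an MQOO_INPUT_* option, and switching queue checking off lets any user open any queue with any valid option. The MQOO_* values are the real constants from the MQ C header cmqc.h; the permission names (BROWSE, GET, PUT, INQUIRE, SET), the option-to-permission table and the policy table are constructed for the example and are not the product's own mapping.

```python
"""Illustrative model of queue security checking for MQOPEN/MQPUT1.

Added example, not IBM code. The MQOO_* values are the real constants from
cmqc.h; the permission names, the option-to-permission mapping and the policy
table (who may do what on which queue) are constructed for this example.
"""

# Real MQOPEN option values (cmqc.h).
MQOO_INPUT_AS_Q_DEF = 0x00000001
MQOO_INPUT_SHARED = 0x00000002
MQOO_INPUT_EXCLUSIVE = 0x00000004
MQOO_BROWSE = 0x00000008
MQOO_OUTPUT = 0x00000010
MQOO_INQUIRE = 0x00000020
MQOO_SET = 0x00000040
MQOO_FAIL_IF_QUIESCING = 0x00002000

# Constructed mapping: each access-related option implies one permission the
# opening user must hold on the queue. An option that implies no queue
# permission of its own (MQOO_FAIL_IF_QUIESCING) maps to None.
OPTION_PERMISSION = {
    MQOO_INPUT_AS_Q_DEF: "GET",
    MQOO_INPUT_SHARED: "GET",
    MQOO_INPUT_EXCLUSIVE: "GET",
    MQOO_BROWSE: "BROWSE",
    MQOO_OUTPUT: "PUT",
    MQOO_INQUIRE: "INQUIRE",
    MQOO_SET: "SET",
    MQOO_FAIL_IF_QUIESCING: None,
}

# Constructed policy: user -> queue -> permissions granted on that queue.
POLICY = {
    "payclerk": {"PAYROLL.INCREASE.SALARY": {"BROWSE", "INQUIRE"}},
    "payadmin": {"PAYROLL.INCREASE.SALARY": {"BROWSE", "GET", "PUT", "INQUIRE", "SET"}},
}


def required_permissions(open_options):
    """Translate an MQOO_* bit mask into the set of queue permissions it needs.

    Raises ValueError for bits this model does not know, the analogue of the
    MQRC_OPTIONS_ERROR an MQOPEN with an invalid option receives.
    """
    known = 0
    for bit in OPTION_PERMISSION:
        known |= bit
    if open_options & ~known:
        raise ValueError("invalid open options: 0x%08x" % open_options)
    return {perm for bit, perm in OPTION_PERMISSION.items()
            if open_options & bit and perm is not None}


def check_queue_open(user, queue, open_options, policy=POLICY, queue_checks_active=True):
    """Decide whether `user` may open `queue` with `open_options`.

    Returns (allowed, missing), where `missing` is the set of permissions the
    user lacks. With queue security switched off (queue_checks_active=False)
    any user may open any queue with any *valid* option, as the text states;
    option validation still happens because it is not a security check.
    """
    needed = required_permissions(open_options)
    if not queue_checks_active:
        return True, set()
    held = policy.get(user, {}).get(queue, set())
    missing = needed - held
    return not missing, missing


if __name__ == "__main__":
    q = "PAYROLL.INCREASE.SALARY"
    print("browse:       ", check_queue_open("payclerk", q, MQOO_BROWSE))
    print("input shared: ", check_queue_open("payclerk", q, MQOO_INPUT_SHARED))
    print("browse+input: ", check_queue_open("payclerk", q, MQOO_BROWSE | MQOO_INPUT_SHARED))
    print("checks off:   ", check_queue_open("payclerk", q, MQOO_INPUT_SHARED, queue_checks_active=False))
```

Note that a combined open such as MQOO_BROWSE | MQOO_INPUT_SHARED fails as a whole: the check is on the union of permissions the options need, not on any one of them, which is why granting browse access does not leak get access.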


Process security

Process security checking is carried out when a user opens a process definition object. If you turn checking for processes off, any user can open any process.

You can turn process security checking on or off at either queue manager or queue-sharing group level.


Namelist security

Namelist security checking is carried out when a user opens a namelist. If you turn checking for namelists off, any user can open any namelist.

You can turn namelist security checking on or off at either queue manager or queue-sharing group level.


Alternate user security

Alternate user security controls whether one user ID can use the authority of another user ID to open a WebSphere MQ object.

For example:

The alternate user ID is specified in the AlternateUserId field of the object descriptor (MQOD).

You can use alternate user IDs on any WebSphere MQ object, for example, processes or namelists. Doing so does not affect the user ID used by any other resource manager, for example, for CICS security or for z/OS data set security.

If alternate user security is not active, any user can use any other user ID as an alternate user ID.

You can turn alternate user security checking on or off at either queue manager or queue-sharing group level.


Context security

Context is information that is applicable to a particular message and is contained in the message descriptor (MQMD) that is part of the message. The context information comes in two sections:

Identity section

The user of the application that first put the message to a queue. It consists of the following fields:

Origin section

The application that put the message on the queue where it is currently stored. It consists of the following fields:

  • PutApplType

  • PutApplName

  • PutDate

  • PutTime

  • ApplOriginData

Applications can specify the context data when either an MQPUT or an MQPUT1 call is made. The application might generate the data, the data might be passed on from another message, or the queue manager might generate the data by default. For example, server programs can use context data to check the identity of the requester, that is, did this message come from the correct application? Typically, the UserIdentifier field is used to determine the user ID of an alternate user.

You use context security to control whether the user can specify any of the context options on any MQOPEN or MQPUT1 call. For information about the context options, see the WebSphere MQ Application Programming Guide; for descriptions of the message descriptor fields relating to context, see the WebSphere MQ Application Programming Reference manual.

If you turn context security checking off, any user can use any of the context options that the queue security allows.

You can turn context security checking on or off at either queue, queue manager or queue-sharing group level.
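The following added example (not IBM code) models the two remaining checks described above together: alternate user security, where MQOO_ALTERNATE_USER_AUTHORITY makes the open proceed under the user ID in MQOD.AlternateUserId only if the caller is permitted to adopt it, and context security, where the MQOO_*_CONTEXT options are allowed only to users authorized for that queue. It also shows the server-side use of context from the text, checking the identity (UserIdentifier) and origin (PutApplName) fields of the MQMD to decide whether a request came from the expected application. The MQOO_* values are the real cmqc.h constants; the policy tables, user names, queue name, sample MQMD and the AuthorizationError class are constructed for the example. The model treats a blank AlternateUserId as "no alternate user", which is a modelling choice, not documented product behaviour.

```python
"""Illustrative model of alternate user security and context security.

Added example, not IBM code. MQOO_* values are the real cmqc.h constants;
the policy tables, user names and the sample MQMD are constructed.
"""
from dataclasses import dataclass

# Real MQOPEN option values (cmqc.h).
MQOO_PASS_IDENTITY_CONTEXT = 0x00000100
MQOO_PASS_ALL_CONTEXT = 0x00000200
MQOO_SET_IDENTITY_CONTEXT = 0x00000400
MQOO_SET_ALL_CONTEXT = 0x00000800
MQOO_ALTERNATE_USER_AUTHORITY = 0x00001000
CONTEXT_OPTIONS = (MQOO_PASS_IDENTITY_CONTEXT | MQOO_PASS_ALL_CONTEXT
                   | MQOO_SET_IDENTITY_CONTEXT | MQOO_SET_ALL_CONTEXT)

# Constructed: which callers may adopt which alternate user IDs.
ALT_USER_POLICY = {"bridge": {"payclerk", "payadmin"}}
# Constructed: per-queue set of users allowed to use context options. Context
# checking can be switched at queue level, so the policy is keyed by queue.
CONTEXT_POLICY = {"PAYROLL.INCREASE.SALARY": {"bridge"}}


class AuthorizationError(Exception):
    """Constructed stand-in for an MQOPEN failing with not-authorized."""


def resolve_effective_user(caller, open_options, alternate_user_id,
                           alt_user_checks_active=True, policy=ALT_USER_POLICY):
    """Return the user ID whose authority the open proceeds under.

    With MQOO_ALTERNATE_USER_AUTHORITY the MQOD.AlternateUserId is adopted,
    but only if the caller is permitted to use it. With the check switched
    off any caller may adopt any ID, which is the exposure the text warns of.
    """
    if not open_options & MQOO_ALTERNATE_USER_AUTHORITY:
        return caller
    alt = alternate_user_id.strip()
    if not alt:
        return caller  # modelling choice: blank AlternateUserId adopts nobody
    if alt_user_checks_active and alt not in policy.get(caller, set()):
        raise AuthorizationError("%s may not act as %s" % (caller, alt))
    return alt


def check_context_options(user, queue, open_options, context_checks_active=True,
                          policy=CONTEXT_POLICY):
    """True when `user` may use the context options in `open_options` on `queue`.

    No context option set means nothing to check; with context checking off
    any user may use any context option the queue security allows.
    """
    if not open_options & CONTEXT_OPTIONS or not context_checks_active:
        return True
    return user in policy.get(queue, set())


@dataclass
class MQMD:
    """The context fields of the message descriptor used here: UserIdentifier
    is from the identity section, the rest are the origin section fields."""
    UserIdentifier: str
    PutApplType: int
    PutApplName: str
    PutDate: str
    PutTime: str
    ApplOriginData: str = ""


def requester_is_trusted(md, trusted_users, trusted_appls):
    """Server-side check from the text: did this message come from the correct
    application? Compares identity (UserIdentifier) and origin (PutApplName)
    context against constructed allow lists. This is only as reliable as the
    context security on the queue, since a user allowed MQOO_SET_*_CONTEXT
    could supply these fields itself."""
    return (md.UserIdentifier.strip() in trusted_users
            and md.PutApplName.strip() in trusted_appls)


if __name__ == "__main__":
    q = "PAYROLL.INCREASE.SALARY"
    print(resolve_effective_user("bridge", MQOO_ALTERNATE_USER_AUTHORITY, "payclerk"))
    print(check_context_options("bridge", q, MQOO_SET_IDENTITY_CONTEXT))
    print(check_context_options("payclerk", q, MQOO_SET_ALL_CONTEXT))
    # Constructed sample descriptor; PutApplType 1 is MQAT_CICS in cmqc.h.
    sample = MQMD("PAYCLERK", 1, "PAYAPP01", "20240101", "12000000")
    print(requester_is_trusted(sample, {"PAYCLERK"}, {"PAYAPP01"}))
```

The two checks are independent: a caller may be allowed to adopt an alternate user ID yet still be refused the context options on a given queue, and the context policy is consulted for the effective user, not the original caller, once an alternate user has been adopted.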