Profiles to control queue-sharing group or queue manager level security

When WebSphere MQ has determined that security checking is required, it then determines whether checking is required at queue-sharing group or queue manager level, or both. These checks are not performed if your queue manager is not a member of a queue sharing group.

The following switch profiles are checked to determine the level required. Figure 27 and Figure 28 show the order in which they are checked.

Table 33. Switch profiles for queue-sharing group or queue manager level security

Switch profile name	Type of resource or checking that is controlled
qmgr-name.NO.QMGR.CHECKS	No queue manager level checks for this queue manager
qsg-name.NO.QMGR.CHECKS	No queue manager level checks for this queue-sharing group
qmgr-name.YES.QMGR.CHECKS	Queue manager level checks override for this queue manager
qmgr-name.NO.QSG.CHECKS	No queue-sharing group level checks for this queue manager
qsg-name.NO.QSG.CHECKS	No queue-sharing group level checks for this queue-sharing group
qmgr-name.YES.QSG.CHECKS	Queue-sharing group level checks override for this queue manager

If subsystem security is active, we cannot switch off both queue-sharing group and queue manager level security. If you try to do this, WebSphere MQ sets security checking on at both levels.

Figure 27. Checking for queue manager level security

Figure 28. Checking for queue-sharing group level security

 

Valid combinations of switches

Table 34, Table 35, Table 36, and Table 37 show the sets of combinations of switch settings that are valid for each type of security level. If you use a combination of switch settings that is not valid, message CSQH026I is issued and security checking is set on at both queue-sharing group and queue manager level.

Table 34. Valid security switch combinations for queue manager level security

qmgr-name.NO.QSG.CHECKS

qsg-name.NO.QSG.CHECKS

qmgr-name.NO.QSG.CHECKS qsg-name.NO.QMGR.CHECKS qmgr-name.YES.QMGR.CHECKS

qsg-name.NO.QSG.CHECKS qsg-name.NO.QMGR.CHECKS qmgr-name.YES.QMGR.CHECKS

Table 35. Valid security switch combinations for queue-sharing group level security

qmgr-name.NO.QMGR.CHECKS

qsg-name.NO.QMGR.CHECKS

qmgr-name.NO.QMGR.CHECKS qsg-name.NO.QSG.CHECKS qmgr-name.YES.QSG.CHECKS

qsg-name.NO.QMGR.CHECKS qsg-name.NO.QSG.CHECKS qmgr-name.YES.QSG.CHECKS

Table 36. Valid security switch combinations for queue manager and queue-sharing group level security

qsg-name.NO.QMGR.CHECKS qmgr-name.YES.QMGR.CHECKS No QSG.* profiles defined

No QMGR.* profiles defined qsg-name.NO.QSG.CHECKS qmgr-name.YES.QSG.CHECKS

qsg-name.NO.QMGR.CHECKS qmgr-name.YES.QMGR.CHECKS qsg-name.NO.QSG.CHECKS qmgr-name.YES.QSG.CHECKS

No profiles for either switch defined

Table 37. Other valid security switch combinations that switch both levels of checking on.

qmgr-name.NO.QMGR.CHECKS qmgr-name.NO.QSG.CHECKS

qsg-name.NO.QMGR.CHECKS qsg-name.NO.QSG.CHECKS

qmgr-name.NO.QMGR.CHECKS qsg-name.NO.QSG.CHECKS

qsg-name.NO.QMGR.CHECKS qmgr-name.NO.QSG.CHECKS