User ID timeouts

When a user accesses a WebSphere MQ resource, the queue manager tries to sign this user on to the queue manager (if subsystem security is active). This means that the user is authenticated to the ESM. This user remains signed on to WebSphere MQ until either the queue manager is shut down, or until the user ID is "timed out" (the authentication lapses) or reverified (reauthenticated).

When a user is timed out, the user ID is "signed off" within the queue manager and any security-related information retained for this user is discarded. The signing on and off of the user within the queue manager is transparent to the application program and to the end user.

Users are eligible for time out when they have not used any WebSphere MQ resources for a predetermined amount of time. This time period is set by the MQSC ALTER SECURITY command. For a description of the command syntax, see WebSphere MQ Script (MQSC) Command Reference.

Two values can be specified in the ALTER SECURITY command:

TIMEOUT

The time period in minutes that an unused user ID and its associated resources can remain within the WebSphere MQ queue manager.

INTERVAL

The time period in minutes between checks for user IDs and their associated resources, to determine whether the TIMEOUT has expired.

For example, if the TIMEOUT value is 30 and the INTERVAL value is 10, every 10 minutes WebSphere MQ checks user IDs and their associated resources to determine whether any have not been used for 30 minutes. If a timed-out user ID is found, that user ID is signed off within the queue manager. If any timed-out resource information associated with non-timed out user IDs is found, that resource information is discarded. If you do not want to time-out user IDs, set the INTERVAL value to zero. However, if the INTERVAL value is zero, storage occupied by user IDs and their associated resources is not freed until you issue a REFRESH SECURITY or RVERIFY SECURITY MQSC command.

Tuning this value can be important if you have many one-off users. If you set small interval and timeout values, resources that are no longer required are freed.

Note:
If you use values for INTERVAL or TIMEOUT other than the defaults, reenter the command at every queue manager startup. We can do this automatically by putting the ALTER SECURITY command in the CSQINP1 data set for that queue manager.