Security and remote queues
When a message is put on a remote queue, the queue security that is performed by the local queue manager depends on how the remote queue is specified when it is opened. For example:
- If the remote queue has been defined on the local queue manager through the WebSphere MQ DEFINE QREMOTE command, the queue that is checked is the name of the remote queue. For example, if a remote queue is defined on queue manager MQS1 as follows:
DEFINE QREMOTE(BANK7.CREDIT.REFERENCE) RNAME(CREDIT.SCORING.REQUEST) RQMNAME(BNK7) XMITQ(BANK1.TO.BANK7)In this case, a profile for BANK7.CREDIT.REFERENCE, must be defined in the MQQUEUE class.
- If the ObjectQMgrName for the request does not resolve to the local queue manager, a security check is carried out against the resolved (remote) queue manager name except in the case of a cluster queue where the check is made against the cluster queue name.
For example, the transmission queue BANK1.TO.BANK7 is defined on queue manager MQS1. An MQPUT1 request is then issued on MQS1 specifying ObjectName as BANK1.INTERBANK.TRANSFERS and an ObjectQMgrName of BANK1.TO.BANK7. In this case, the user performing the request must have access to BANK1.TO.BANK7.
- If you make an MQPUT request to a queue and specify ObjectQMgrName as the name of an alias of the local queue manager, only the queue name is checked for security, not that of the queue manager.
When the message gets to the remote queue manager it might be subject to additional security processing. For more information, see the WebSphere MQ Intercommunication manual.