How switches work

To set a security switch off, we need to define a NO.* switch profile for it. The existence of a NO.* profile means that security checks are not performed for that type of resource, unless you choose to override a queue-sharing group level setting on a particular queue manager. This is described in Overriding queue-sharing group level settings.

If your queue manager is not a member of a queue-sharing group, you do not need to define any queue-sharing group level profiles or any override profiles. However, remember to define these profiles if the queue manager joins a queue-sharing group at a later date.

Each NO.* switch profile that WebSphere MQ detects turns off the checking for that type of resource. Switch profiles are activated during startup of the queue manager. If you change the switch profiles while any affected queue managers are running, we can get WebSphere MQ to recognize the changes by issuing the WebSphere MQ REFRESH SECURITY command.

The switch profiles must always be defined in the MQADMIN class. Do not define them in the GMQADMIN class. Tables Table 32 through Table 38 show the valid switch profiles and the security type they control.

 

Overriding queue-sharing group level settings

We can override queue-sharing group level security settings for a particular queue manager that is a member of that group. If you want to perform queue manager checks on an individual queue manager that are not performed on other queue managers in the group, use the (qmgr-name.YES.*) switch profiles.

Conversely, if you do not want to perform a certain check on one particular queue manager within a queue-sharing group, define a (qmgr-name.NO.*) profile for that particular resource type on the queue manager, and do not define a profile for the queue-sharing group. (WebSphere MQ only checks for a queue-sharing group level profile if it does not find a queue manager level profile.)