Access control

MCAUSER, MQ_USER_ID, environment variables" /> Access control

Home

Access control

Access control in WebSphere MQ is based upon the user identifier associated with the process making MQI calls. For WebSphere MQ clients, the process that issues the MQI calls is the server-connection MCA. The user identifiers used by the server-connection MCA are that contained in the
MCAUserIdentifier and LongMCAUserIdentifier fields of the MQCD. The contents of these fields are determined by:

Any values set by security exits
The user ID from the client
MCAUSER (in the server-connection channel definition)

Depending upon the combination of settings of the above, the user-identifier fields are set to appropriate values. If a server-connection security exit is provided, the user-identifier fields can be set by the exit. Otherwise they are determined as follows:

If the server-connection channel MCAUSER attribute is nonblank, this value is used.
If the server-connection channel MCAUSER attribute is blank, the user ID received from the client is used.

When the user-identifier fields are derived from the user ID that started the server-connection channel, the following value is used:

For z/OS, the user ID assigned to the channel initiator started task by the z/OS started procedures table. See the WebSphere MQ for z/OS System Setup Guide for more information.
For TCP/IP (non-z/OS), the user ID from the inetd.conf entry, or the user ID that started the listener.
For SNA (non-z/OS), the user ID from the SNA Server entry or (if there is none) the incoming attach request, or the user ID that started the listener.
For NetBIOS or SPX, the user ID that started the listener.

If any server-connection channel definitions exist that have the MCAUSER attribute set to blank, clients can use this channel definition to connect to the queue manager with access authority determined by the user ID supplied by the client. This might be a security exposure if the system on which the queue manager is running allows unauthorized network connections. The WebSphere MQ default server-connection channel (SYSTEM.DEF.SVRCONN) has the MCAUSER attribute set to blank. To prevent unauthorized access, update the MCAUSER attribute of the default definition with a user ID that has no access to WebSphere MQ objects.
When you define a channel with
runmqsc, the MCAUSER attribute is changed to uppercase unless the user ID is contained within single quotation marks.
For servers on UNIX systems and Windows, the content of the
MCAUserIdentifier field that is received from the client is changed to lowercase.
For servers on i5/OS, the content of the
LongMCAUserIdentifier field that is received from the client is changed to uppercase.
For servers on UNIX systems, the content of the
LongMCAUserIdentifier field that is received from the client is changed to lowercase.

Home