Stopping unauthorized queue managers putting messages on your queues
To prevent certain queue managers from putting messages on a queue, use the security facilities available on your platform. For example:
- RACF or other external security managers on WebSphere MQ for z/OS
- The Object Authority Manager (OAM) on WebSphere MQ for iSeries, WebSphere MQ on UNIX systems, and WebSphere MQ for Windows, and on MQSeries for Compaq Tru64 UNIX, V5.1, MQSeries for Compaq OpenVMS Alpha, V5.1, and MQSeries for Compaq NonStop Kernel, V5.1
In addition, you can use the PUT authority (PUTAUT) attribute on the CLUSRCVR channel definition. The PUTAUT attribute specifies which user IDs are used to establish authority to put a message to a queue. The options on the PUTAUT attribute are:
- DEF: Use the default user ID. On z/OS this might involve using both the user ID received from the network and that derived from MCAUSER.
- CTX: Use the user ID in the context information associated with the message. On z/OS this might involve using either the user ID received from the network, or that derived from MCAUSER, or both. Use this option if the link is trusted and authenticated.
- ONLYMCA (z/OS only): As for DEF, but any user ID received from the network will not be used. Use this option if the link is not trusted and you want to allow only a specific set of actions on it, which are defined for the MCAUSER.
- ALTMCA (z/OS only): As for CTX, but any user ID received from the network will not be used.
For more information about using the PUTAUT attribute on a channel definition, see the WebSphere MQ Intercommunications book or see the WebSphere MQ Script (MQSC) Command Reference book.
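The following is an added example, not part of the IBM documentation: a Python audit of DISPLAY CHANNEL output that reports CLUSRCVR channels whose PUTAUT takes authority from message context on a link not declared trusted, or whose MCAUSER is blank. The sample output, channel names, user ID and the trusted list are constructed for the example; the blank-MCAUSER check is this example's own policy.

```python
import re

# Constructed sample of runmqsc output for
# DISPLAY CHANNEL(*) CHLTYPE(CLUSRCVR) MCAUSER PUTAUT (names are made up).
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(TO.QM1)                         CHLTYPE(CLUSRCVR)
   MCAUSER(clusin)                         PUTAUT(DEF)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM1.PARTNER)                 CHLTYPE(CLUSRCVR)
   MCAUSER( )                              PUTAUT(CTX)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM1.INTERNAL)                CHLTYPE(CLUSRCVR)
   MCAUSER(clusin)                         PUTAUT(CTX)
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # KEYWORD(value) pairs

def parse_channels(text):
    """Split runmqsc output into one attribute dict per channel."""
    channels = []
    for line in text.splitlines():
        if line.startswith("AMQ8414"):      # start of a new channel record
            channels.append({})
        elif channels:
            for key, value in ATTR.findall(line):
                channels[-1][key] = value.strip()
    return channels

def audit(text, trusted=()):
    """Return (channel, finding) pairs for CLUSRCVR channels.

    trusted: channels whose link the operator has declared trusted and
    authenticated (an input to this example, not an MQ attribute).
    """
    findings = []
    for ch in parse_channels(text):
        if ch.get("CHLTYPE") != "CLUSRCVR":
            continue
        name, putaut = ch.get("CHANNEL", "?"), ch.get("PUTAUT", "DEF")
        if putaut in ("CTX", "ALTMCA") and name not in trusted:
            findings.append((name, f"PUTAUT({putaut}) uses the message "
                                   "context user ID on an untrusted link"))
        if not ch.get("MCAUSER"):
            findings.append((name, "MCAUSER is blank: no dedicated user ID"))
    return findings
```
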
As with any other transmission queue, applications cannot put messages directly to SYSTEM.CLUSTER.TRANSMIT.QUEUE without special authorization.