Channel security


The user IDs associated with message channel agents (MCAs) need authority to access various WebSphere MQ resources.

An MCA must be able to connect to a queue manager and open the dead letter queue. If it is a sending MCA, it must be able to open the transmission queue for the channel. If it is a receiving MCA, it must be able to open destination queues and set context information in the messages it puts on those queues.

If the PUTAUT parameter is set to CTX (or ALTMCA on z/OS) in the channel definition at the receiving end of a channel, the user ID in the UserIdentifier field in the message descriptor of each incoming message needs authority to open the destination queue for the message. In addition, the user ID associated with the receiving MCA needs alternate user authority to open the destination queue using the authority of a different user ID.

On an MQI channel, the user ID associated with the server connection MCA needs authority to issue MQI calls on behalf of the client application.

The user ID that is used for authority checks depends on whether the MCA is connecting to a queue manager or accessing queue manager resources after it has connected to a queue manager:

The user ID for connecting to a queue manager

On i5/OS, UNIX systems, and Windows systems, the user ID whose authority is checked when an MCA connects to a queue manager is the one under which the MCA is running. This is known as the default user ID of the MCA. The default user ID might be derived in various ways. Here are some examples:

  • If a caller MCA is started by a channel initiator, the MCA runs under the same user ID as that of the channel initiator. This user ID might be derived in various ways. For example, if the channel initiator is started by using the WebSphere MQ Explorer, it runs under the MUSER_MQADMIN user ID. This user ID is created when you install WebSphere MQ for Windows and is a member of the mqm group.

  • If a responder MCA is started by a WebSphere MQ listener, the MCA runs under the same user ID as that of the listener.

  • If the communications protocol for the channel is TCP/IP and a responder MCA is started by the inet daemon, the MCA runs under the user ID obtained from the entry in the inetd.conf file that was used to start the MCA.

  • If the communications protocol for the channel is SNA LU 6.2, a responder MCA might run under the user ID contained in the inbound attach request, or under the user ID specified in the transaction program (TP) definition for the MCA.

After an MCA has connected to a queue manager, it accesses certain queue manager resources as part of its initialization processing. The default user ID of the MCA is also used for the authority checks when it opens these resources. To enable the MCA to access these resources, ensure that the default user ID is a member of the QMQMADM group on i5/OS, the mqm group on UNIX and Windows systems, or the Administrators group on Windows systems.

On z/OS, every task in the channel initiator address space that needs to connect to the queue manager does so when the channel initiator address space is started. This includes the dispatcher tasks that run as MCAs. The channel initiator address space user ID is used to check the authority of a task to connect to the queue manager.

The user ID for subsequent authority checks

After an MCA has connected to a queue manager, the user ID whose authority is checked when the MCA accesses queue manager resources subsequently might be different from the one that was checked when the MCA connected to the queue manager. In addition, on z/OS, zero, one, or two user IDs might be checked, depending on the access level of the channel initiator address space user ID to the RESLEVEL profile. Here are some examples of other user IDs that might be used:

  • The value of the MCAUSER parameter in the channel definition

  • For a receiving MCA, the user ID in the UserIdentifier field in the message descriptor of each incoming message, if the PUTAUT parameter is set to CTX (or ALTMCA on z/OS) in the channel definition at the receiving end of a channel

  • For a server connection MCA, the user ID that is received from a client system when a WebSphere MQ client application issues an MQCONN call

The user ID actually used is displayed on the channel status.

On z/OS, the channel initiator address space user ID needs authority to open certain system queues, such as SYSTEM.CHANNEL.INITQ, independently of the MCAs that are running in the address space.
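The following POSIX shell script is an added example, not part of the WebSphere MQ documentation. It assembles, for a UNIX or Windows queue manager, the authority grants this section describes for an MCA's default user ID (granted through its group), using the real setmqaut, dspmqaut and MQSC commands: connect and dead-letter-queue access for every MCA, transmission-queue access for a sending MCA, destination-queue and set-context access for a receiving MCA, and alternate-user authority when PUTAUT is CTX. The queue manager QM1, group mcagrp, channel QM2.TO.QM1, transmission queue QM2, destination queue APP.DEST.QUEUE and user ID mcauser are assumed placeholders, and the exact authority list per object is chosen to match the text's description rather than quoted from it. By default the script only prints the commands for review (DRY_RUN=1); set DRY_RUN=0 on a machine with WebSphere MQ installed to execute them.

```shell
#!/bin/sh
# Added example (not from the WebSphere MQ documentation). Emits the setmqaut
# commands that give an MCA's default user ID, via its group, the authorities
# described in "Channel security", plus the MQSC to fix MCAUSER/PUTAUT on the
# receiving channel and to see which user ID the channel actually used.
# All queue manager, group, channel, queue and user names are placeholders.
# DRY_RUN=1 (default) prints each command instead of running it.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Every MCA: connect to the queue manager and open the dead-letter queue.
mca_common_auth() {
    qmgr=$1; grp=$2; dlq=$3
    run setmqaut -m "$qmgr" -t qmgr -g "$grp" +connect +inq
    run setmqaut -m "$qmgr" -t queue -n "$dlq" -g "$grp" +put +inq +passall
}

# Sending MCA: open (get from) the channel's transmission queue.
mca_sender_auth() {
    qmgr=$1; grp=$2; xmitq=$3
    run setmqaut -m "$qmgr" -t queue -n "$xmitq" -g "$grp" +get +inq
}

# Receiving MCA: open destination queues and set context on the messages it
# puts. With PUTAUT(CTX) the open is checked against the UserIdentifier in
# each message, so the MCA's own user ID also needs alternate-user authority
# (+altusr, a queue-manager-level authority).
mca_receiver_auth() {
    qmgr=$1; grp=$2; destq=$3; putaut=$4
    run setmqaut -m "$qmgr" -t queue -n "$destq" -g "$grp" +put +inq +setall
    if [ "$putaut" = CTX ]; then
        run setmqaut -m "$qmgr" -t qmgr -g "$grp" +altusr
    fi
}

# MQSC for the receiving end: pin the MCA user ID, choose PUTAUT, then show
# the user ID the running channel actually used (MCAUSER on DISPLAY CHSTATUS).
mca_receiver_mqsc() {
    chl=$1; mcauser=$2; putaut=$3
    printf "ALTER CHANNEL('%s') CHLTYPE(RCVR) MCAUSER('%s') PUTAUT(%s)\n" \
        "$chl" "$mcauser" "$putaut"
    printf "DISPLAY CHSTATUS('%s') MCAUSER STATUS\n" "$chl"
}

# Check, without granting anything, what the group currently holds.
mca_check_auth() {
    qmgr=$1; grp=$2; destq=$3
    run dspmqaut -m "$qmgr" -t qmgr -g "$grp"
    run dspmqaut -m "$qmgr" -t queue -n "$destq" -g "$grp"
}

# Demonstration run with the placeholder names (prints only under DRY_RUN=1).
mca_common_auth QM1 mcagrp SYSTEM.DEAD.LETTER.QUEUE
mca_sender_auth QM1 mcagrp QM2
mca_receiver_auth QM1 mcagrp APP.DEST.QUEUE CTX
mca_receiver_mqsc QM2.TO.QM1 mcauser CTX
mca_check_auth QM1 mcagrp APP.DEST.QUEUE
```

The MQSC lines produced by mca_receiver_mqsc can be piped into runmqsc QM1 on the receiving queue manager; the DISPLAY CHSTATUS output is the place to confirm which of the candidate user IDs (default user ID, MCAUSER, or the message's UserIdentifier) the channel is really using, which the text notes is shown on the channel status.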
