Configure authorization service stanzas on Windows
On IBM MQ for Windows each queue manager has its own stanza in the registry.
The Service stanza and the ServiceComponent stanza for the default authorization component are added to the Registry automatically, but can be overridden using mqsnoaut. Any other ServiceComponent stanzas must be added manually.
We can also add the SecurityPolicy attribute using the IBM MQ services. The SecurityPolicy attribute applies only if the service specified on the Service stanza is the authorization service, that is, the default OAM. The SecurityPolicy attribute allows you to specify the security policy for each queue manager. The possible values are:
- Default
- Specify Default if you want the default security policy to take effect. If a Windows security identifier (NT SID) is not passed to the OAM for a particular user ID, an attempt is made to obtain the appropriate SID by searching the relevant security databases.
- NTSIDsRequired
- Requires that an NT SID is passed to the OAM when performing security checks.
For information about the Service stanza format, see Service stanza format. For more general information about security, see Set up security on Windows, UNIX and Linux systems.
The service component stanza, MQSeries.WindowsNT.auth.service defines the default authorization service component, the OAM. If you remove this stanza and restart the queue manager, the OAM is disabled and no authorization checks are made.