Security of IBM MQ for IBM i objects
This section deals with remote messaging aspects of security.
You must provide users with authority to make use of the IBM MQ for IBM i facilities. This authority is organized according to actions to be taken with respect to objects and definitions. For example:
- Queue managers can be started and stopped by authorized users
- Applications need to connect to the queue manager, and have authority to make use of queues
- Message channels need to be created and controlled by authorized users
- Specify in the channel definition that messages must carry acceptable context authority; messages that do not are discarded.
- Implement channel authentication records to reject unwanted connection attempts, or to set an MCAUSER value based on one of the following: the remote IP address, the remote user ID, the TLS Distinguished Name (DN) provided, or the remote queue manager name.
- Implement user exit security checking to ensure that the corresponding message channel is authorized. The security of the installation hosting the corresponding channel ensures that all its users are properly authorized, so individual messages do not need to be checked.
- Implement user exit message processing to ensure that individual messages are vetted for authorization.
- Users are identified and authenticated by IBM i.
- Queue manager services invoked by applications are run with the authority of the queue manager user profile, but in the user's process.
- Queue manager services invoked by user commands are run with the authority of the queue manager user profile.
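As an added example (not taken from the IBM documentation), the following MQSC commands show channel authentication records of each kind listed above: a backstop rule that rejects every connection not explicitly allowed, an address-based rule, a rule that sets MCAUSER from the TLS Distinguished Name, a rule keyed on the remote queue manager name, and a rule that refuses a specific remote user ID. The channel names, IP range, DN, user profiles and queue manager name are assumed values; on IBM i the script would be run with STRMQMMQSC against the queue manager.

```mqsc
* Backstop: no address is allowed to connect unless a more specific rule maps it
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Reject all connections not explicitly allowed') ACTION(REPLACE)

* Never let a remote user run a channel as an MQ administrator
SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN') ACTION(REPLACE)

* Client channel: allow only the assumed application subnet (192.0.2.0/24)
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.*') +
    USERSRC(CHANNEL) DESCR('Application subnet may connect') ACTION(ADD)

* Client channel: map a TLS certificate DN (assumed) to a low-privilege MCAUSER
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=appclient,O=Example') ADDRESS('192.0.2.*') +
    USERSRC(MAP) MCAUSER('APPUSER') ACTION(ADD)

* Client channel: refuse a particular remote user ID even from an allowed address
SET CHLAUTH('APP.SVRCONN') TYPE(USERMAP) CLNTUSER('mqadmin') +
    USERSRC(NOACCESS) DESCR('Block admin user ID over the network') ACTION(ADD)

* Receiver channel: accept only the partner queue manager QMB, and run it as MQRCVUSR
SET CHLAUTH('TO.QMB') TYPE(QMGRMAP) QMNAME('QMB') ADDRESS('192.0.2.*') +
    USERSRC(MAP) MCAUSER('MQRCVUSR') ACTION(ADD)

* Verify which rule an inbound client from 192.0.2.10 would match before going live
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('192.0.2.10') +
    SSLPEER('CN=appclient,O=Example') CLNTUSER('appuser')
```

MQSC selects the most specific matching record rather than the first one listed, so the backstop and the allow rules can be defined in any order.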