Authority to publish MFT Agents log and status messages
Managed File Transfer Agents issue various log, progress, and status messages that are published on the coordination queue manager. The publication of these messages is subject to the IBM MQ security model, and in some cases you might have to perform further configuration to enable publication.
For more information about IBM MQ security, see the section starting with Securing IBM MQ.
Managed File Transfer agents flow messages for publication to the SYSTEM.FTE queue on the coordination queue manager. Each message carries a user ID in its message descriptor (MQMD). Messages are published using a topic object that is also called SYSTEM.FTE. For the publication of a given message to take place, the authority records of the SYSTEM.FTE topic must permit publication by the user ID contained in the MQMD of the message.
On z/OS, the channel initiator user ID needs access to publish to the SYSTEM.FTE topic. The user ID in the MQMD of the message also needs access to publish to this topic if the RESLEVEL security profile causes two user IDs to be checked for the channel initiator connection.
The user ID initially contained in the message depends on how the agent is connected to its own queue manager. Messages from bindings-connected agents contain the user ID that the agent is running under. Messages from client-connected agents contain an internal IBM MQ user ID.
We can change the user ID in a message. For both client- and bindings-connected agents, we can use the property publicationMDUser (in the agent.properties file) to specify a user ID, which is used in all log and status messages from that agent. The agent must be given permission by its own queue manager to use this alternative user ID; give this permission by granting setid authority to the user ID that the agent runs under.
You can also change the user ID contained in all messages from a client-connected agent using the MCAUSER property on the channel that the agent uses to connect to its queue manager.
We can change the user ID in messages using a channel exit, for example on the receiver channel bringing messages into the coordination queue manager.
Depending on the IBM MQ topology and policies, there are a number of ways an IBM MQ administrator can use the information in this topic to ensure that the publication of status and log messages takes place. Two examples are:- Determine all the user IDs used by agents in the network. Explicitly grant an authority record for each of these IDs.
- Create one or more common user names to publish log and status messages. Create authority records for these user names on the coordination queue manager. Set the publicationMDUser property for each agent to a common user name. On each agent queue manager, grant setid authority to the user ID that the agent runs under to allow it to accept the publicationMDUser property.
Parent topic: Managed File Transfer security reference