Manage authorities for MFT-specific resources
For any file transfer request, the Managed File Transfer Agent processes require some level of access to their local file systems. In addition, both the user identifier associated with the agent process, and the user identifiers associated with users performing file transfer operations must have the authority to use certain IBM MQ objects.
Commands are issued by users, who might be in an operational role where they typically start a file transfer. Alternatively, they might be in an administrative role where they can additionally control when agents are created, started, deleted, or cleaned (that is, when messages from all agent system queues are removed). When a user issues a command, a message containing the command request is placed on the agent's SYSTEM.FTE.COMMAND.agent_name queue, and the agent process retrieves it from there. The agent process also uses four other system queues, which are as follows:
- SYSTEM.FTE.DATA.agent_name
- SYSTEM.FTE.EVENT.agent_name
- SYSTEM.FTE.REPLY.agent_name
- SYSTEM.FTE.STATE.agent_name
Because users issuing commands use the queues listed previously in different ways from the agent process, assign different IBM MQ authorities to the user identifiers or user groups associated with each. For example, a user needs to put command requests on the command queue but has no reason to get them, whereas the agent process gets them. See Restricting group authorities for MFT-specific resources for more information.
The agent has additional queues that can be used to grant users the authority to perform certain actions. See Restricting user authorities on MFT agent actions for information about how to use the authority queues. The agent does not put or get messages on these queues. However, you must ensure that the queues are assigned the correct IBM MQ authorities both for the user identifier used to run the agent process as well as the user identifiers associated with users who are being authorized to perform certain actions. The authority queues are as follows:
- SYSTEM.FTE.AUTHADM1.agent_name
- SYSTEM.FTE.AUTHAGT1.agent_name
- SYSTEM.FTE.AUTHMON1.agent_name
- SYSTEM.FTE.AUTHOPS1.agent_name
- SYSTEM.FTE.AUTHSCH1.agent_name
- SYSTEM.FTE.AUTHTRN1.agent_name
If we are migrating from a version of Managed File Transfer earlier than Version 7.0.2 to IBM WebSphere MQ Version 7.5, or later, and are keeping existing agent configurations, we will need to create the authority queues manually. Use the following MQSC command to create them, running it once for each of the six authority queues with authority_queue_name replaced by the queue name (for example, SYSTEM.FTE.AUTHTRN1.agent_name):
DEFINE QLOCAL(authority_queue_name) DEFPRTY(0) DEFSOPT(SHARED) GET(ENABLED) MAXDEPTH(0) +
MAXMSGL(0) MSGDLVSQ(PRIORITY) PUT(ENABLED) RETINTVL(999999999) SHARE NOTRIGGER +
USAGE(NORMAL) REPLACE
MAXDEPTH(0) means that no message can ever be held on these queues; they exist only as objects on which authority records are held.
The agent process also publishes messages to the SYSTEM.FTE topic on the coordination queue manager using the SYSTEM.FTE queue. Depending on whether the agent process is in the role of the source agent or destination agent, the agent process might require authority to read, write, update, and delete files.
We can create and modify authority records for IBM MQ objects using the IBM MQ Explorer. Right-click the object and then click Object Authorities > Manage Authority Records. We can also create authority records using the setmqaut command, which is described at setmqaut (grant or revoke authority) command.
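As an added example (not IBM's code and not part of this page), the following POSIX shell script prints, without applying anything, the MQSC from the preceding paragraphs for all six authority queues of one agent, the setmqaut commands that separate the authorities of the FTEUSER and FTEAGENT groups from Restricting group authorities for MFT-specific resources, and a setmqaut/dspmqaut pair that entitles one user to one action class. The queue manager names, the agent name, the example user alice, and the per-queue authority mapping are assumptions: the mapping is derived only from how this page says each queue is used (users put commands, the agent gets them and uses the other four system queues, nobody puts or gets on authority queues, the agent publishes on SYSTEM.FTE), the verbs +inq for the agent and +browse for a user on an authority queue are assumed, and the whole mapping must be checked against the table in that topic before the output is run.

```shell
#!/bin/sh
# Added example (not code from the IBM page or the MFT product): print the MQSC and
# setmqaut commands needed to create one agent's authority queues and to keep the
# FTEUSER and FTEAGENT authorities apart. Nothing is applied: review the output, then
# feed the MQSC to runmqsc and run the setmqaut lines as the MQ administrator.
#
# Assumptions (not stated on the page): queue manager and agent names come from the
# caller; the per-queue authorities below are an illustrative starting point derived
# from the page's description of each queue and must be checked against the table in
# "Restricting group authorities for MFT-specific resources"; the verb the agent needs
# on an authority queue is assumed to be +inq and the verb a user needs is assumed to
# be +browse; alice is a constructed example user.

# MQSC: the DEFINE QLOCAL from the page, once per authority queue. MAXDEPTH(0) means the
# queue can never hold a message; it exists only as an object to attach authority records to.
mft_auth_queue_mqsc() {
  agent="$1"
  for role in ADM AGT MON OPS SCH TRN; do
    printf 'DEFINE QLOCAL(SYSTEM.FTE.AUTH%s1.%s) DEFPRTY(0) DEFSOPT(SHARED) GET(ENABLED) +\n' "$role" "$agent"
    printf '  MAXDEPTH(0) MAXMSGL(0) MSGDLVSQ(PRIORITY) PUT(ENABLED) RETINTVL(999999999) +\n'
    printf '  SHARE NOTRIGGER USAGE(NORMAL) REPLACE\n'
  done
}

# One setmqaut line for a queue: queue manager, queue, group, authorities.
mft_q() { printf 'setmqaut -m %s -t queue -n %s -g %s %s\n' "$1" "$2" "$3" "$4"; }

# setmqaut commands. Arguments: agent queue manager, coordination queue manager, agent name.
mft_setmqaut_cmds() {
  agent_qm="$1"; coord_qm="$2"; agent="$3"
  # Both groups connect to the agent queue manager; nothing more at queue-manager level.
  printf 'setmqaut -m %s -t qmgr -g FTEUSER +connect +inq\n' "$agent_qm"
  printf 'setmqaut -m %s -t qmgr -g FTEAGENT +connect +inq\n' "$agent_qm"
  # Command queue: users only put command requests; only the agent reads them.
  mft_q "$agent_qm" "SYSTEM.FTE.COMMAND.$agent" FTEUSER  '+put'
  mft_q "$agent_qm" "SYSTEM.FTE.COMMAND.$agent" FTEAGENT '+get +browse +inq +setid'
  # DATA, EVENT, REPLY, STATE are used by the agent process: FTEUSER gets nothing on them.
  for sysq in DATA EVENT REPLY STATE; do
    mft_q "$agent_qm" "SYSTEM.FTE.$sysq.$agent" FTEAGENT '+put +get +inq +browse'
  done
  # Authority queues: no messages flow, so nobody gets +put or +get. The agent inquires on
  # them (assumed +inq); users are entitled per action class by mft_user_action_cmds.
  for role in ADM AGT MON OPS SCH TRN; do
    mft_q "$agent_qm" "SYSTEM.FTE.AUTH${role}1.$agent" FTEAGENT '+inq'
  done
  # Coordination queue manager: the agent publishes to the SYSTEM.FTE topic through the
  # SYSTEM.FTE queue, so it needs connect, put on the queue and publish on the topic.
  printf 'setmqaut -m %s -t qmgr -g FTEAGENT +connect +inq\n' "$coord_qm"
  mft_q "$coord_qm" SYSTEM.FTE FTEAGENT '+put'
  printf 'setmqaut -m %s -t topic -n SYSTEM.FTE -g FTEAGENT +pub\n' "$coord_qm"
}

# Entitle one user to one action class (role TRN, OPS, ADM, ...) by granting the assumed
# +browse on the matching authority queue, and print the dspmqaut line that verifies it.
mft_user_action_cmds() {
  agent_qm="$1"; agent="$2"; role="$3"; user="$4"
  printf 'setmqaut -m %s -t queue -n SYSTEM.FTE.AUTH%s1.%s -p %s +browse\n' "$agent_qm" "$role" "$agent" "$user"
  printf 'dspmqaut -m %s -t queue -n SYSTEM.FTE.AUTH%s1.%s -p %s\n' "$agent_qm" "$role" "$agent" "$user"
}

# Usage: sh mft_auth.sh QM_AGENT QM_COORD AGENT1 > review.txt
if [ $# -eq 3 ]; then
  mft_auth_queue_mqsc "$3"
  mft_setmqaut_cmds "$1" "$2" "$3"
  mft_user_action_cmds "$1" "$3" TRN alice   # alice: constructed example user
fi
```

The point of generating rather than typing the commands is that every agent gets the same minimal mapping, and the dspmqaut line gives the check that what a user actually holds matches the intent: if dspmqaut reports +put or +get for a user on an authority queue, or anything at all for FTEUSER on a DATA, EVENT, REPLY or STATE queue, the grants have drifted from the separation this page describes.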
- Restricting group authorities for MFT-specific resources
Instead of granting authority to individual users for all of the various objects that might be involved, configure two security groups for the purposes of administering Managed File Transfer access control: FTEUSER and FTEAGENT. It is the responsibility of the IBM MQ administrator to create and populate these groups. The administrator can choose to extend or modify the proposed configuration described here.
- Restricting user authorities on MFT agent actions
In addition to using groups to manage access to resources, we can enable an additional level of security to restrict the Managed File Transfer agent actions that a user can take. Grant authorities on an agent authority queue to a user to give the user permission to perform specific agent actions.
- MFT permissions to access sensitive configuration information
Any file used to store sensitive configuration information, meaning any file referenced from the IBM MQ configuration tree, must not have system-wide read, write, or (where applicable) delete permissions. These restrictions also apply to truststore and keystore files.

Parent topic: Managed File Transfer security reference
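The following POSIX shell script is an added example, not code from this page or from IBM, for the permission requirement stated under MFT permissions to access sensitive configuration information: it lists every file in a configuration tree that is readable or writable by everyone on the system, every directory that is writable by everyone (which is what allows a file in it to be deleted or replaced), and strips those bits. The tree root, the function names, and the sample layout in the usage are assumptions; the page fixes no path.

```shell
#!/bin/sh
# Added example, not part of the IBM page: find files under an MFT configuration tree that
# give "other" (everyone on the system) read or write access, and directories that give
# "other" write access, which lets anyone unlink or replace the files inside. Keystore and
# truststore files need no special case: they are files in the tree and get the same check.
# Assumptions: a POSIX file system with POSIX find/ls/chmod; the tree root is passed as the
# argument (for example the mqft subtree of the MQ data directory); nothing on the page
# fixes that path.

# Print one line per offending path: "<kind> <mode-string> <path>".
mft_find_world_access() {
  root="$1"
  # -perm -004: other-read bit set; -perm -002: other-write bit set (octal, portable).
  find "$root" -type f \( -perm -004 -o -perm -002 \) -print | while IFS= read -r f; do
    printf 'file %s %s\n' "$(ls -ld "$f" | cut -d' ' -f1)" "$f"
  done
  # World-writable directory: any local user can delete or swap entries in it.
  find "$root" -type d -perm -002 -print | while IFS= read -r d; do
    printf 'dir  %s %s\n' "$(ls -ld "$d" | cut -d' ' -f1)" "$d"
  done
}

# Number of offending paths; 0 means the tree satisfies the page's requirement.
mft_world_access_count() {
  mft_find_world_access "$1" | wc -l | tr -d ' '
}

# Remediation: remove all "other" bits from the whole tree. Owner and group bits are left
# alone; tighten the group separately if it is wider than the agent user's own group.
mft_remove_world_access() {
  chmod -R o-rwx "$1"
}

# Usage: sh mft_perms.sh /path/to/mqft   (lists problems; exits non-zero if any were found)
if [ $# -eq 1 ]; then
  mft_find_world_access "$1"
  [ "$(mft_world_access_count "$1")" -eq 0 ]
fi
```

Run the check as the user that owns the agent's configuration, then re-run it after remediation and after any deployment that copies files into the tree, since a copy made with a permissive umask silently reintroduces world-readable keystores.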