Other things to consider
Here are some other topics that you should consider when preparing WebSphere MQ for distributed queue management.
Undelivered-message queue
It is advisable that you have an application available to process the messages arriving on the undelivered-message queue (also known as the dead-letter queue or DLQ). The program could be triggered, or run at regular intervals. For more details, see the WebSphere MQ for iSeries System Administration and the WebSphere MQ Application Programming Guide.
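The core of such a handler is sketched below as an added example (not IBM's code and not part of the original page): it parses the 172-byte dead-letter header (MQDLH) that precedes each message on the DLQ and triages the message by reason code, so that authorization failures are surfaced rather than silently retried. Retrieval with MQGET is omitted. The action names, the reason-to-action mapping, the sample values, and the big-endian EBCDIC (cp037) layout are assumptions made for illustration.

```python
import struct

# MQDLH layout (172 bytes): StrucId, Version, Reason, DestQName, DestQMgrName,
# Encoding, CodedCharSetId, Format, PutApplType, PutApplName, PutDate, PutTime.
# Assumption: big-endian integers and EBCDIC (cp037) text, as on iSeries.
MQDLH = struct.Struct(">4sii48s48sii8si28s8s8s")
FIELDS = ("StrucId", "Version", "Reason", "DestQName", "DestQMgrName", "Encoding",
          "CodedCharSetId", "Format", "PutApplType", "PutApplName", "PutDate", "PutTime")

# Reason codes mapped to the action this illustrative handler takes (assumed policy).
ACTIONS = {
    2035: ("MQRC_NOT_AUTHORIZED", "alert"),       # put was not authorized: do not retry blindly
    2085: ("MQRC_UNKNOWN_OBJECT_NAME", "alert"),  # destination queue does not exist here
    2053: ("MQRC_Q_FULL", "retry"),               # transient: requeue later
    2051: ("MQRC_PUT_INHIBITED", "retry"),
}

def parse_dlh(message, codec="cp037"):
    """Split a dead-letter message into (header dict, original payload)."""
    if len(message) < MQDLH.size:
        raise ValueError("message shorter than an MQDLH")
    raw = MQDLH.unpack_from(message)
    hdr = {k: (v.decode(codec).rstrip(" \x00") if isinstance(v, bytes) else v)
           for k, v in zip(FIELDS, raw)}
    if hdr["StrucId"] != "DLH":
        raise ValueError("not a dead-letter header")
    return hdr, message[MQDLH.size:]

def triage(message):
    """Return (action, reason name, destination queue) for one DLQ message."""
    try:
        hdr, _ = parse_dlh(message)
    except ValueError:
        return ("quarantine", "MALFORMED", "")
    name, action = ACTIONS.get(hdr["Reason"], ("UNLISTED_%d" % hdr["Reason"], "hold"))
    return (action, name, hdr["DestQName"])

def build_sample(reason, dest_q, payload=b""):
    """Construct a sample message (constructed data, not captured traffic)."""
    e = lambda s, n: s.ljust(n).encode("cp037")
    return MQDLH.pack(e("DLH ", 4), 1, reason, e(dest_q, 48), e("QM1", 48), 273, 37,
                      e("MQSTR", 8), 8, e("SAMPLEAPP", 28), e("20240101", 8),
                      e("12000000", 8)) + payload

if __name__ == "__main__":
    for r in (2035, 2053, 9999):
        print(triage(build_sample(r, "PAYROLL.IN", b"body")))
    print(triage(b"garbage"))
```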
Queues in use
MCAs for receiver channels may keep the destination queues open even when messages are not being transmitted; this results in the queues appearing to be "in use".
Maximum number of channels
You can specify the maximum number of channels allowed in your system and the maximum number that can be active at one time. You do this in the qm.ini file in directory QIBM/UserData/mqm/qmgrs/queue manager name. See Appendix C, Configuration file stanzas for distributed queuing.
Security of WebSphere MQ for iSeries objects
This section deals with remote messaging aspects of security.
You need to provide users with authority to make use of the WebSphere MQ for iSeries facilities, and this is organized according to actions to be taken with respect to objects and definitions. For example:
- Queue managers can be started and stopped by authorized users
- Applications need to connect to the queue manager, and have authority to make use of queues
- Message channels need to be created and controlled by authorized users
The message channel agent at a remote site needs to check that the message being delivered originated from a user with authority to do so at this remote site. In addition, as MCAs can be started remotely, it may be necessary to verify that the remote processes trying to start your MCAs are authorized to do so. There are three possible ways for you to deal with this:
- Specify in the channel definition that messages must contain acceptable context authority; otherwise they will be discarded.
- Implement user exit security checking to ensure that the corresponding message channel is authorized. The security of the installation hosting the corresponding channel ensures that all users are properly authorized, so that you do not need to check individual messages.
- Implement user exit message processing to ensure that individual messages are vetted for authorization.
Here are some facts about the way WebSphere MQ for iSeries operates security:
- Users are identified and authenticated by OS/400.
- Queue manager services invoked by applications are run with the authority of the queue manager user profile, but in the user's process.
- Queue manager services invoked by user commands are run with the authority of the queue manager user profile.
System extensions and user-exit programs
A facility is provided in the channel definition to allow extra programs to be run at defined times during the processing of messages. These programs are not supplied with WebSphere MQ for iSeries, but may be provided by each installation according to local requirements.
In order to run, such programs must have predefined names and be available on call to the channel programs. The names of the exit programs are included in the message channel definitions.
There is a defined control block interface for handing over control to these programs, and for handling the return of control from these programs.
The precise places where these programs are called, and details of control blocks and names, are to be found in Part 7, Further intercommunication considerations.
WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.