IBM App Connect Enterprise, Version 11.0.0.2 Operating Systems: Windows, Linux


Security requirements for Linux platforms

View a summary of the authorizations in a Linux environment.

You must add the required user IDs to the appropriate group to enable them to complete the relevant tasks.

Note: If you have enabled administration security, you must also set the permissions that are detailed in Tasks and authorizations for administration security.

Task | Command | Authorization
Create an integration node

mqsicreatebroker command

  • Member of mqbrkrs.
  • If administration security is made active, and if the authorization mode is mq, the user ID that runs this command must be a member of the mqm group. If you do not want to run with mqm authority, you must work with your IBM® MQ administrator to create or delete the appropriate authority queue prior to running the command. For information about creating the system queues, see Creating the default system queues on a WebSphere MQ queue manager.
  • If you use the mqsicreatebroker command with the -d parameter (to configure the integration node to start and stop with the queue manager that is associated with the integration node), the user ID that runs the command must be a member of the mqm group.
Delete an integration node

mqsideletebroker command

  • Member of mqbrkrs.
Add or remove an integration node instance

mqsiaddbrokerinstance command

mqsiremovebrokerinstance command

  • Member of mqbrkrs.
  • The uid and gid for this user ID must be the same on all the systems, and the user ID must be the same one that created the first instance of the multi-instance integration node by using the mqsicreatebroker command.
  • Change the uid and gid with caution, because the change affects the permission levels of files on the system. After a uid or gid is changed, all the files previously owned by that user or group show the integer ID of the previous owner as their owner. Therefore, you must ensure that your system administrator manually restores the ownerships of the affected files and directories.
Start an integration node, or verify an integration node

mqsistart command

mqsicvp command

  • Member of mqbrkrs.
Stop an integration node

mqsistop command

  • Member of mqbrkrs. However, the root user ID can stop an integration node without membership of mqbrkrs.
  • The user ID must be the same as the user ID that started the integration node.
Create an integration server

mqsicreateexecutiongroup command

  • Member of mqbrkrs.
  • If administration security is active, and if the authorization mode is mq, the user ID that the integration node runs under must be a member of the group mqm. If you do not want your integration node to run with mqm authority, you must work with your WebSphere MQ administrator to create or delete the appropriate authority queue when you create or delete an integration server.
Delete an integration server

mqsideleteexecutiongroup command

  • Member of mqbrkrs.
Configure integration servers to connect to IBM Cloud services

mqsichangebluemixreporting command

  • Member of mqbrkrs.
Report the current status and configuration of the IBM Cloud reporting function for integration servers

mqsireportbluemixreporting command

  • Member of mqbrkrs.
List integration nodes

mqsilist command

  • Member of mqbrkrs.
Show integration node properties

mqsireportproperties command

  • Member of mqbrkrs.
Change properties

mqsichangeproperties command

  • Member of mqbrkrs.
Set and update passwords

mqsisetdbparms command

  • Member of mqbrkrs.
List set parameters that are on an integration node

mqsireportdbparms command

  • Member of mqbrkrs.
Report or update an integration node mode

mqsimode command

  • Member of mqbrkrs.
Deploy an object to an integration node

mqsideploy command

  • Member of mqbrkrs.
Reload an integration node, integration servers or security

mqsireload command

  • Member of mqbrkrs.
Trace an integration node

mqsichangetrace command

  • Member of mqbrkrs.
Add the mqbrkrs group

mqsisetsecurity command

  • Root user.
Package a BAR file

mqsipackagebar command

  • Member of mqbrkrs.
  • The user ID must have WRITE access to the -w (root location), -a (BAR file location), and -v (trace file location) directories.
Create or modify a web user account

mqsiwebuseradmin command

  • Member of mqbrkrs.
Change the administration security authorization mode

mqsichangeauthmode command

  • Member of mqbrkrs.
  • If administration security is made active, and if the authorization mode is mq, the user ID that runs this command must be a member of the mqm group. If you do not want to run with mqm authority, you must work with your WebSphere MQ administrator to create or delete the appropriate authority queue prior to running the command. For information about creating the system queues, see Creating the default system queues on a WebSphere MQ queue manager.
Show the current administration security authorization mode

mqsireportauthmode command

  • Member of mqbrkrs.
Change file-based permissions

mqsichangefileauth command

  • Member of mqbrkrs.
Show the current file-based permissions

mqsireportfileauth command

  • Member of mqbrkrs.
User is... Command Used Local domain (WORKSTATION)
Running an integration node (WebSphere® MQ non-trusted application) (login ID).
  • Not applicable
  • Member of mqbrkrs.
  • The integration node runs under the login ID that started it.
Running an integration node (WebSphere MQ trusted application) (login ID).
  • Not applicable
  • Login ID must be mqm.
  • mqm must be a member of mqbrkrs.
Running an integration node (WebSphere MQ fast path on) (service user ID)
  • Not applicable
  • Member of mqbrkrs.
  • Member of mqm.

Ensure that mqbrkrs has access to all user-defined queues that you have defined for use by your message flows.

If you are using file-based administration security, use the mqsichangefileauth command to set permissions. If you are using queue-based security, you can use the setmqaut command.

If you are using queue-based security, complete the following steps:
  • Set the following permissions on all input queues:
    setmqaut -m INODE -n TEST_INPUT -t queue -g mqbrkrs +get +inq
  • Set the following permissions on all output queues:
    setmqaut -m INODE -n TEST_OUTPUT -t queue -g mqbrkrs +put +inq +setall
  • You might also need to add +passid +passall +setid +setall, depending on your requirements.
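
To confirm that the grants above are in place and that mqbrkrs holds nothing beyond them, the following added example (not IBM code) compares the output of dspmqaut with the authorities listed on this page. The function names are hypothetical, and the output layout that the parser expects (a header sentence followed by one indented authority per line) is an assumption; the sample text is constructed.

```shell
#!/bin/sh
# Added example (not IBM code): audit a group's queue authorities against
# the grants this page prescribes for message-flow queues.

# Authorities the page grants to mqbrkrs, by queue role.
expected_auths() {
  case "$1" in
    input)  echo "get inq" ;;
    output) echo "put inq setall" ;;
    *)      return 2 ;;
  esac
}

# Read dspmqaut-style text on stdin and print one authority per line.
# Assumed layout: a header sentence, then one indented keyword per line.
parse_auths() {
  awk 'NF == 1 && $1 ~ /^[a-z]+$/ { print $1 }' | sort -u
}

# audit_queue ROLE [EXTRA]   (dspmqaut-style text on stdin)
# EXTRA is a space-separated list of additional authorities you chose to
# grant (the page mentions passid, passall, setid). Prints "missing:<auth>"
# and "excess:<auth>" lines and returns 1 when the grants differ.
audit_queue() {
  base=$(expected_auths "$1") || return 2
  want=$(printf '%s\n' $base | sort -u)
  allowed=$(printf '%s\n' $base $2 | sort -u)
  have=$(parse_auths)
  missing=$(printf '%s\n' "$want" | grep -Fxv -e "$have" || true)
  excess=$(printf '%s\n' "$have" | grep -Fxv -e "$allowed" || true)
  rc=0
  for a in $missing; do echo "missing:$a"; rc=1; done
  for a in $excess;  do echo "excess:$a";  rc=1; done
  return $rc
}

# Constructed sample in the assumed dspmqaut layout (not from a real system).
sample_output_queue() {
  cat <<'EOF'
Entity mqbrkrs has the following authorizations for object TEST_OUTPUT:
        get
        put
        inq
EOF
}

# Real system: dspmqaut -m INODE -n TEST_OUTPUT -t queue -g mqbrkrs | audit_queue output
sample_output_queue | audit_queue output || true
```

An "excess" line marks an authority that the group holds but that is neither in the page's grant for that queue role nor in the EXTRA list you passed.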

ap08682_.htm | Last updated 2018-11-02 14:46:01