WebSphere Message Broker, Version 8.0.0.7 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

See information about the latest product version

Authorizing access to user databases

When you have created a user database, you must authorize the broker and its execution groups to access it.

Before you start: create the databases.

Use the mqsisetdbparms command to specify a user ID and password that the broker can use to access each database. If you want to define a default user ID and password that the broker can use if you have not defined specific values for a particular database, run the mqsisetdbparms command and set the ResourceName to the value dsn::DSN with your chosen default user ID and password.

If you have migrated your broker from a previous release, the broker accessed a database for its own use, and you might have defined the user ID and password used to access that database by specifying a database connection user ID and password with the -u and -p parameters on the mqsicreatebroker command. Alternatively, you might have used the broker service user ID and its password (specified with the -i and -a parameters on the same command). When you migrate the broker, these parameters are migrated and stored, and are used by the migrated broker for access to databases that do not have specific ID access defined.

The following values and order of preference are used by the broker:

  1. First, on all platforms: The user ID and password that you have set for the specific database, by using the mqsisetdbparms and specifying the database in the -n parameter.
  2. Second, on all platforms: The user ID and password that you have set for all other databases, by using the mqsisetdbparms and specifying dsn::DSN in the -n parameter.
  3. Third, the values are platform-specific:
    1. Windows platformOn Windows: The broker service ID and password that you specified on the mqsicreatebroker command.
    2. Linux platformUNIX platformOn Linux and UNIX: The user ID mqsiUser and password ******** (these values are fixed).
    3. z/OS platformOn z/OS®: The user ID "" and password "", which cause the connection to be made with the broker started task user ID.

On z/OS only, if you do not specify a password when you specify dsn::DSN in the -n parameter, the broker connects to the DB2® database with its started task user ID. The broker uses the user ID that you have specified on the command when it creates a fully-qualified SQL statement, such as in ESQL, for stored procedures. For non-stored procedure SQL statements, where the schema is not specified, DB2 uses the CURRENTSQLID value. If you have not specified a CURRENTSQLID value, the broker uses the user ID that you specified on the mqsisetdbparms command. If you have not provided a user ID by using that command, DB2 uses the broker started task ID. If you want to check what user ID you set, or test that the password for a specific user ID is what you expect, you can use the mqsireportdbparms command.

The user ID that the broker uses to access databases must have the following authorizations:
  • The user ID must be authorized to connect to the database.
  • The user ID must have appropriate privileges on the user database objects that are accessed by the message flow; for example, tables, procedures, and indexes.

If you expect to deploy message flows that participate in globally coordinated transactions to a broker, you must provide additional authorization. For more information, see Configuring databases for global coordination of transactions.

The way that you authorize access depends on the database manager that you are using, and the platform on which you have created the database. The instructions might also vary from release to release of a single database. Consult your database administrator, or see the documentation for the appropriate database when you perform this task.

The following sections provide examples of the steps that you can take to provide the required authorization for specific databases:

DB2 authorization

To authorize access to a DB2 database, you can use either the DB2 Control Center or the DB2 command line:

  • To use the DB2 Control Center:
    1. Start the DB2 Control Center.
    2. Expand the object tree until you find the database that you created.
    3. Expand the tree under the database then click the User and Group Objects folder. The DB Users and DB Groups folders are displayed in the right pane.
    4. In the right pane, right-click the DB Users folder then click Add. The Add User notebook opens.
    5. From the list, click the user ID that you want to authorize to access the database (for example, mqsiuid). The user ID that you select must be the user ID that you specify to be used for access to this database when you run the mqsisetdbparms command. The user ID must exist on the operating system before you can select it; if it does not exist, define the user ID on the operating system.
    6. Select the appropriate options from the choices in the dialog box that is labeled Choose the appropriate authorities to grant to the selected user for the database. The following options are available:
      • Connect database
      • Create tables
      • Create packages
      • Register functions to run in database manager process
    7. Click OK. The authorities are granted. The dialog box closes.
    8. Close the DB2 Control Center.
  • To use the DB2 command line:
    1. Open a DB2 command window.
    2. Connect to the database with a user ID that has DB2 system administration (SYSADM or DBADM) authority. Substitute the correct database and ID in the following example command:
      db2 connect to broker_db user SysAd_id
    3. Run the following command to grant the required privileges to the user ID that the broker will use to connect to the database. Substitute the correct ID for your broker in the following example command, if you are not using mqsiuid:
      db2 grant connect, createtab, bindadd, create_external_routine on 
         database to user mqsiuid
Next: If you have been following the instructions in Working with databases, the next task is Configuring databases for global coordination of transactions.

Oracle authorization

You must have database administrator (DBA) privileges to authorize access to an Oracle database.

To authorize access to an Oracle database:

  1. Log on as the Oracle database administrator (DBA) to the database using SQL*Plus.
  2. Modify the privileges of the user ID that you have specified for database connection to ensure that the broker can successfully access the database.
  3. If appropriate, increase the quota (disk space) available for table spaces associated with this database.
Next: If you have been following the instructions in Working with databases, the next task is Configuring databases for global coordination of transactions.
Notices | Trademarks | Downloads | Library | Support | Feedback

Copyright IBM Corporation 1999, 2016Copyright IBM Corporation 1999, 2016.

        
        Last updated:
        
        Last updated: 2016-05-23 14:47:06


Task topicTask topic | Version 8.0.0.7 | ah14460_