WebSphere Message Broker, Version 8.0.0.7
Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

Migrating Configuration Manager ACLs

If you are migrating from WebSphere® Message Broker Version 6.1, you can use the Access Control Lists (ACLs) that you set up in the Configuration Manager as the basis for your security model in WebSphere Message Broker Version 8.0.

Before you start:

Administration security for a broker in WebSphere Message Broker Version 8.0 is disabled by default. Because no security details are migrated, security is disabled when you migrate a broker from a previous version, even if you had set up security in that version.

The Configuration Manager has been removed as a result of the architectural and security model changes that were made in Version 7.0; the commands that controlled this component and its ACLs have therefore been removed:

  • mqsichangeconfigmgr
  • mqsicreateconfigmgr
  • mqsideleteconfigmgr
  • mqsireportconfigmgr
  • mqsicreateaclentry
  • mqsideleteaclentry
  • mqsilistaclentry

Although you can use the ACLs that you set up in previous versions as the basis for your security model in Version 8.0, you might choose to reconsider your security model, and set up different levels of control that match the facilities available in this version.

If you choose to use your existing ACLs as a basis for your security model in Version 8.0, consider the following factors:

  • You can obtain a list of existing ACLs maintained by your Configuration Manager by running the mqsilistaclentry command in your Version 6.1 installation, because the command is not available in Version 8.0.
  • You can migrate existing groups, users, or both, subject to the following factors:
    • You must define the user ID on the same computer as the queue manager associated with the Version 8.0 broker.
    • On Linux and UNIX systems, you can grant authority only to the primary group of a user. All users that you have defined with the same primary group automatically get the same level of security access. You must therefore consider the membership of all your groups to ensure that you give the required level of control to each user.
  • You can grant only broker and execution level authorities for Version 8.0 brokers.
  • If you grant read, write, and execute authority to a user ID for a Version 8.0 broker, this permission is equivalent to full control access in previous versions.
  • If you grant read authority to a user ID for a Version 8.0 broker, this permission is equivalent to view access in previous versions.
  • Check the authority that write and execute permissions grant for a Version 8.0 broker to determine the best match for edit and deploy access levels in previous versions.
  • Although you can set up access for a particular computer or domain name in previous versions, you can use only user IDs and groups in Version 8.0. If you want to establish a more secure environment, consider the use of WebSphere MQ security exits and SSL.
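
The primary-group rule above means that a grant sized for one user reaches every user who shares that primary group. The following Python sketch is an added example, not IBM code: it applies the two equivalences stated above to constructed (user, primary group, Version 6.1 access level) records and reports who would gain authority they did not have before. The function name, record layout, and sample accounts are assumptions.

```python
from collections import defaultdict

# Equivalences stated on this page. "edit" and "deploy" have no stated
# match, so they are flagged for manual review instead of being guessed.
LEVEL_TO_V8 = {
    "full": frozenset({"read", "write", "execute"}),
    "view": frozenset({"read"}),
}

def plan_group_grants(entries):
    """entries: iterable of (user, primary_group, old_level or None).

    Returns {group: {"grant": [...], "review": [...], "over_granted": {...}}}.
    """
    by_group = defaultdict(list)
    for user, group, level in entries:
        by_group[group].append((user, level))

    plan = {}
    for group, members in by_group.items():
        needs, review = {}, []
        for user, level in members:
            if level in ("edit", "deploy"):
                review.append(user)   # mapping must be decided by hand
                needs[user] = None
            else:
                needs[user] = LEVEL_TO_V8.get(level, frozenset())
        # Authority goes to the primary group, so the group needs the union
        # of its members' needs (a lower bound while entries await review).
        grant = frozenset().union(*(n for n in needs.values() if n is not None))
        # Members whose own need is smaller than the group grant gain access.
        over = {u: sorted(grant - n) for u, n in needs.items()
                if n is not None and grant - n}
        plan[group] = {"grant": sorted(grant), "review": review,
                       "over_granted": over}
    return plan

# Constructed sample: users, primary groups and Version 6.1 access levels.
SAMPLE = [
    ("alice", "mbadmin", "full"),
    ("bob",   "mbadmin", "view"),
    ("carol", "mbadmin", None),      # had no ACL entry in Version 6.1
    ("dave",  "mbops",   "deploy"),
    ("erin",  "mbops",   "view"),
]

if __name__ == "__main__":
    for group, result in plan_group_grants(SAMPLE).items():
        print(group, result)
```

Any user listed under `over_granted` is a candidate for a different primary group before authorities are granted.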

To set up authorization for your Version 8.0 broker, complete the following steps.

  1. Review the authorizations that are required for specific tasks and commands. Details are provided in Tasks and authorizations for administration security and Commands and authorizations for broker administration security.
  2. Grant the authorities that your users require.

Next: Start the broker in the WebSphere Message Broker Explorer, or run the mqsistart command.
Copyright IBM Corporation 1999, 2016.

Last updated: 2016-05-23 14:48:25

Task topic | Version 8.0.0.7 | bp43550_