Authorization queues for broker administration security
If you have enabled broker administration security, the broker examines specific queues to determine if a user has the authority to complete a particular task against a broker or its resources.
When you create a broker, the queue SYSTEM.BROKER.AUTH is created. Read, write, and execute authorities are automatically granted to the user group mqbrkrs on this queue. This queue is created even if you do not enable security at this time.
The SYSTEM.BROKER.AUTH queue is created as a local queue, and is used to define which users are authorized to perform actions on the broker and the broker properties.
When you create an execution group on a broker for which you have enabled security, the execution group authorization queue SYSTEM.BROKER.AUTH.EG is created, where EG is the name of the execution group. Read, write, and execute authorities are automatically granted to the user group mqbrkrs on this queue. The dedicated execution group queues are created as aliases to the queue SYSTEM.BROKER.AUTH.
If you create a broker without administration security, you can change it later. If you have defined one or more execution groups on that broker when you change its security setting, the required execution group authorization queues are defined.
A queue can be created only by a user ID that is a member of the WebSphere® MQ security group mqm. Therefore, the user ID that creates or changes a broker, and the user ID under which the broker is running when an execution group is created, must be members of that security group. If the user ID does not have this authority, a message is returned to the command (for the mqsichangebroker command only), or written to the system log, with the error and the name of the queue. You must create the queue yourself, or ask your WebSphere MQ administrator to create it for you.
WebSphere MQ restricts the length of a queue name to 48 characters. Queue name characters must be in the En_US ASCII character set, and contain only uppercase and lowercase letters, digits, and the following special characters: period (.), forward slash (/), underscore (_), and percent (%). If the name of your execution group includes a character that is not valid, that character is replaced in the WebSphere MQ queue name by an underscore character. For example, if you create an execution group with the name test@environment, the authorization queue is created with the name SYSTEM.BROKER.AUTH.test_environment.
If you are running a secure environment, limit the names of your execution groups to 29 characters. This limit ensures that the authorization queue names generated, which include the prefix SYSTEM.BROKER.AUTH, do not exceed the WebSphere MQ limit of 48 characters.
If your execution group names do not all conform to the length and character requirements, execution groups with similar names might result in a shared authorization queue. If this situation occurs, a warning message is returned to the user that issued the command, or is written to the system log, when the second execution group is created to state that the queue is shared.
When you delete an execution group, its associated authorization queue is retained. The queue is deleted if you specify the appropriate parameter when you delete the broker. The queue can be reused if you re-create the execution group, but you must check the authorities that you have defined on the queue to ensure that they are still valid.
If you rename an execution group, you must first create an authorization queue with the appropriate name. You must also re-create the WebSphere MQ permissions associated with the original authorization queue on this queue before you rename the execution group; the broker does not perform this task on your behalf. The broker rejects the rename request if the authorization queue does not exist, to ensure that security is not affected by the renaming. If you do not re-create these permissions, no user IDs are authorized to perform a task against the renamed execution group.
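The naming and collision rules above (invalid characters replaced by underscores, the 48-character queue name limit, the resulting 29-character execution group limit, and the shared-queue warning) and the rename precondition (the authorization queue for the new name must already exist) can be checked before security is enabled or an execution group is renamed. The following Python script is an added example written for this page; it is not IBM code and does not talk to a queue manager. It models the documented derivation of queue names and makes one labelled assumption: that a derived name longer than 48 characters is truncated to the limit, which is how over-length names end up sharing a queue.

```python
import re
from collections import defaultdict

# Prefix the broker puts in front of every execution group authorization queue.
AUTH_QUEUE_PREFIX = "SYSTEM.BROKER.AUTH."                      # 19 characters
MQ_QUEUE_NAME_LIMIT = 48                                       # WebSphere MQ queue name limit
EG_NAME_LIMIT = MQ_QUEUE_NAME_LIMIT - len(AUTH_QUEUE_PREFIX)   # 29, the limit the page recommends

# Any character outside letters, digits, period, forward slash, underscore and
# percent is not valid in a queue name and is replaced by an underscore.
INVALID_QUEUE_CHAR = re.compile(r"[^A-Za-z0-9./_%]")


def auth_queue_name(eg_name: str) -> str:
    """Return the authorization queue name derived from an execution group name.

    Model of the documented behaviour: invalid characters become '_'.
    Assumption (not stated on the page): a name that would exceed 48 characters
    is truncated to the MQ limit, which is why over-length names can collide.
    """
    sanitized = INVALID_QUEUE_CHAR.sub("_", eg_name)
    return (AUTH_QUEUE_PREFIX + sanitized)[:MQ_QUEUE_NAME_LIMIT]


def audit_execution_groups(eg_names):
    """Flag names that break the rules and find authorization queues that would be shared.

    Returns (warnings, shared): warnings is a list of strings; shared maps each
    authorization queue name to the execution groups that would share it.
    """
    warnings = []
    groups_by_queue = defaultdict(list)
    for name in eg_names:
        if len(name) > EG_NAME_LIMIT:
            warnings.append(f"{name!r}: longer than {EG_NAME_LIMIT} characters; "
                            f"derived queue name will be truncated")
        if INVALID_QUEUE_CHAR.search(name):
            warnings.append(f"{name!r}: contains characters not valid in a queue name; "
                            f"they are replaced by '_'")
        groups_by_queue[auth_queue_name(name)].append(name)
    shared = {queue: egs for queue, egs in groups_by_queue.items() if len(egs) > 1}
    return warnings, shared


def rename_is_permitted(new_eg_name: str, existing_queues) -> bool:
    """The broker rejects a rename unless the queue for the new name already exists."""
    return auth_queue_name(new_eg_name) in set(existing_queues)


if __name__ == "__main__":
    # Constructed sample: two names that differ only in an invalid character, and
    # two long names that differ only after the 29th character.
    sample = [
        "default",
        "test@environment",
        "test#environment",
        "OrderProcessingExecutionGroup_Production_A",
        "OrderProcessingExecutionGroup_Production_B",
    ]
    warnings, shared = audit_execution_groups(sample)
    for w in warnings:
        print("WARNING:", w)
    for queue, egs in shared.items():
        print(f"SHARED: {queue} <- {egs}")
    # Constructed list of queues assumed to exist on the queue manager.
    existing = {"SYSTEM.BROKER.AUTH", "SYSTEM.BROKER.AUTH.default"}
    print("rename to 'billing' permitted:", rename_is_permitted("billing", existing))
```

Run the audit against your planned execution group names before enabling administration security; any entry under SHARED means two execution groups would be governed by one set of WebSphere MQ authorities, and any name flagged for length or characters should be shortened or renamed so that each execution group gets its own queue.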
When you delete a broker, you can specify that all its authorization queues are also deleted; they are not deleted by default. If you specify that the queue manager is deleted at this time, all queues are deleted.