WebSphere Message Broker, Version 8.0.0.7 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Administration security overview

Broker administration security controls the rights of users to complete administrative tasks for a broker and its resources.

Broker administration security is an optional feature of the broker. When you create a broker, the default setting is that broker administration security is not enabled. You can specify an additional parameter to enable security when you create the broker. You can also change the status of the broker administration security after you have created the broker, and can therefore enable or disable it when appropriate.

When you have enabled broker administration security, set up security control by registering WebSphere® MQ permissions for specific user IDs. Permissions are recorded on authorization queues that are defined on the broker queue manager; these queues are described below.

When you create a broker, the queue SYSTEM.BROKER.AUTH is created. Read, write, and execute authorities are automatically granted to the user group mqbrkrs on this queue. This queue is created even if you do not enable security at this time.

If you enable security, the broker checks the authorizations that you have set up on this queue when it receives a request that views or changes its properties or resources. If the user ID associated with the request is not authorized, the broker refuses the request.

When you create an execution group on a broker for which you have enabled security, the execution group authorization queue SYSTEM.BROKER.AUTH.EG is created, where EG is the name of the execution group. Read, write, and execute authorities are automatically granted to the user group mqbrkrs on this queue.
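As an added example (not from the IBM documentation), the following POSIX shell helpers generate the setmqaut commands that grant a group read, write or execute authority on the broker-level and execution-group authorization queues, and audit dspmqaut output for the full set. The mapping of read/write/execute to the MQ authorities +inq/+put/+set comes from WebSphere Message Broker's authorization-queue documentation, not this page; the queue manager name BRKQM, the group wmbops and the dspmqaut sample lines are constructed.

```shell
#!/bin/sh
# Map WMB administration-security levels to the WebSphere MQ authorities
# that back them on the authorization queues (read -> +inq, write -> +put,
# execute -> +set; mapping from the WMB authorization-queue documentation).
wmb_mq_auths() {
  out=""
  for level in "$@"; do
    case "$level" in
      read)    out="$out +inq" ;;
      write)   out="$out +put" ;;
      execute) out="$out +set" ;;
      *) echo "unknown level: $level" >&2; return 1 ;;
    esac
  done
  printf '%s\n' "${out# }"
}

# Authorization queue name: SYSTEM.BROKER.AUTH for the broker itself,
# SYSTEM.BROKER.AUTH.<EG> for an execution group named <EG>.
wmb_auth_queue() {
  if [ -n "$1" ]; then printf 'SYSTEM.BROKER.AUTH.%s\n' "$1"
  else printf 'SYSTEM.BROKER.AUTH\n'; fi
}

# Emit (but do not run) the setmqaut command granting $2 the listed levels.
# $1 queue manager, $2 group, $3 execution group ("" for broker), $4.. levels
wmb_grant_cmd() {
  qm=$1; grp=$2; eg=$3; shift 3
  auths=$(wmb_mq_auths "$@") || return 1
  printf 'setmqaut -m %s -n %s -t queue -g %s %s\n' \
    "$qm" "$(wmb_auth_queue "$eg")" "$grp" "$auths"
}

# Audit helper: read dspmqaut output on stdin and succeed only if the entity
# holds all of inq, put and set (i.e. read, write and execute) on the queue.
wmb_has_full_auth() {
  have_inq=0; have_put=0; have_set=0
  while read -r tok; do
    case "$tok" in
      inq) have_inq=1 ;; put) have_put=1 ;; set) have_set=1 ;;
    esac
  done
  [ "$have_inq" -eq 1 ] && [ "$have_put" -eq 1 ] && [ "$have_set" -eq 1 ]
}

# Constructed demonstration: full rights for mqbrkrs on the broker queue,
# read-only for an operations group on execution group EG1.
wmb_grant_cmd BRKQM mqbrkrs "" read write execute
wmb_grant_cmd BRKQM wmbops EG1 read
```

Pipe real `dspmqaut -m BRKQM -n SYSTEM.BROKER.AUTH -t queue -g <group>` output into wmb_has_full_auth to find groups that hold execute authority on the broker queue.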

If you are migrating from WebSphere Message Broker Version 6.1, and you use Access Control Lists (ACLs) that you define to the Configuration Manager, you cannot migrate your ACLs directly to later versions of WebSphere Message Broker. Review the guidance provided in Migrating Configuration Manager ACLs to understand how to set up security by using the ACLs as a basis for security in your later WebSphere Message Broker environment.

See the following topics for more information about permissions and queues:

Authorization on z/OS

On z/OS®, WebSphere MQ uses the System Authorization Facility (SAF) to route requests for authority checks to an external security manager (ESM) such as the z/OS Security Server Resource Access Control Facility (RACF®). WebSphere MQ does no authority checks of its own. All information about broker administration security on z/OS assumes that you are using RACF as your ESM. If you are using a different ESM, you might need to interpret the information provided for RACF in a way that is relevant to your ESM.

If you are activating security on the WebSphere MQ queue manager on z/OS for the first time, you must set up the profiles or other resources that your ESM requires for access to queues. You must also check that the queue manager is configured to access the security profiles in the correct class: MQQUEUE for uppercase queue names and MXQUEUE for mixed-case queue names.

For further information about queue manager security and security profiles, see the z/OS System Administration Guide and z/OS System Setup Guide sections of the WebSphere MQ Version 7 Information Center online.

Authority checking

If you have activated broker administration security, all actions performed by users of the following interfaces are subject to authority checking:

  • WebSphere Message Broker Toolkit sessions
  • WebSphere Message Broker Explorer sessions
  • WebSphere Message Broker
  • Java™ programs that use the REST API to perform operations on the broker
  • Java programs that use the CMP API to perform operations on the broker
  • All the following commands:
    • mqsichangeresourcestats
    • mqsicreateexecutiongroup
    • mqsideleteexecutiongroup
    • mqsideploy
    • mqsilist
    • mqsimode
    • mqsireloadsecurity
    • mqsireportresourcestats
    • mqsistartmsgflow
    • mqsistopmsgflow
    • mqsiwebuseradmin

    For additional authorization required for these commands, see Commands and authorizations for broker administration security.

    All commands that are not listed here can be run only on the computer on which the broker is running. Either your user ID, or the ID under which the broker is running, must be a member of the security group mqbrkrs when you run the unlisted commands. Each command topic describes the authority that is required.

Users of the WebSphere Message Broker Explorer and WebSphere Message Broker Toolkit who do not have read, write, and execute authority for the broker or execution groups have only restricted access to those resources. An icon is displayed against each resource to indicate that the user's authority is restricted. The actions that the user can request against a resource are determined by the restricted authority that is in place for that user.

Authority persistence

If a user ID is granted authority to access a broker, the access is retained at least until the current connection or session is ended by one of the following events:

  • The user closes the WebSphere Message Broker Explorer or WebSphere Message Broker Toolkit session
  • The CMP API application disconnects from the BrokerProxy object

Even if you update or remove the authority for this user ID, the authorization does not change while the connection is active.

However, authorization is always checked for operations against execution groups and message flows; if you change or remove the authorization for a user ID to an execution group, subsequent requests in the current connection might fail.

Additional administration security

In your environment, a check on the user ID making a request might not provide a sufficient level of security. If you require a more secure solution, one or both of the following options are available:

  • You can enable SSL on a WebSphere MQ client connection between the source of the request (for example, the WebSphere Message Broker Explorer) and the target queue manager on which the broker is running.
  • You can configure your WebSphere MQ network so that certain types of users can be directed through a specific server connection (SVRCONN) channel, provided they comply with the CHLAUTH rules. For details of channel security, see the System Administration Guide section in the WebSphere MQ Version 7 Information Center online.

Copyright IBM Corporation 1999, 2016.

Last updated: 2016-05-23 14:48:24

