Secure the WebSphere MQ resources that your configuration requires.

WebSphere Business Integration Message Broker depends on a number of WebSphere MQ resources to operate successfully. You must control access to these resources to ensure that the product components can access the resources on which they depend, and that these same resources are protected from other users.

Some authorizations are granted on your behalf when commands are issued. Others depend on the configuration of your broker domain.
- When you issue the command mqsicreatebroker, it grants put and get authority on your behalf to the group mqbrkrs for the following queues:
  - SYSTEM.BROKER.ADMIN.QUEUE
  - SYSTEM.BROKER.CONTROL.QUEUE
  - SYSTEM.BROKER.EXECUTIONGROUP.QUEUE
  - SYSTEM.BROKER.EXECUTIONGROUP.REPLY
  - SYSTEM.BROKER.INTERBROKER.QUEUE
  - SYSTEM.BROKER.MODEL.QUEUE
- When you issue the command mqsicreateconfigmgr:
  - It grants put and get authority on your behalf to the group mqbrkrs for the following queues:
    - SYSTEM.BROKER.CONFIG.QUEUE
    - SYSTEM.BROKER.CONFIG.REPLY
    - SYSTEM.BROKER.ADMIN.REPLY
    - SYSTEM.BROKER.SECURITY.REPLY
    - SYSTEM.BROKER.MODEL.QUEUE
  - It grants put and get authority on your behalf to the groups mqbrdevt, mqbrasgn, mqbrops, and mqbrtpic for the following queues:
    - SYSTEM.BROKER.CONFIG.QUEUE
    - SYSTEM.BROKER.CONFIG.REPLY
- When you issue the command mqsicreateusernameserver, it grants put and get authority on your behalf to the group mqbrkrs for the following queues:
  - SYSTEM.BROKER.SECURITY.QUEUE
  - SYSTEM.BROKER.MODEL.QUEUE
- When you issue the command mqsicreateaclgroup, it grants put and get authority on your behalf to the group or user that you have specified for the command parameters -p or -u for the following queues:
  - SYSTEM.BROKER.CONFIG.QUEUE
  - SYSTEM.BROKER.CONFIG.REPLY
- If you have created WebSphere Business Integration Message Broker components
to run on different queue managers, the transmission queues that you define
to handle the message traffic between the queue managers must have put and
setall authority granted to the local mqbrkrs group,
or to the service user ID of the component supported by the queue manager
on which the transmission queue is defined.
- When you start the workbench, it connects
to the Configuration Manager using a WebSphere MQ client/server
connection. For details of WebSphere MQ channel
security refer to "Setting up WebSphere MQ client
security" in the WebSphere MQ Clients book.
- When you create and deploy a message flow, grant:
  - get and inq authority to each input queue identified in an MQInput node, for the broker's ServiceUserID.
  - put and inq authority to each output queue identified in an MQOutput node, or by an MQReply node, for the broker's ServiceUserID.
  - get authority to each output queue identified in an MQOutput node or an MQReply node to the user ID under which a receiving or subscribing client application runs.
  - put authority to each input queue identified in an MQInput node to the user ID under which a sending or publishing client application runs.
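
The message flow and transmission queue grants listed above can be written out as WebSphere MQ setmqaut commands. The script below is an added example, not part of the original documentation: it only prints the commands for review, and the queue manager, user ID and queue names in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not IBM's code: prints (never runs) setmqaut commands.
# BRK1.QM, brkrsvc, appsend, apprecv and the queue names are constructed.

# emit_grant QMGR QUEUE -p|-g ENTITY AUTH...
# Refuses names outside the WebSphere MQ object-name character set so a
# pasted queue name cannot smuggle shell syntax into the printed command.
emit_grant() {
    g_qmgr=$1; g_queue=$2; g_flag=$3; g_entity=$4; shift 4
    for g_name in "$g_qmgr" "$g_queue"; do
        case $g_name in
            ''|*[!A-Za-z0-9._/%]*)
                echo "invalid MQ object name: $g_name" >&2; return 1 ;;
        esac
    done
    g_auths=""
    for g_a in "$@"; do g_auths="$g_auths +$g_a"; done
    printf 'setmqaut -m %s -n %s -t queue %s %s%s\n' \
        "$g_qmgr" "$g_queue" "$g_flag" "$g_entity" "$g_auths"
}

# flow_grants QMGR SERVICE_USER SENDER RECEIVER "IN_QUEUES" "OUT_QUEUES"
flow_grants() {
    f_qmgr=$1; f_svc=$2; f_send=$3; f_recv=$4; f_in=$5; f_out=$6
    for f_q in $f_in; do      # queues named in MQInput nodes
        emit_grant "$f_qmgr" "$f_q" -p "$f_svc" get inq || return 1
        emit_grant "$f_qmgr" "$f_q" -p "$f_send" put || return 1
    done
    for f_q in $f_out; do     # queues named in MQOutput or MQReply nodes
        emit_grant "$f_qmgr" "$f_q" -p "$f_svc" put inq || return 1
        emit_grant "$f_qmgr" "$f_q" -p "$f_recv" get || return 1
    done
}

# xmitq_grant QMGR XMITQ: transmission queue, local mqbrkrs group
xmitq_grant() {
    emit_grant "$1" "$2" -g mqbrkrs put setall
}

# Demo with constructed names; review the output before running any of it.
flow_grants BRK1.QM brkrsvc appsend apprecv "ORDERS.IN" "ORDERS.OUT ORDERS.REPLY"
xmitq_grant BRK1.QM BRK2.QM
```

On UNIX systems of this WebSphere MQ generation a -p grant is recorded against the user's primary group, so confirm the resulting authority with dspmqaut after applying the commands.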