See information about the latest product version
Security for the WebSphere Message Broker Toolkit and WebSphere Message Broker Explorer
What to consider when you set up security for the WebSphere® Message Broker Toolkit and WebSphere Message Broker Explorer.
When you create a broker, a default SVRCONN channel, SYSTEM.BKR.CONFIG, is created. This channel supports connections from one or more remote clients to the broker. Clients that are running on the same computer as the broker connect directly to the queue manager; they do not require a connection through a channel.
If you enable security, then, by default, the user ID that is used to run the WebSphere Message Broker Toolkit and the WebSphere Message Broker Explorer is passed to the broker (in the WebSphere MQ header) and used for authorization. For information about authorizations for administration applications, see Tasks and authorizations for administration security.
You can override the default behavior by specifying a user ID to be used for authorization in the MCAUSER attribute on the SVRCONN channel. If you set the MCAUSER attribute, then any incoming request from the WebSphere Message Broker Toolkit or the WebSphere Message Broker Explorer is processed by the broker as if it was made by the user that is specified in the MCAUSER attribute, instead of the user that is running the WebSphere Message Broker Toolkit or the WebSphere Message Broker Explorer.
Ensure that user IDs are not more than eight characters long.
If you want to secure the connection between your WebSphere Message Broker Toolkit session, or WebSphere Message Broker Explorer session, and the broker, you can configure the SVRCONN channel to specify security options.
You can use a single channel for all client connections, create a channel for each client connection, or share connections between two or more clients that have the same security requirements. You can use the default channel, and create additional channels if required. If you do not use the default channel, you must set the alternative name in the connection properties.
You can secure the connection between the WebSphere Message Broker Explorer, the WebSphere Message Broker Toolkit, a command that uses the CMP interface (mqsichangeresourcestats, mqsicreateexecutiongroup, mqsideleteexecutiongroup, mqsideploy, mqsilist, mqsimode, mqsireloadsecurity, mqsireportresourcestats, mqsistartmsgflow, mqsistopmsgflow), or a CMP application, by using one or both of the following options:
- Create and enable a pair of WebSphere MQ channel security exits to run at the client and broker ends of the SVRCONN channel that connects the two components. For information about defining security exits, see Security exits.
- Implement Secure Socket Layer (SSL) security on the SVRCONN channel. For information about enabling SSL, see Enabling SSL on the WebSphere MQ Java Client.