IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

Authorization queues for broker administration security

If you have enabled broker administration security, the broker examines specific queues to determine if a user has the authority to complete a particular task against a broker or its resources.

When you create a broker, the queue SYSTEM.BROKER.AUTH is created. Read, write, and execute authorities are automatically granted to the user group mqbrkrs on this queue. This queue is created even if you do not enable security at this time.

The SYSTEM.BROKER.AUTH queue is created as a local queue, and is used to define which users are authorized to perform actions on the broker and the broker properties.

When you create an integration server on a broker for which you have enabled security, the integration server authorization queue SYSTEM.BROKER.AUTH.EG is created, where EG is the name of the integration server. Read, write, and execute authorities are automatically granted to the user group mqbrkrs on this queue. The dedicated integration server queues are created as aliases to the queue SYSTEM.BROKER.AUTH.

If you create a broker without administration security, you can change it later. If you have defined one or more integration servers on that broker when you change its security setting, the required integration server authorization queues are defined.

A queue can be created only by a user ID that is a member of the WebSphere® MQ security group mqm. Therefore, the user ID that creates or changes a broker, and the user ID under which the broker is running when an integration server is created, must be a member of that security group. If the user ID does not have this authority, a message is returned to the command (for the mqsichangebroker command only), or written to the system log, with the error and the name of the queue. You must create the queue yourself, or ask your WebSphere MQ administrator to create it for you.

WebSphere MQ restricts the length of a queue name to 48 characters. Queue name characters must be in the En_US ASCII character set, and contain only uppercase and lowercase letters, digits, and the following special characters: period (.), forward slash (/), underscore (_), and percent (%). If the name of your integration server includes a character that is not valid, that character is replaced in the WebSphere MQ queue name by an underscore character. For example, if you create an integration server with the name test@environment, the authorization queue is created with the name SYSTEM.BROKER.AUTH.test_environment.

If you are running a secure environment, limit the names of your integration servers to 29 characters. This limit ensures that the authorization queue names generated, which include the prefix SYSTEM.BROKER.AUTH, do not exceed the WebSphere MQ limit of 48 characters.

If your integration server names do not all conform to the length and character requirements, integration servers with similar names might result in a shared authorization queue. If this situation occurs, a warning message is returned to the user that issued the command, or is written to the system log, when the second integration server is created to state that the queue is shared.
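The following is an added example, not IBM's own code: a small Python pre-flight check that derives the authorization queue name the way the text describes (invalid characters replaced by an underscore, prefixed with SYSTEM.BROKER.AUTH) and reports integration server names whose queue name would exceed the 48-character WebSphere MQ limit or would collide on a shared authorization queue. The integration server names in the sample run are constructed.

```python
import re
from collections import defaultdict

QUEUE_PREFIX = "SYSTEM.BROKER.AUTH"
MQ_QUEUE_NAME_MAX = 48
# 48 minus "SYSTEM.BROKER.AUTH." (19 characters) leaves the 29-character
# integration server name limit that the text recommends.
SAFE_SERVER_NAME_MAX = MQ_QUEUE_NAME_MAX - len(QUEUE_PREFIX) - 1

# Characters permitted in a WebSphere MQ queue name, per the text.
VALID_CHAR = re.compile(r"[A-Za-z0-9._/%]")


def auth_queue_name(server_name: str) -> str:
    """Derive the authorization queue name for an integration server.
    Each character outside the MQ queue-name set becomes '_', so
    test@environment -> SYSTEM.BROKER.AUTH.test_environment."""
    sanitized = "".join(c if VALID_CHAR.fullmatch(c) else "_" for c in server_name)
    return f"{QUEUE_PREFIX}.{sanitized}"


def check_server_names(server_names):
    """Report the queue each server maps to, servers whose queue name is
    over the MQ limit, and queues that more than one server would share.
    Over-length names are only flagged: the page does not say how the
    broker shortens them, so no truncation is modelled here."""
    by_queue = defaultdict(list)
    too_long = []
    for name in server_names:
        queue = auth_queue_name(name)
        by_queue[queue].append(name)
        if len(queue) > MQ_QUEUE_NAME_MAX:
            too_long.append(name)
    shared = {q: names for q, names in by_queue.items() if len(names) > 1}
    return {
        "queues": {n: auth_queue_name(n) for n in server_names},
        "too_long": too_long,
        "shared": shared,
    }


if __name__ == "__main__":
    # Constructed sample: two names that differ only in an invalid character.
    report = check_server_names(["test@environment", "test#environment", "default"])
    for queue, names in report["shared"].items():
        print(f"WARNING: {queue} would be shared by {names}")
```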

When you delete an integration server, its associated authorization queue is retained. The queue is deleted if you specify the appropriate parameter when you delete the broker. The queue can be reused if you re-create the integration server, but you must check the authorities that you have defined on the queue to ensure that they are still valid.

If you rename an integration server, you must first create an authorization queue with the appropriate name. You must also re-create the WebSphere MQ permissions associated with the original authorization queue on this queue before you rename the integration server; the broker does not perform this task on your behalf. The broker rejects the rename request if the authorization queue does not exist, to ensure that security is not affected by the renaming. If you do not re-create these permissions, no user IDs are authorized to perform a task against the renamed integration server.

When you delete a broker, you can specify that all its authorization queues are also deleted; they are not deleted by default. If you specify that the queue manager is deleted at this time, all queues are deleted.


bp43520_.htm | Last updated Friday, 21 July 2017