MQTT client identity and authorization
Use the client ID, Username, or a common client identity for authorization to access IBM® MQ objects.
The IBM MQ administrator has three choices for selecting the identity of the MQTT channel. The administrator makes the choice when defining or modifying the MQTT channel used by the client. The identity is used to authorize access to IBM MQ topics. The choice is made in the following order:
1. The client ID (see USECLNTID).
2. An identity the administrator provides for the channel (the MCAUSER of the channel; see MCAUSER).
3. If neither of the previous choices applies, the Username passed from the MQTT client (Username is an attribute of the MqttConnectOptions class. It must be set before the client connects to the service. Its default value is null).
Avoid trouble: The identity chosen by this process is thereafter referred to, for example by the DISPLAY CHSTATUS (MQTT) command, as the MCAUSER of the client. Be aware that this is not necessarily the same identity as the MCAUSER of the channel that is referred to in choice (2).
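The selection order above, written out as an added example (not IBM code) that resolves the identity for a few constructed channel definitions and marks whether it comes from the administrator or from the connecting client. The class, function, and channel names are hypothetical; treating a blank MCAUSER as "not set" is an assumption, and the case where no rule applies is reported as undetermined because the page does not cover it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

SRC_CLIENT_ID = "client ID (USECLNTID)"
SRC_MCAUSER = "channel MCAUSER"
SRC_USERNAME = "Username (MqttConnectOptions)"
SRC_NONE = "undetermined"  # the page does not describe this case


@dataclass
class MqttChannel:
    """Hypothetical model of the two channel attributes the page names."""
    name: str
    use_clnt_id: bool = False  # USECLNTID
    mcauser: str = ""          # MCAUSER; blank is treated as not set (assumption)


def effective_identity(channel: MqttChannel, client_id: str,
                       username: Optional[str]) -> Tuple[Optional[str], str]:
    """Apply the page's order: client ID, then channel MCAUSER, then Username."""
    if channel.use_clnt_id:
        return client_id, SRC_CLIENT_ID
    if channel.mcauser.strip():
        return channel.mcauser.strip(), SRC_MCAUSER
    if username is not None:  # Username defaults to null on the client
        return username, SRC_USERNAME
    return None, SRC_NONE


def audit(channels: List[MqttChannel], client_id: str, username: Optional[str]):
    """Return (channel, identity, source, client_supplied) for each channel."""
    rows = []
    for ch in channels:
        ident, source = effective_identity(ch, client_id, username)
        rows.append((ch.name, ident, source, source in (SRC_CLIENT_ID, SRC_USERNAME)))
    return rows


# Constructed sample channel definitions, not taken from a real queue manager.
SAMPLE_CHANNELS = [
    MqttChannel("MQTT.BY.CLIENTID", use_clnt_id=True, mcauser="MQTTClient"),
    MqttChannel("MQTT.FIXED", mcauser="MQTTClient"),
    MqttChannel("MQTT.BY.USERNAME"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_CHANNELS, client_id="sensor-17", username="alice"):
        print(row)
```

The first sample channel shows the situation the note above warns about: the channel has an MCAUSER defined, yet the identity used for authorization is the client ID.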
Use the IBM MQ setmqaut command to select which objects, and which actions, are authorized to be used by the identity associated with the MQTT channel. For example, the following code authorizes a channel identity MQTTClient, provided by the administrator of queue manager QM1:
setmqaut -m QM1 -t q -n SYSTEM.MQTT.TRANSMIT.QUEUE -p MQTTClient -all +put
setmqaut -m QM1 -t topic -n SYSTEM.BASE.TOPIC -p MQTTClient -all +pub +sub