Authorization service on IBM i

The authorization service is an installable service that enables queue managers to invoke authorization facilities, for example, checking that a user ID has authority to open a queue.

This service is a component of the IBM MQ security enabling interface (SEI), which is part of the IBM MQ framework. The following subjects are discussed:

Object authority manager (OAM)
Defining the service to the operating system
Configuring authorization service stanzas
Authorization service interface on IBM i

Object authority manager (OAM)

The authorization service component supplied with the IBM MQ products is called the object authority manager (OAM). By default, the OAM is active and works with the following control commands:

WRKMQMAUT work with authority
WRKMQMAUTD work with authority data
DSPMQMAUT display object authority
GRTMQMAUT grant object authority
RVKMQMAUT revoke object authority
RFRMQMAUT refresh security

The syntax of these commands and how to use them are described in the CL command help. The OAM works with the entity of a principal or group.

When an MQI request is made or a command is issued, the OAM checks the authorization of the entity associated with the operation to see whether it can do the following actions:

Perform the requested operation.
Access the specified queue manager resources.

The authorization service enables you to augment or replace the authority checking provided for queue managers by writing your own authorization service component.

Defining the service to the operating system

The authorization service stanzas in the queue manager configuration file qm.ini define the authorization service to the queue manager. See Configuring services and components on IBM i for information about the types of stanza.

Configuring authorization service stanzas

On IBM MQ for IBM i:

Principal: Is an IBM i system user profile.
Group: Is an IBM i system group profile.

Authorizations can be granted or revoked at the group level only. A request to grant or revoke a user's authority updates the primary group for that user.

Each queue manager has its own queue manager configuration file. For example, the default path and file name of the queue manager configuration file for queue manager QMNAME is /QIBM/UserData/mqm/qmgrs/QMNAME/qm.ini.

The Service stanza and the ServiceComponent stanza for the default authorization component are added to qm.ini automatically, but can be overridden by WRKENVVAR. Any other ServiceComponent stanzas must be added manually.

For example, the following stanzas in the queue manager configuration file define two authorization service components:

Figure 1. Authorization service stanzas in qm.ini on IBM i

Service:
    Name=AuthorizationService
    EntryPoints=7

ServiceComponent:
    Service=AuthorizationService
    Name=MQ.UNIX.authorization.service
    Module=QMQM/AMQZFU
    ComponentDataSize=0

ServiceComponent:
    Service=AuthorizationService
    Name=user.defined.authorization.service
    Module=LIBRARY/SERVICE PROGRAM NAME
    ComponentDataSize=96

The first service component stanza MQ.UNIX.authorization.service defines the default authorization service component, the OAM. If you remove this stanza and restart the queue manager, the OAM is disabled and no authorization checks are made.