Granting the IBM MQ Agent access to queue manager resources

The IBM® MQ Agent MCP server needs access to your IBM MQ queue manager resources to fetch information. You grant this access by using standard IBM MQ APIs.

About this task

Because you use standard APIs, setting an authentication and authorization policy for the MCP server user is the same as for any other IBM MQ user. The IBM MQ Agent requires read-only access for querying configuration details, observing real-time object state, and diagnostic fault-finding. To do further work with a queue manager, the IBM MQ Agent requires additional access. For example, the agent needs permission to connect to a queue manager to send PCF commands to it and receive responses.

The example commands in this topic use the setmqaut command, which you can use on AIX®, Linux®, or Windows. On these operating systems, you can also use the SETAUTHREC command. For IBM i, use the GRTMQMAUT command. On z/OS®, use RACF® profiles. For examples on all operating systems, see Granting read-only access to all resources on a queue manager.

Note: Record the MCP server user name that you use; you will specify it when you deploy the IBM MQ Agent.

Procedure

  1. Decide on the queue managers that you want the IBM MQ Agent to work with, noting the following restrictions.
    • The number of queue managers that the IBM MQ Agent can work with is limited to 20 because higher numbers impact performance. If you exceed this limit, the IBM MQ Agent MCP server does not start and generates an error. If you want the IBM MQ Agent to work with more than 20 queue managers, you must deploy another instance of the IBM MQ Agent.
    • The IBM MQ Agent does not support the use of queue manager groups or duplicate queue manager names. The MCP server ignores these names.
    • The IBM MQ Agent does not support the use of asterisks in queue manager names. The IBM MQ Agent finds such names ambiguous when you use them in the chat assistant, and asks you to clarify.
  2. Grant access for the MCP server user to work with each queue manager.
    To work with a queue manager, the IBM MQ Agent needs to connect to the queue manager to put PCF commands and receive responses.
    1. Grant access for the MCP server user to connect to a queue manager to query configuration.
      The optional +ctrl parameter enables the IBM MQ Agent to access the queue manager error logs.
      For example:
      setmqaut -m <QMgrName> -t qmgr -g <MCPServerUserName> +connect +ctrl
    2. Grant put access for the MCP server user to put PCF messages to a queue manager's command queue to run read-only PCF commands.
      For example:
      setmqaut -m <QMgrName> -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g <MCPServerUserName> +dsp +inq +put
    3. Grant get access for the MCP server user to receive PCF responses from the queue manager.
      For example:
      setmqaut -m <QMgrName> -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g <MCPServerUserName> +dsp +get
  3. Grant access for the MCP server user to inspect dead-letter queues and transmission queues to enable the IBM MQ Agent to read messages to get header information.
    1. Grant access for the MCP server user to inspect the dead-letter queue for the queue manager so that the IBM MQ Agent can read a message to identify a dead-letter header.
      For example:
      setmqaut -m <QMgrName> -n <dead_letter_queue_name> -t queue -g <MCPServerUserName> +dsp +browse
    2. Grant access for the MCP server user to inspect transmission queues so that the IBM MQ Agent can read a message to identify a transmission queue header. (Alternatively, you could grant read-only access for all queue manager resources, as described in the next step.)
      For example:
      setmqaut -m <QMgrName> -n <transmission_queue_name> -t queue -g <MCPServerUserName> +dsp +browse
  4. Grant read-only access for the MCP server user to other queue manager resources.
    If you want to grant read-only access to all queue manager resources, follow the instructions in Granting read-only access to all resources on a queue manager, using the MCP server user for the GroupName. However, you need to grant access only to objects that you want the IBM MQ Agent to work with, which might be specific object types or individual objects.
    For example, run the following command to grant read-only access to an individual queue:
    setmqaut -m <QMgrName> -n <ApplicationQueueName> -t queue -g <MCPServerUserName> +dsp +browse
    Grant read-only access to an individual channel:
    setmqaut -m <QMgrName> -n <ApplicationChannelName> -t channel -g <MCPServerUserName> +dsp
    Grant read-only access to all queues:
    setmqaut -m <QMgrName> -n '**' -t queue -g <MCPServerUserName> +dsp +browse
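
The checks in step 1 and the grants in steps 2 and 3, as an added example that is not part of the IBM documentation: a dry-run script that validates the queue manager list and prints the setmqaut commands for review instead of running them. The function names, the mcpagent user, and the queue manager and queue names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check plus dry-run of the least-privilege grants.
# validate_qmgrs and emit_grants are hypothetical helper names.

MAX_QMGRS=20   # limit stated in step 1

# Flag lists that the MCP server would refuse, ignore, or find ambiguous.
validate_qmgrs() {
  if [ "$#" -gt "$MAX_QMGRS" ]; then
    echo "too many queue managers: $# > $MAX_QMGRS" >&2; return 1
  fi
  local seen=" " qm
  for qm in "$@"; do
    case "$qm" in
      *'*'*) echo "asterisk in name: $qm" >&2; return 1 ;;
    esac
    case "$seen" in
      *" $qm "*) echo "duplicate name: $qm" >&2; return 1 ;;
    esac
    seen="$seen$qm "
  done
}

# Print the grants for one queue manager.
# Usage: emit_grants USER QMGR DEAD_LETTER_QUEUE [TRANSMISSION_QUEUE...]
emit_grants() {
  local user="$1" qm="$2" dlq="$3" q
  shift 3
  # Step 2: connect, put PCF commands, get PCF responses.
  echo "setmqaut -m $qm -t qmgr -g $user +connect +ctrl"
  echo "setmqaut -m $qm -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g $user +dsp +inq +put"
  echo "setmqaut -m $qm -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g $user +dsp +get"
  # Step 3: browse-only on the dead-letter and transmission queues.
  for q in "$dlq" "$@"; do
    echo "setmqaut -m $qm -n $q -t queue -g $user +dsp +browse"
  done
}

# Constructed sample run: review the printed commands before running them.
if validate_qmgrs QM1 QM2; then
  for qm in QM1 QM2; do
    emit_grants mcpagent "$qm" "$qm.DLQ" "$qm.XMITQ"
  done
fi
```

Only the command queue line carries +put; every application-facing queue in the output is limited to +dsp +browse, which makes an over-broad grant easy to spot in review.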

What to do next

Proceed to Deploying the IBM MQ Agent into your cluster.