Preventing security access checks on Windows, UNIX and Linux® systems

Note: This topic describes functionality that is not recommended to be enabled. To turn off security checking you can disable the OAM. This might be suitable for a test environment. When disabled, the queue manager is no longer be able to perform authorization or connection authentication checks. TLS, Channel Authentication records, and security exits can still be used. Having disabled or removed the OAM, you cannot add an OAM to an existing queue manager.

If you decide that you do not want to perform security checks (for example, in a test environment), you can disable the OAM in one of two ways:

  • Before you create a queue manager, set the operating system environment variable MQSNOAUT (if you do this, you cannot add an OAM later):

    See Environment variables for information about the implications of setting the MQSNOAUT variable, and how you set MQSNOAUT on Windows and UNIX platforms.

  • Edit the queue manager configuration file to remove the service. (If you do this, you cannot add an OAM later.)
Warning: When an OAM is removed, it cannot be put back on an existing queue manager. This is because the OAM needs to be in place at object creation time. To use the IBM® MQ OAM again after it has been removed, the queue manager needs to be rebuilt.
If you use setmqaut, or dspmqaut while the OAM is disabled, note the following points:
  • The OAM does not validate the specified principal, or group, meaning that the command can accept invalid values.
  • The OAM does not perform security checks and indicates that all principals and groups are authorized to perform all applicable object operations.
  • Any credentials passed to the OAM for authentication checks are not validated.