Service stanza of the qm.ini file
The Service stanza is used to make changes to installable services. This stanza contains the name of the service and the number of entry points defined for the service.
For each component within a service, you must also specify the name and path of the module containing the code for that component. Use the ServiceComponent stanza for this.
The Service and ServiceComponent stanzas can occur in any order and the stanza keys under them can also occur in any order. For either of these stanzas, all the stanza keys must be present. If a stanza key is duplicated, the last one is used.
At startup time, the queue manager processes each service component entry in the configuration file in turn. It then loads the specified component module, invoking the entry point of the component (which must be the entry point for initialization of the component), passing it a configuration handle.
- Name= AuthorizationService (default)|NameService
- The name of the required service.
- AuthorizationService
- For IBM MQ, the Authorization Service component is known as the object authority manager, or OAM. The AuthorizationService stanza and its associated ServiceComponent stanza are added automatically when the queue manager is created. Add other ServiceComponent stanzas manually.
The following stanzas in the queue manager configuration file define two authorization service components on IBM MQ for AIX®. MQ_INSTALLATION_PATH represents the high-level directory in which IBM MQ is installed.
The service component stanza (MQSeries.UNIX.auth.service) defines the default authorization service component, the OAM. If you remove this stanza and restart the queue manager, the OAM is disabled and no authorization checks are made.
You can also add the SecurityPolicy attribute using the IBM MQ services. The SecurityPolicy attribute applies only if the service specified on the Service stanza is the authorization service, that is, the default OAM. The SecurityPolicy attribute allows you to specify the security policy for each queue manager. The possible values are:
- Default
- Specify Default if you want the default security policy to take effect. If a Windows security identifier (NT SID) is not passed to the OAM for a particular user ID, an attempt is made to obtain the appropriate SID by searching the relevant security databases.
- NTSIDsRequired
- Requires that an NT SID is passed to the OAM when performing security checks.
The service component stanza, MQSeries.WindowsNT.auth.service, defines the default authorization service component, the OAM. If you remove this stanza and restart the queue manager, the OAM is disabled and no authorization checks are made.
- NameService
- No name service is provided by default. If you require a name service, you must add the NameService stanza manually.
The following examples of AIX and Linux® configuration file stanzas for the name service specify a name service component provided by the (fictitious) ABC company.
- EntryPoints= number-of-entries
- The number of entry points defined for the service.
This includes the initialization and termination entry points.
- SecurityPolicy= Default|NTSIDsRequired
- On Windows systems, the SecurityPolicy attribute applies only if the service specified is the default authorization service, that is, the OAM. The SecurityPolicy attribute allows you to specify the security policy for each queue manager. The possible values are:
- Default
- Use the default security policy. If a Windows security identifier (NT SID) is not passed to the OAM for a particular user ID, an attempt is made to obtain the appropriate SID by searching the relevant security databases.
- NTSIDsRequired
- Pass an NT SID to the OAM when performing security checks.
For more information, see Windows security identifiers (SIDs).
- SecurityPolicy=user|group|UserExternal|default
- On AIX and Linux systems, the value specifies whether the queue manager uses user-based or group-based authorization. Values are not case sensitive.
- SharedBindingsUserId= user-type
- The SharedBindingsUserId attribute applies only if the service specified is the default authorization service, that is, the OAM. The SharedBindingsUserId attribute is used with relation to shared bindings only. This value allows you to specify whether the UserIdentifier field in the IdentityContext structure, from the MQZ_AUTHENTICATE_USER function, is the effective user ID or the real user ID.
For information on the MQZ_AUTHENTICATE_USER function, see MQZ_AUTHENTICATE_USER - Authenticate user.
The possible values are:
- Default
- The value of the UserIdentifier field is set as the real user ID.
- Real
- The value of the UserIdentifier field is set as the real user ID.
- Effective
- The value of the UserIdentifier field is set as the effective user ID.
- FastpathBindingsUserId= user-type
- The FastpathBindingsUserId attribute applies only if the service specified is the default authorization service, that is, the OAM. The FastpathBindingsUserId attribute is used with relation to fastpath bindings only. This value allows you to specify whether the UserIdentifier field in the IdentityContext structure, from the MQZ_AUTHENTICATE_USER function, is the effective user ID or the real user ID.
For information on the MQZ_AUTHENTICATE_USER function, see MQZ_AUTHENTICATE_USER - Authenticate user.
The possible values are:
- Default
- The value of the UserIdentifier field is set as the real user ID.
- Real
- The value of the UserIdentifier field is set as the real user ID.
- Effective
- The value of the UserIdentifier field is set as the effective user ID.
- IsolatedBindingsUserId= user-type
- The IsolatedBindingsUserId attribute applies only if the service specified is the default authorization service, that is, the OAM. The IsolatedBindingsUserId attribute is used with relation to isolated bindings only. This value allows you to specify whether the UserIdentifier field in the IdentityContext structure, from the MQZ_AUTHENTICATE_USER function, is the effective user ID or the real user ID.
For information on the MQZ_AUTHENTICATE_USER function, see MQZ_AUTHENTICATE_USER - Authenticate user.
The possible values are:
- Default
- The value of the UserIdentifier field is set as the effective user ID.
- Real
- The value of the UserIdentifier field is set as the real user ID.
- Effective
- The value of the UserIdentifier field is set as the effective user ID.
For more information about installable services and components, see Installable services and components for AIX, Linux, and Windows.
For more information about security services in general, see Setting up security on AIX and Linux systems.
Example stanza
Service:
Name=AuthorizationService
EntryPoints=14
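
A configuration check for two points made above: removing the OAM's ServiceComponent stanza disables authorization checks, and a duplicated stanza key takes its last value. This is an added example, not IBM's code. The ServiceComponent key names (Service, Name, Module, ComponentDataSize), the comment characters and the Module path are assumptions not taken from this page, and the sample file is constructed.

```python
import re

# Constructed sample qm.ini fragment. The ServiceComponent key names and the
# Module path are assumptions/placeholders; they are not listed on this page.
SAMPLE_QM_INI = """\
Service:
   Name=AuthorizationService
   EntryPoints=14
   SecurityPolicy=group
   SecurityPolicy=user
ServiceComponent:
   Service=AuthorizationService
   Name=MQSeries.UNIX.auth.service
   Module=/path/to/oam_module
   ComponentDataSize=0
"""

def parse_stanzas(text):
    """Return [(stanza, {key: value})]; a duplicated key keeps its last value."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment (assumed)
            continue
        header = re.fullmatch(r"(\w+):", line)
        if header:
            stanzas.append((header.group(1), {}))
        elif "=" in line and stanzas:
            key, value = line.split("=", 1)
            stanzas[-1][1][key.strip()] = value.strip()
    return stanzas

def audit_authorization_service(text):
    """Return (findings, effective SecurityPolicy) for the OAM definition."""
    stanzas = parse_stanzas(text)
    auth = [k for n, k in stanzas
            if n == "Service" and k.get("Name") == "AuthorizationService"]
    comps = [k for n, k in stanzas
             if n == "ServiceComponent" and k.get("Service") == "AuthorizationService"]
    findings = []
    if not auth:
        findings.append("no Service stanza named AuthorizationService")
    if any("EntryPoints" not in k for k in auth):
        findings.append("AuthorizationService stanza has no EntryPoints key")
    if not comps:
        findings.append("no ServiceComponent for AuthorizationService")
    if any("Module" not in k or "Name" not in k for k in comps):
        findings.append("ServiceComponent is missing Name or Module")
    policy = auth[-1].get("SecurityPolicy") if auth else None
    return findings, (policy.lower() if policy else None)
```

Run against each queue manager's qm.ini after a change; an empty findings list means the authorization service and its component are both still defined.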