Service stanza of the qm.ini file

You change installable services on Windows by using regedit, and on AIX® and Linux® by using the Service stanza in the qm.ini file.

Note: There are significant implications to changing installable services and their components. For this reason, the installable services are read-only in the IBM® MQ Explorer.

To change installable services on Windows systems, use regedit, or on AIX and Linux systems, use the Service stanza in the qm.ini file. For each component within a service, you must also specify the name and path of the module containing the code for that component. On AIX and Linux systems, use the ServiceComponent stanza for this.

Name= AuthorizationService|NameService

The name of the required service.

AuthorizationService: For IBM MQ, the Authorization Service component is known as the object authority manager, or OAM. The AuthorizationService stanza and its associated ServiceComponent stanza are added automatically when the queue manager is created. Add other ServiceComponent stanzas manually.
NameService: No name service is provided by default. If you require a name service, you must add the NameService stanza manually.

EntryPoints= number-of-entries

The number of entry points defined for the service.

This includes the initialization and termination entry points.

SecurityPolicy= Default|NTSIDsRequired

On Windows systems, the SecurityPolicy attribute applies only if the service specified is the default authorization service, that is, the OAM. The SecurityPolicy attribute allows you to specify the security policy for each queue manager.

The possible values are:

Default: Use the default security policy to take effect. If a Windows security identifier (NT SID) is not passed to the OAM for a particular user ID, an attempt is made to obtain the appropriate SID by searching the relevant security databases.
NTSIDsRequired: Pass an NT SID to the OAM when performing security checks.
See Windows security identifiers (SIDs) for more information.

SecurityPolicy=user|group|UserExternal|default

From IBM MQ 8.0, on AIX and Linux systems the value specifies whether the queue manager uses user-based or group-based authorization. Values are not case sensitive.

From IBM MQ 9.3.0, you can use the additional option of UserExternal. If you select this option, you can define authority records for a user name that is not known to the system, with a maximum of 12 characters, that:

Must conform to the Rules for naming IBM MQ objects
Can be used both for checking and setting authorizations

You can modify existing queue managers to use this additional option without losing any current configuration.

However, if you create a non-operating system user name, that user is considered to belong to no groups, except the nobody group. For more information about groups, see Principals and groups on AIX, Linux, and Windows.

If you do not include this attribute, default is used, which uses group-based authorization. Restart the queue manager for changes to become effective. See also Configuring authorization service stanzas: AIX and Linux systems.

SharedBindingsUserId= user-type

The SharedBindingsUserId attribute applies only if the service specified is the default authorization service, that is, the OAM. The SharedBindingsUserId attribute is used with relation to shared bindings only. This value allows you to specify whether the UserIdentifier field in the IdentityContext structure, from the MQZ_AUTHENTICATE_USER function, is the effective user ID or the real user ID.

For information on the MQZ_AUTHENTICATE_USER function, see MQZ_AUTHENTICATE_USER - Authenticate user.

The possible values are:

Default: The value of the UserIdentifier field is set as the real user ID.
Real: The value of the UserIdentifier field is set as the real user ID.
Effective: The value of the UserIdentifier field is set as the effective user ID.

FastpathBindingsUserId= user-type

The FastpathBindingsUserId attribute applies only if the service specified is the default authorization service, that is, the OAM. The FastpathBindingsUserId attribute is used with relation to fastpath bindings only. This value allows you to specify whether the UserIdentifier field in the IdentityContext structure, from the MQZ_AUTHENTICATE_USER function, is the effective user ID or the real user ID.

For information on the MQZ_AUTHENTICATE_USER function, see MQZ_AUTHENTICATE_USER - Authenticate user.

The possible values are:

Default: The value of the UserIdentifier field is set as the real user ID.
Real: The value of the UserIdentifier field is set as the real user ID.
Effective: The value of the UserIdentifier field is set as the effective user ID.

IsolatedBindingsUserId= user-type

The IsolatedBindingsUserId attribute applies only if the service specified is the default authorization service, that is, the OAM. The IsolatedBindingsUserId attribute is used with relation to isolated bindings only. This value allows you to specify whether the UserIdentifier field in the IdentityContext structure, from the MQZ_AUTHENTICATE_USER function, is the effective user ID or the real user ID.

For information on the MQZ_AUTHENTICATE_USER function, see MQZ_AUTHENTICATE_USER - Authenticate user.

The possible values are:

Default: The value of the UserIdentifier field is set as the effective user ID.
Real: The value of the UserIdentifier field is set as the real user ID.
Effective: The value of the UserIdentifier field is set as the effective user ID.

For more information about installable services and components, see Installable services and components for AIX, Linux, and Windows.

For more information about security services in general, see Setting up security on AIX and Linux systems.