Objects used by JMS that require authorization for non-privileged users

Non-privileged users must be granted authorization to access the queues used by JMS. Every JMS application needs authorization to the queue manager with which it works.

For details about access control in IBM® WebSphere® MQ, see Setting up security on UNIX, UNIX and Linux® systems.

WebSphere MQ classes for JMS applications need connect and inq authority to the queue manager. You can set appropriate authorizations using the setmqaut control command, for example:
setmqaut -m QM1 -t qmgr -g jmsappsgroup +connect +inq
For the point-to-point domain, the following authorities are required:
  • Queues that are used by MessageProducer objects need put authority.
  • Queues that are used by MessageConsumer and QueueBrowser objects need get, inq, and browse authorities.
  • The QueueSession.createTemporaryQueue() method needs access to the model queue specified by the TEMPMODEL property of the QueueConnectionFactory object. By default this model queue is SYSTEM.TEMP.MODEL.QUEUE.
If any of these queues are alias queues, their target queues require inquire authority. If the target queue is a cluster queue, it also requires browse authority.
For the publish/subscribe domain, the following queues are used if the WebSphere MQ classes for JMS are connecting to an IBM WebSphere MQ queue manager in IBM WebSphere MQ messaging provider migration mode:
  • SYSTEM.JMS.ADMIN.QUEUE
  • SYSTEM.JMS.REPORT.QUEUE
  • SYSTEM.JMS.MODEL.QUEUE
  • SYSTEM.JMS.PS.STATUS.QUEUE
  • SYSTEM.JMS.ND.SUBSCRIBER.QUEUE
  • SYSTEM.JMS.D.SUBSCRIBER.QUEUE
  • SYSTEM.JMS.ND.CC.SUBSCRIBER.QUEUE
  • SYSTEM.JMS.D.CC.SUBSCRIBER.QUEUE
  • SYSTEM.BROKER.CONTROL.QUEUE

For further information on IBM WebSphere MQ messaging provider migration mode, see When to use PROVIDERVERSION.

Additionally, if the WebSphere MQ classes for JMS are connecting to a queue manager in this mode, any application that publishes messages needs access to the stream queue specified by the TopicConnectionFactory or topic object. By default, this queue is SYSTEM.BROKER.DEFAULT.STREAM.

If you use ConnectionConsumer, IBM WebSphere MQ Resource Adapter, or the WebSphere Application Server IBM WebSphere MQ messaging provider, additional authorization might be needed.

Queues to be read by the ConnectionConsumer must have get, inq, and browse authorities. The system dead-letter queue, and any backout-requeue queue or report queue used by the ConnectionConsumer, must have put and passall authorities.
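The point-to-point and ConnectionConsumer authorities listed above can be turned into one reviewable set of setmqaut commands per application role. The following sketch is an added example, not IBM-supplied code: the function names, the role names (producer, consumer, cc-failure), the group-name character check, and the queue names ORDERS.IN and APP.DLQ are assumptions made for illustration. It only prints commands and does not cover model queues or alias target queues.

```shell
#!/bin/sh
# Added example: dry-run generator for least-privilege setmqaut grants.
# It prints commands only; review the output, then run it as an MQ administrator.

# MQ object names: 1 to 48 characters from A-Z a-z 0-9 . / _ %
valid_mq_name() {
    [ -n "$1" ] && [ "${#1}" -le 48 ] || return 1
    case "$1" in *[!A-Za-z0-9./_%]*) return 1 ;; esac
}

# Usage: jms_grants QMGR GROUP ROLE QUEUE
# ROLE (hypothetical names) maps to the authorities the page lists:
#   producer   - queue used by MessageProducer objects
#   consumer   - queue used by MessageConsumer, QueueBrowser or ConnectionConsumer
#   cc-failure - dead-letter, backout-requeue or report queue of a ConnectionConsumer
jms_grants() {
    qmgr=$1; group=$2; role=$3; queue=$4
    valid_mq_name "$qmgr" && valid_mq_name "$queue" || {
        echo "invalid MQ object name" >&2; return 2; }
    # Assumption: group names are limited to a conservative character set
    # so that nothing reaching the generated command line needs quoting.
    case "$group" in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "invalid group name" >&2; return 2 ;;
    esac
    case "$role" in
        producer)   auths="+put" ;;
        consumer)   auths="+get +inq +browse" ;;
        cc-failure) auths="+put +passall" ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    # Every JMS application needs connect and inq on the queue manager.
    echo "setmqaut -m $qmgr -t qmgr -g $group +connect +inq"
    echo "setmqaut -m $qmgr -n $queue -t queue -g $group $auths"
}

# Constructed sample: one consuming application and its failure queue.
jms_grants QM1 jmsappsgroup consumer ORDERS.IN
jms_grants QM1 jmsappsgroup cc-failure APP.DLQ
```

Anything outside the three roles is rejected rather than mapped to a broader grant, so a typo in the role never widens access.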

When an application uses WebSphere MQ messaging provider normal mode to perform publish/subscribe messaging, the application makes use of the integrated publish/subscribe functionality provided by the queue manager. See Publish/subscribe security for information on securing the topics and queues that are used.