Configuring authorization service stanzas on Windows
On IBM® MQ for Windows each queue manager has its own stanza in the registry.
The Service
stanza and the ServiceComponent
stanza for the default authorization component are added to the Registry automatically, but can be overridden using mqsnoaut
. Any other ServiceComponent
stanzas must be added manually.
You can also add the
SecurityPolicy
attribute using the IBM MQ services. The SecurityPolicy
attribute
applies only if the service specified on the
Service
stanza is the authorization service, that is, the default OAM. The
SecurityPolicy
attribute allows you to specify the security policy for each queue
manager. The possible values are:-
Default
- Specify
Default
if you want the default security policy to take effect. If a Windows security identifier (NT SID) is not passed to the OAM for a particular user ID, an attempt is made to obtain the appropriate SID by searching the relevant security databases. -
NTSIDsRequired
- Requires that an NT SID is passed to the OAM when performing security checks.
For information about the Service stanza format, see Service stanza of the qm.ini file. For more general information about security, see Setting up security on Windows, UNIX and Linux® systems.
The service component stanza, MQSeries.WindowsNT.auth.service
defines the default authorization service component, the OAM. If you remove this stanza and restart the queue manager, the OAM is disabled and no authorization checks are made.