Authorization queues for queue-based administration security

If the queue-based mode of administration security is enabled, the integration node checks the WebSphere MQ permissions that a user holds on specific authorization queues to determine whether that user is allowed to complete a particular task against the integration node or its resources.

If a queue manager is specified on the integration node, the queue-based mode of administration security (mq mode) is specified by default. For more information about authorization modes, see Configuring administration security to use file-based, queue-based, or LDAP authorization.

You set security permissions on the following authorization queues:

SYSTEM.BROKER.AUTH
The queue SYSTEM.BROKER.AUTH is created when you use the mqsichangeauthmode command to enable queue-based administration security (mq mode) on the integration node.

Read, write, and execute permissions are granted automatically to the user group mqbrkrs on this queue. The SYSTEM.BROKER.AUTH queue is created as a local queue, and is used to define which users are authorized to perform actions on the integration node and its properties.

If the mqsichangeauthmode command fails to create the queue for any reason, you can create it manually; see Creating the default IBM Integration Bus queues on a WebSphere MQ queue manager.

SYSTEM.BROKER.AUTH.EG
When you create an integration server on an integration node for which you have enabled queue-based administration security, the integration server authorization queue SYSTEM.BROKER.AUTH.EG is created (if it did not already exist), where EG is the name of the integration server. If the queue already exists, check that the permissions on it are appropriate before you rely on them. Read, write, and execute permissions are automatically granted to the user group mqbrkrs on this queue. The dedicated integration server queues are created as alias queues that resolve to the queue SYSTEM.BROKER.AUTH; because permissions are set on each alias individually, each integration server can be authorized separately.

If the integration node fails to create the queue for any reason, you can create it manually; see Creating the default IBM Integration Bus queues on a WebSphere MQ queue manager.

SYSTEM.BROKER.DC.AUTH
When you use the mqsicreatebroker command to create an integration node with an associated queue manager, the SYSTEM.BROKER.DC.AUTH queue is created automatically. If you create the integration node without specifying a queue manager, and subsequently modify it to specify a queue manager and enable queue-based administration security (mq mode), you must also create the SYSTEM.BROKER.DC.AUTH queue; see Creating the default IBM Integration Bus queues on a WebSphere MQ queue manager.

If you create an integration node without enabling administration security, you can change it later by using the mqsichangeauthmode command. If you have already defined one or more integration servers on that integration node when you change its security setting, the required integration server authorization queues are created at that time.

A queue can be created only by a user ID that is a member of the WebSphere® MQ security group mqm. Therefore, the user ID that is used to create or change an integration node, and the ID under which the integration node is running when an integration server is created, must be a member of that security group. If the user ID does not have the required permissions, a message is returned to the command (for the mqsichangebroker command only), or written to the system log, with the error and the name of the queue. You must create the queue yourself, or ask your WebSphere MQ administrator to create it for you.

WebSphere MQ restricts the length of a queue name to 48 characters. Queue name characters must be in the En_US ASCII character set, and contain only uppercase and lowercase letters, digits, and the following special characters: period (.), forward slash (/), underscore (_), and percent (%). If the name of your integration server includes a character that is not valid, that character is replaced in the WebSphere MQ queue name by an underscore character. For example, if you create an integration server with the name test@environment, the authorization queue is created with the name SYSTEM.BROKER.AUTH.test_environment.

If you are running a secure environment, limit the names of your integration servers to 29 characters. This limit ensures that the generated authorization queue names do not exceed the WebSphere MQ limit of 48 characters: the prefix SYSTEM.BROKER.AUTH and its trailing period account for 19 of those characters.

If your integration server names do not all conform to the length and character requirements, integration servers with similar names might resolve to a shared authorization queue. For example, integration servers named test@environment and test_environment both map to the queue SYSTEM.BROKER.AUTH.test_environment, so permissions granted for one apply to the other. If this situation occurs, a warning message is returned to the user that issued the command, or is written to the system log, when the second integration server is created, to state that the queue is shared.

When you delete an integration server, its associated authorization queue is retained, together with the permissions set on it. The queue is deleted only if you specify the appropriate parameter when you delete the integration node. The queue can be reused if you recreate the integration server, but you must check the permissions that you have defined on the queue to ensure that they are still valid for the new server.

If you rename an integration server, you must first create an authorization queue with the appropriate name. You must also recreate the WebSphere MQ permissions associated with the original authorization queue on this queue before you rename the integration server; the integration node does not perform this task on your behalf. The integration node rejects the rename request if the authorization queue does not exist, to ensure that security is not affected by the renaming. If you do not recreate these permissions, no user IDs are authorized to perform a task against the renamed integration server.
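The name-mapping and collision rules above, and the queue-plus-permissions preparation that a rename requires, as an added example that is not part of the IBM documentation or of the product. It maps integration server names to authorization queue names, flags servers that would share a queue, and emits the runmqsc and setmqaut commands to create and authorize the new alias queue before a rename. Two things are assumptions rather than statements from this page: that an over-long name is cut at the 48-character MQ limit rather than rejected, and that the page's read, write, and execute permissions correspond to the MQ authorities inq, put, and get. The queue manager name QM1, the server names, and the authority records are constructed sample input.

```python
# Added example (not IBM documentation or product code): pre-flight helper for
# queue-based administration security on an integration node.
# Assumptions: names are truncated to the 48-character MQ limit after the prefix
# is added; read/write/execute on the page map to the MQ authorities inq/put/get.
import re
from collections import defaultdict

PREFIX = "SYSTEM.BROKER.AUTH"          # local queue that every per-server alias resolves to
MQ_QUEUE_NAME_MAX = 48                 # WebSphere MQ queue name limit
SAFE_SERVER_NAME_MAX = MQ_QUEUE_NAME_MAX - len(PREFIX) - 1   # 29, the limit the page recommends

# Anything outside the allowed set (letters, digits, . / _ %) becomes an underscore,
# which is how test@environment turns into test_environment.
_INVALID = re.compile(r"[^A-Za-z0-9./_%]")


def auth_queue_name(server: str) -> str:
    """Return the authorization queue name derived for an integration server."""
    cleaned = _INVALID.sub("_", server)
    # Assumption: the derived name is cut at the MQ limit rather than rejected.
    return f"{PREFIX}.{cleaned}"[:MQ_QUEUE_NAME_MAX]


def plan_queues(servers):
    """Map each server to its queue; return (mapping, warnings).

    A warning is produced for every queue that more than one server resolves to,
    because permissions granted on that queue then apply to all of those servers,
    and for every name that breaks the length or character rules.
    """
    by_queue = defaultdict(list)
    for server in servers:
        by_queue[auth_queue_name(server)].append(server)
    warnings = []
    for queue, owners in by_queue.items():
        if len(owners) > 1:
            warnings.append(f"{queue} is shared by {', '.join(owners)}")
    for server in servers:
        if len(server) > SAFE_SERVER_NAME_MAX or _INVALID.search(server):
            warnings.append(f"{server!r} does not conform to the length/character rules")
    return {s: auth_queue_name(s) for s in servers}, warnings


def rename_commands(qmgr, new_server, authority_records):
    """Commands to run BEFORE renaming an integration server to new_server.

    authority_records is a list of (kind, name, authorities) tuples, kind being
    "group" or "principal". In practice these come from the authority records on
    the old server's queue, so that they carry over to the new one.
    """
    new_queue = auth_queue_name(new_server)
    # Alias resolving to SYSTEM.BROKER.AUTH, like the queues the node creates itself.
    # Names are quoted because MQSC folds unquoted names to upper case.
    # No REPLACE: if the queue already exists, inspect its permissions instead.
    mqsc = f"DEFINE QALIAS('{new_queue}') TARGET('{PREFIX}')"
    cmds = [f'echo "{mqsc}" | runmqsc {qmgr}']
    for kind, name, auths in authority_records:
        flag = "-g" if kind == "group" else "-p"
        cmds.append(f"setmqaut -m {qmgr} -n {new_queue} -t queue {flag} {name} {auths}")
    # Verify what the node will see for its default administrators group.
    cmds.append(f"dspmqaut -m {qmgr} -n {new_queue} -t queue -g mqbrkrs")
    return cmds


if __name__ == "__main__":
    # Constructed sample: the page's own example, a name that collides with it,
    # two 30-character names that differ only in their last character, and a safe one.
    sample = [
        "test@environment",
        "test_environment",
        "orders" + "A" * 22 + "01",
        "orders" + "A" * 22 + "02",
        "payments",
    ]
    mapping, warnings = plan_queues(sample)
    for server, queue in mapping.items():
        print(f"{server:32} -> {queue}")
    for w in warnings:
        print("WARNING:", w)
    records = [("group", "mqbrkrs", "+inq +put +get"),   # read, write, execute
               ("group", "ops_readonly", "+inq")]        # read only
    for cmd in rename_commands("QM1", "payments_v2", records):
        print(cmd)
```

Run the planner against the names you intend to deploy before creating the integration servers, and treat any "is shared by" warning as a permission leak between servers. The rename helper deliberately emits commands rather than running them, so they can be reviewed or handed to the WebSphere MQ administrator who holds mqm membership.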

When you delete an integration node, you can specify that all its authorization queues are also deleted; they are not deleted by default.

For more information about setting permissions for queue-based authorization, see Setting queue-based permissions.