Enabling administration security

Enable administration security on an integration node to control which users can complete specific tasks against that integration node and its resources.

About this task

If you do not enable administration security, all users are able to complete all actions against the integration node and all integration servers. If administration security is not enabled, web users can access the web user interface as the default user, with unrestricted access to data and integration node resources.

You can enable administration security and specify the authorization mode for the integration node, by using the mqsichangeauthmode command.

Procedure

  1. Stop the integration node by using the web user interface or by running the mqsistop command.
  2. To enable administration security for the integration node, specify the -s active parameter on the mqsichangeauthmode command. You must also specify the authorization mode that you require by using the -m parameter.
    For example, to enable administration security with the file-based authorization mode for the IB10NODE integration node, enter the following command:
    mqsichangeauthmode IB10NODE -s active -m file
    where -s active enables administration security for the integration node, and -m file specifies the file-based authorization mode.

    If you intend to use queue-based administration security (mq mode), ensure that the queue manager specified on the integration node is running.

    Ensure that the system user ID that runs the mqsichangeauthmode command is a member of the mqbrkrs group. Read, write, and execute permissions are granted automatically on the integration node to all user IDs that belong to this group.

    If you intend to use queue-based administration security (mq mode), ensure that the user ID is a member of the mqm group, with permission to create the required authorization queues. If the queues are not created automatically, you can create them manually; see Creating the default IBM Integration Bus queues on a WebSphere MQ queue manager. For more information, see Authorization queues for queue-based administration security.

    Manage the membership of the mqbrkrs and mqm security groups with care, and ensure that this level of authorization is granted only to users who require it.

  3. Start the integration node by using the web user interface or the mqsistart command.

What to do next

Set the required permissions to enable users to complete the appropriate tasks on the integration node and its resources. This task is described in Authorizing users for administration. For more information about specifying authorization modes, see Configuring administration security to use file-based, queue-based, or LDAP authorization.