Stopping unauthorized queue managers putting messages on your queues

Use the channel put authority attribute on the cluster-receiver channel to stop unauthorized queue managers putting messages on your queues. Authorize a remote queue manager by checking the user ID in the message using RACF® on z/OS®, or the OAM on other platforms.

About this task

Use the security facilities of a platform and the access control mechanism in IBM® MQ to control access to queues.

Procedure

  1. To prevent certain queue managers from putting messages on a queue, use the security facilities available on your platform.
    For example:
    • RACF or other external security managers on IBM MQ for z/OS.
    • The object authority manager (OAM) on other platforms.
  2. Use the put authority (PUTAUT) attribute on the CLUSRCVR channel definition.

    The PUTAUT attribute specifies which user identifiers are used to establish authority to put a message to a queue.

    The options on the PUTAUT attribute are:
    DEF
    Use the default user ID. On z/OS, the check might involve using both the user ID received from the network and that derived from MCAUSER.
    CTX
    Use the user ID in the context information associated with the message. On z/OS, the check might involve using either the user ID received from the network, or that derived from MCAUSER, or both. Use this option if the link is trusted and authenticated.
    ONLYMCA (z/OS only)
    As for DEF, but any user ID received from the network is not used. Use this option if the link is not trusted and you want to allow only a specific set of actions on it, which are defined for the MCAUSER.
    ALTMCA (z/OS only)
    As for CTX, but any user ID received from the network is not used.
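
The two steps above as MQSC for a platform that uses the OAM. This is an added example, not taken from the IBM MQ documentation. The channel name DEMOCLUS.QM1, the queue APP.ORDERS, the group ordergrp and the user clusmca are constructed placeholders, and the channel's own MCA user ID is assumed to already hold the authorities it needs to run.

```mqsc
* Constructed example: DEMOCLUS.QM1, APP.ORDERS, ordergrp and clusmca
* are placeholder names, not values from the product documentation.

* Variant A, trusted and authenticated link: authority is checked
* against the user ID in each message's context information.
ALTER CHANNEL('DEMOCLUS.QM1') CHLTYPE(CLUSRCVR) PUTAUT(CTX)

* OAM: only user IDs in ordergrp may put to the queue. A message
* whose context user ID is outside the group fails the check.
SET AUTHREC PROFILE('APP.ORDERS') OBJTYPE(QUEUE) +
    GROUP('ordergrp') AUTHADD(PUT)

* Variant B, use instead of A when message context should not decide:
* PUTAUT(DEF) checks the channel's default user ID, here pinned with
* MCAUSER, so only that ID needs put authority.
*
* ALTER CHANNEL('DEMOCLUS.QM1') CHLTYPE(CLUSRCVR) +
*     PUTAUT(DEF) MCAUSER('clusmca')
* SET AUTHREC PROFILE('APP.ORDERS') OBJTYPE(QUEUE) +
*     PRINCIPAL('clusmca') AUTHADD(PUT)

* Confirm what is in force on the channel and on the queue.
DISPLAY CHANNEL('DEMOCLUS.QM1') PUTAUT MCAUSER
DISPLAY AUTHREC PROFILE('APP.ORDERS') OBJTYPE(QUEUE)
```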