mqsichangeauthmode command

Use the mqsichangeauthmode command to specify the mode of administration security to be used for granting and revoking permissions.

Purpose

Use the mqsichangeauthmode command to specify the mode of administration security that will be used for granting and revoking permissions, and to enable or disable administration security for an integration node or independent integration server.

You can grant and revoke permissions by either of the following techniques:
  • By using IBM MQ queues owned by the queue manager specified on the integration node or independent integration server.
  • By setting file-based permissions with the mqsichangefileauth command.

You can use the mqsichangeauthmode command to specify queue-based or file-based security. For information about LDAP authorization, see Configuring authorization by using LDAP groups.

Before your integration node can use queue-based or file-based security, you must set the administration security mode by using the mqsichangeauthmode command.

You can use queue-based security only if you have installed IBM MQ and if a queue manager has been specified on the integration node or independent integration server. If you specify queue-based security and the queue manager is subsequently removed from the configuration while administration security is active, all access to the integration node or independent integration server is denied until a queue manager is specified again, or until you change to file-based security and set the required permissions.

To see the authorization mode that is currently in effect, use the mqsireportauthmode command.

When you change the authorization mode, you must specify all required permissions by using the new authorization mode; permissions that were set using a different authorization mode are not copied across to the new mode.

Settings made by this command take effect when the integration node or integration server is restarted.

Syntax

mqsichangeauthmode {integrationNodeName | -w workpath} {-b {active | inactive} | -s {active | inactive}} [-m {file | mq}]

Parameters

integrationNodeName
(Required for an integration node) The name of the integration node to which the mode of administration security will apply.

 

-w workpath
(Required for an independent integration server) This parameter specifies the work directory for the integration server to which the mode of administration security will apply.
-b
(Required if -s is not set) Set administration security with authentication only. You must specify either -b (authentication only) or -s (authentication and authorization).
-s
(Required if -b is not set) Set administration security with authentication and authorization. You must specify either -s (for authentication and authorization) or -b (for authentication only).

If you specify -s active, administration security is enabled. Only user IDs that you authorize are permitted to complete actions on the integration node or server. Read, write, and execute authority is always granted on the integration node or server to all user IDs that belong to the security group mqbrkrs. You can also add further user ID authorizations. If you specify -s active, you must also specify the administration security mode by setting the -m parameter.

If you are using queue-based security, the queue SYSTEM.BROKER.AUTH.integration_server_name is created when you create an integration server on an integration node for which administrative security is enabled. Populate the queue with the appropriate user authorization.

If you specify -s inactive, administration security is not enabled. All users are able to complete all actions against the integration node and all integration servers.

If administration security is not enabled, web users can access the web user interface as the default user, with unrestricted access to data and integration node resources.

For more information about using security, see Administration security overview and Authorizing users for administration.

-m
(Optional) The administration security mode to be set. This parameter is required if -s active is specified.

Specify file mode to use file-based permissions, which are set using the mqsichangefileauth command.

Specify mq mode to use IBM MQ queues for setting permissions on an integration node. You can use queue-based security only if you have installed IBM MQ and if a queue manager has been specified on the integration node. If a queue manager is specified on the integration node, administration security is based on MQ queues by default, and the required queues used for setting authorization are created automatically when the integration node is created.

Responses

In addition to standard command responses, the following responses are returned by this command.
  • BIP8088 The mqsichangeauthmode command changes the authorization mode to be used for administration.

Examples

Always enter the command on a single line; in some examples, line breaks have been added to enhance readability.

In the following example, administration security is enabled for authentication and authorization, and the file-based mode of security is set for the ACE11NODE integration node:
mqsichangeauthmode ACE11NODE -s active -m file
In the following example, administration security is enabled for authentication only, on the independent integration server whose work path is specified by the -w parameter:
mqsichangeauthmode -w myIntegrationServerWorkPath -b active
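
A pre-flight check for change scripts that applies the parameter rules above before the command is run. This is an added example, not IBM's code: check_authmode_args and ALLOW_DISABLE are hypothetical names, and refusing inactive without an explicit override is a policy assumed for this example.

```shell
# Added example (not IBM's code). check_authmode_args and ALLOW_DISABLE are
# hypothetical names. The function validates the arguments and prints the
# command line for review; it never runs mqsichangeauthmode itself.
check_authmode_args() {
    target="" level="" state="" mode=""
    err() { echo "rejected: $*" >&2; }
    while [ $# -gt 0 ]; do
        case "$1" in
            -w|-b|-s|-m)
                [ $# -ge 2 ] || { err "$1 needs a value"; return 2; }
                case "$1" in
                    -w) [ -z "$target" ] || { err "node name and -w are exclusive"; return 2; }
                        target="-w $2" ;;
                    -m) mode=$2 ;;
                    *)  [ -z "$level" ] || { err "specify either -b or -s, not both"; return 2; }
                        level=$1 state=$2 ;;
                esac
                shift 2 ;;
            -*) err "unknown option $1"; return 2 ;;
            *)  [ -z "$target" ] || { err "node name and -w are exclusive"; return 2; }
                target=$1; shift ;;
        esac
    done
    [ -n "$target" ] || { err "give an integration node name or -w workpath"; return 2; }
    [ -n "$level" ] || { err "one of -b or -s is required"; return 2; }
    case "$state" in
        active|inactive) ;;
        *) err "$level takes active or inactive"; return 2 ;;
    esac
    case "$mode" in
        ""|file|mq) ;;
        *) err "-m takes file or mq"; return 2 ;;
    esac
    if [ "$level" = "-s" ] && [ "$state" = active ] && [ -z "$mode" ]; then
        err "-s active requires -m file or -m mq"; return 2
    fi
    # Assumed policy: with -s inactive every user can complete every action,
    # so switching a setting off needs an explicit ALLOW_DISABLE=1.
    if [ "$state" = inactive ] && [ "${ALLOW_DISABLE:-0}" != 1 ]; then
        err "$level inactive needs ALLOW_DISABLE=1"; return 3
    fi
    echo "mqsichangeauthmode $target $level $state${mode:+ -m $mode}"
    echo "note: set permissions again in the new mode, then restart" >&2
}
```

Exit status 2 means the argument combination breaks a rule from the Parameters section; 3 means the assumed policy blocked an inactive setting.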