Implementing WebSphere MQ security on IBM i (AS/400)

Technote (troubleshooting)


Problem (Abstract)

This document describes the two classes of WebSphere MQ commands on IBM i and how to grant authority for the category 1 (administrator) and category 2 (non-administrator) command classes.

Resolving the problem

These changes can be implemented once you have MQSeries V5.2 PTF SF67225 or higher applied to your system. This function is part of the base product for V5.3, V6.0 and V7.x. As documented in APAR SA95336, there are now two categories of commands:
______________________________________________________________________

Category One commands are the commands that require an MQ administrator's authority, by way of membership in the QMQMADM group profile or OS/400 *ALLOBJ special authority. Note that *ALLOBJ satisfies this check on its own, so every profile holding *ALLOBJ is effectively an MQ administrator whether or not it belongs to QMQMADM; when auditing who can run these commands, list the members of QMQMADM (DSPUSRPRF USRPRF(QMQMADM) TYPE(*GRPMBR)) as well as the profiles that hold *ALLOBJ (for example with PRTUSRPRF TYPE(*AUTINFO)). These commands are as follows:



CHGMQMCHL CPYMQMCHL CRTMQM CRTMQMCHL
DLTMQM DLTMQMCHL ENDMQM ENDMQMCSVR
GRTMQMAUT RCDMQMIMG RCRMQMOBJ RFRMQMAUT
RSVMQMCHL RVKMQMAUT STRMQM STRMQMCSVR
STRMQMDLQ STRMQMMQSC STRMQMTRM TRCMQM
WRKMQMTRN
_____________________________________________________________________

Category Two commands require only *USE authority to the OS/400 command object and the appropriate MQ authority to the MQ object being operated on (queue, process, and so on). Both checks must pass: *USE on the command alone does not let a user act on an object, and MQ object authority alone does not let a user run the command.

NOTES:
If you do not want to give *PUBLIC authority, substitute a specific user profile or a group profile; the MQ object authority manager on IBM i honours a user's primary and supplemental group profiles, so a group is the usual way to express a role.
The GRTMQMAUT, RVKMQMAUT and RCRMQMOBJ commands used in the steps below are themselves category one commands, so the grants must be issued by a member of QMQMADM (or a profile with *ALLOBJ).
The GRTMQMAUT examples below omit MQMNAME and therefore act on the default queue manager; add MQMNAME(QMGRNAME) when the target is not the default queue manager.
The MQ command objects live in library QMQM; qualify the object name on GRTOBJAUT (for example OBJ(QMQM/CHGMQMQ)) if QMQM is not in the library list of the profile issuing the grant.
Be sure to replace QMGRNAME with your specific queue manager name.
Be sure to replace QNAME with your specific queue (local, remote, and so on) name.
Be sure to replace MODELQNAME with your specific model queue name.
Be sure to replace INITQNAME with your specific initiation queue name.
Be sure to replace XMITQNAME with your specific transmission queue name.
Be sure to replace NAMELIST with your specific namelist name.
Be sure to replace PROCESS with your specific process name.


Specific How-To's

Commands: MQGET, MQPUT (MQI calls issued by applications)
To PUT/GET to/from queues:
GRTMQMAUT OBJ(QNAME) OBJTYPE(*Q) USER(*PUBLIC) AUT(*GET *PUT)
GRTMQMAUT OBJ(QMGRNAME) OBJTYPE(*MQM) USER(*PUBLIC) AUT(*CONNECT)
To PUT/GET to/from model queues:
GRTMQMAUT OBJ(MODELQNAME) OBJTYPE(*Q) USER(*PUBLIC) AUT(*GET *PUT *ADMDSP)
GRTMQMAUT OBJ(QMGRNAME) OBJTYPE(*MQM) USER(*PUBLIC) AUT(*CONNECT *ADMCRT)
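The following CL program is an added example and is not part of the IBM technote. It applies the PUT/GET grants above to a group profile instead of *PUBLIC, which is the least-privilege form the notes recommend: the application's runtime profile gets *CONNECT on the queue manager, *PUT on one queue and *GET on another, and nothing else. The names MQAPPGRP, APPUSER, QMGRNAME, APP.REQUEST and APP.REPLY are assumed placeholders; the RVKMQMAUT steps assume *PUBLIC may have been granted earlier with the blanket examples above and remove that path. Run it as a member of QMQMADM, since GRTMQMAUT and RVKMQMAUT are category one commands.

```cl
/* Added example, not from the IBM technote. Least-privilege PUT/GET     */
/* grant for a messaging application. MQAPPGRP, APPUSER, QMGRNAME,       */
/* APP.REQUEST and APP.REPLY are assumed placeholder names.              */
PGM
  /* A group profile with no password cannot sign on; it exists only to   */
  /* carry authority. OAM on IBM i checks primary and supplemental groups.*/
  CRTUSRPRF  USRPRF(MQAPPGRP) PASSWORD(*NONE) GID(*GEN) SPCAUT(*NONE) +
             TEXT('MQ application group: connect, put, get only')

  /* Make the application's runtime profile a member of the group.        */
  /* Use SUPGRPPRF instead if APPUSER already has a primary group.        */
  CHGUSRPRF  USRPRF(APPUSER) GRPPRF(MQAPPGRP)

  /* Queue manager level: connect only. No *ADMCRT, *ADMDSP, *INQ.        */
  GRTMQMAUT  OBJ(QMGRNAME) OBJTYPE(*MQM) USER(MQAPPGRP) +
             AUT(*CONNECT) MQMNAME(QMGRNAME)

  /* Queue level: the application puts requests and gets replies, so each */
  /* queue gets exactly one of the two authorities.                       */
  GRTMQMAUT  OBJ(APP.REQUEST) OBJTYPE(*Q) USER(MQAPPGRP) +
             AUT(*PUT) MQMNAME(QMGRNAME)
  GRTMQMAUT  OBJ(APP.REPLY) OBJTYPE(*Q) USER(MQAPPGRP) +
             AUT(*GET) MQMNAME(QMGRNAME)

  /* Remove any blanket *PUBLIC grant made earlier so that the group is   */
  /* the only way in. Harmless if *PUBLIC never had authority.            */
  RVKMQMAUT  OBJ(APP.REQUEST) OBJTYPE(*Q) USER(*PUBLIC) +
             AUT(*ALL) MQMNAME(QMGRNAME)
  RVKMQMAUT  OBJ(APP.REPLY) OBJTYPE(*Q) USER(*PUBLIC) +
             AUT(*ALL) MQMNAME(QMGRNAME)

  /* Verify the result: expect *CONNECT on the queue manager and exactly  */
  /* *PUT on APP.REQUEST and *GET on APP.REPLY for the group.             */
  DSPMQMAUT  OBJ(QMGRNAME) OBJTYPE(*MQM) USER(MQAPPGRP) MQMNAME(QMGRNAME)
  DSPMQMAUT  OBJ(APP.REQUEST) OBJTYPE(*Q) USER(MQAPPGRP) MQMNAME(QMGRNAME)
  DSPMQMAUT  OBJ(APP.REPLY) OBJTYPE(*Q) USER(MQAPPGRP) MQMNAME(QMGRNAME)
ENDPGM
```

The final DSPMQMAUT calls are the check: if the displayed authorities include anything beyond *CONNECT, *PUT and *GET, some other grant (for example to *PUBLIC or to another group the profile belongs to) is still in effect and should be revoked the same way.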

Commands: ALL
Allow *DFT to be accepted as the queue manager name on commands:
GRTMQMAUT OBJ(QMGRNAME) OBJTYPE(*MQM) USER(*PUBLIC) AUT(*ADMDSP)

Commands: DSPMQM*, WRKMQM* (except WRKMQMTRN, which is a category one command)
1. Grant OS/400 authority to all display and work commands
GRTOBJAUT OBJ(DSPMQM...) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(WRKMQM...) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
2. Grant MQ authority to all queues and the queue manager
GRTMQMAUT OBJ(*ALL) OBJTYPE(*Q) USER(*PUBLIC) AUT(*ADMDSP)
GRTMQMAUT OBJ(QMGRNAME) OBJTYPE(*MQM) USER(*PUBLIC) AUT(*CONNECT *ADMDSP)
Additionally for WRKMQMMSG you must issue:
GRTMQMAUT OBJ(*ALL) OBJTYPE(*Q) USER(*PUBLIC) AUT(*BROWSE *GET)
Note: *BROWSE and *GET expose message data on every queue, so grant them only to the profiles that genuinely need to inspect messages.
Additionally for WRKMQMCHST you must issue (as an administrator, since RCRMQMOBJ is a category one command):
RCRMQMOBJ OBJ(*ALL) OBJTYPE(*SYNCFILE) MQMNAME(QMGRNAME)
Note: All channels should be inactive before performing the preceding step.


Commands: STRMQMLSR, ENDMQMLSR, RSTMQMCHL
1. Grant OS/400 authority to commands
GRTOBJAUT OBJ(STRMQMLSR) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(ENDMQMLSR) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(RSTMQMCHL) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
Additionally for ENDMQMLSR you must grant *USE on the underlying program:
GRTOBJAUT OBJ(ENDMQLSR) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*USE)
Note: No MQ authority is needed to use these commands.

Commands: PNGMQMCHL, STRMQMCHLI
1. Grant OS/400 authority to commands
GRTOBJAUT OBJ(PNGMQMCHL) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(STRMQMCHLI) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
2. Grant MQ authority to the QMGR
GRTMQMAUT OBJ(QMGRNAME) OBJTYPE(*MQM) USER(*PUBLIC) AUT(*INQ)
Additionally for STRMQMCHLI you must issue
GRTMQMAUT OBJ(INITQNAME) OBJTYPE(*Q) USER(*PUBLIC) AUT(*ALLMQI)

Commands: STRMQMCHL, ENDMQMCHL
1. Grant OS/400 authority to commands
GRTOBJAUT OBJ(STRMQMCHL) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(ENDMQMCHL) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
2. Grant MQ authority to the queue manager
GRTMQMAUT OBJ(QMGRNAME) OBJTYPE(*MQM) USER(*PUBLIC) AUT(*CONNECT)
Additionally for these commands you must grant full MQI access to the channel's transmission queue:
GRTMQMAUT OBJ(XMITQNAME) OBJTYPE(*Q) USER(*PUBLIC) AUT(*ALLMQI)
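The following CL program is an added example and is not part of the IBM technote. It combines the display/work steps (DSPMQM*, WRKMQM*) and the channel start/end steps above into one operator role held by a group profile rather than *PUBLIC. It uses a generic object name on GRTOBJAUT to cover every DSPMQM* and WRKMQM* command in library QMQM with one grant, then takes back the two commands the role should not have: WRKMQMTRN (category one) and WRKMQMMSG (reads message data). The names MQOPRGRP, QMGRNAME and XMITQNAME are assumed placeholders. Run it as a member of QMQMADM.

```cl
/* Added example, not from the IBM technote. Operator role: display MQ  */
/* objects and start or end channels, nothing else. MQOPRGRP, QMGRNAME  */
/* and XMITQNAME are assumed placeholder names.                          */
PGM
  CRTUSRPRF  USRPRF(MQOPRGRP) PASSWORD(*NONE) GID(*GEN) SPCAUT(*NONE) +
             TEXT('MQ operators: display objects, start and end channels')

  /* OS side: *USE on the command objects in QMQM. A generic name covers  */
  /* every DSPMQM and WRKMQM command in one grant ...                      */
  GRTOBJAUT  OBJ(QMQM/DSPMQM*) OBJTYPE(*CMD) USER(MQOPRGRP) AUT(*USE)
  GRTOBJAUT  OBJ(QMQM/WRKMQM*) OBJTYPE(*CMD) USER(MQOPRGRP) AUT(*USE)

  /* ... so take back the two this role must not have. WRKMQMTRN is a     */
  /* category one command; WRKMQMMSG needs *BROWSE and *GET on queues and  */
  /* would expose message payloads.                                       */
  RVKOBJAUT  OBJ(QMQM/WRKMQMTRN) OBJTYPE(*CMD) USER(MQOPRGRP) AUT(*ALL)
  RVKOBJAUT  OBJ(QMQM/WRKMQMMSG) OBJTYPE(*CMD) USER(MQOPRGRP) AUT(*ALL)

  /* Channel control commands, granted individually.                      */
  GRTOBJAUT  OBJ(QMQM/STRMQMCHL) OBJTYPE(*CMD) USER(MQOPRGRP) AUT(*USE)
  GRTOBJAUT  OBJ(QMQM/ENDMQMCHL) OBJTYPE(*CMD) USER(MQOPRGRP) AUT(*USE)

  /* MQ side: connect and display on the queue manager, display on all    */
  /* queues, and full MQI access to the one transmission queue the        */
  /* operators' channel uses. No *BROWSE or *GET on application queues.   */
  GRTMQMAUT  OBJ(QMGRNAME) OBJTYPE(*MQM) USER(MQOPRGRP) +
             AUT(*CONNECT *ADMDSP) MQMNAME(QMGRNAME)
  GRTMQMAUT  OBJ(*ALL) OBJTYPE(*Q) USER(MQOPRGRP) +
             AUT(*ADMDSP) MQMNAME(QMGRNAME)
  GRTMQMAUT  OBJ(XMITQNAME) OBJTYPE(*Q) USER(MQOPRGRP) +
             AUT(*ALLMQI) MQMNAME(QMGRNAME)

  /* Verify both layers: the command object must show no authority for   */
  /* MQOPRGRP on WRKMQMTRN, and the transmission queue must show *ALLMQI. */
  DSPOBJAUT  OBJ(QMQM/WRKMQMTRN) OBJTYPE(*CMD)
  DSPMQMAUT  OBJ(XMITQNAME) OBJTYPE(*Q) USER(MQOPRGRP) MQMNAME(QMGRNAME)
ENDPGM
```

The revoke after the generic grant is the important part: a generic GRTOBJAUT is convenient, but it silently includes whatever future commands match the pattern, so the list of exceptions should be reviewed after each MQ fix pack. Because WRKMQMTRN is category one, its program also checks QMQMADM membership, so the RVKOBJAUT is defence in depth rather than the only control.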

Commands: CCTMQM, DSCMQM, CVTMQMDTA
Grant OS/400 auth to commands
GRTOBJAUT OBJ(CCTMQM) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(DSCMQM) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(CVTMQMDTA) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
Additionally for CVTMQMDTA you must issue
GRTOBJAUT OBJ(CRTMQCVX) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*USE)

Commands: CHGMQM, CHGMQMNL, CHGMQMPRC, CHGMQMQ, CLRMQMQ
1. Grant OS/400 auth to commands
GRTOBJAUT OBJ(CHGMQM) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(CHGMQMNL) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(CHGMQMPRC) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(CHGMQMQ) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(CLRMQMQ) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
2. Grant MQ auth to the QMGR for CHGMQM
GRTMQMAUT OBJ(QMGRNAME) OBJTYPE(*MQM) USER(*PUBLIC) AUT(*CONNECT *ADMDSP *ADMCHG)
2b. Grant MQ auth to the QMGR for all other CHANGE and CLEAR commands
GRTMQMAUT OBJ(QMGRNAME) OBJTYPE(*MQM) USER(*PUBLIC) AUT(*CONNECT)
2c. Grant MQ auth to mq objects
GRTMQMAUT OBJ(NAMELIST) OBJTYPE(*NMLIST) USER(*PUBLIC) AUT(*ADMDSP *ADMCHG)
GRTMQMAUT OBJ(PROCESS) OBJTYPE(*PRC) USER(*PUBLIC) AUT(*ADMDSP *ADMCHG)
GRTMQMAUT OBJ(QNAME) OBJTYPE(*Q) USER(*PUBLIC) AUT(*ADMDSP *ADMCHG *ADMCLR)

Commands: CPYMQMNL, CPYMQMPRC, CPYMQMQ, CRTMQMNL, CRTMQMPRC, CRTMQMQ
1. Grant OS/400 auth to commands
GRTOBJAUT OBJ(CPYMQMNL) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(CPYMQMPRC) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(CPYMQMQ) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(CRTMQMNL) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(CRTMQMPRC) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(CRTMQMQ) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
2. Grant MQ auth to the QMGR
GRTMQMAUT OBJ(QMGRNAME) OBJTYPE(*MQM) USER(*PUBLIC) AUT(*CONNECT *ADMCRT)
2b. Grant MQ auth to mq objects for COPY commands
GRTMQMAUT OBJ(From_NAMELIST) OBJTYPE(*NMLIST) USER(*PUBLIC) AUT(*ADMDSP)
GRTMQMAUT OBJ(From_PROCESS) OBJTYPE(*PRC) USER(*PUBLIC) AUT(*ADMDSP)
GRTMQMAUT OBJ(From_QNAME) OBJTYPE(*Q) USER(*PUBLIC) AUT(*ADMDSP)
2c. Grant MQ auth to mq objects for CREATE commands
GRTMQMAUT OBJ(SYSTEM.DEFAULT.NAMELIST) OBJTYPE(*NMLIST) USER(*PUBLIC) AUT(*ADMDSP)
GRTMQMAUT OBJ(SYSTEM.DEFAULT.PROCESS) OBJTYPE(*PRC) USER(*PUBLIC) AUT(*ADMDSP)
GRTMQMAUT OBJ(SYSTEM.DEFAULT.*.QUEUE) OBJTYPE(*Q) USER(*PUBLIC) AUT(*ADMDSP)
(* denotes the type of queue: LOCAL, REMOTE, MODEL, and so on; grant *ADMDSP on the default queue of each type the user will create.)

Commands: RFRMQMCL, RSMMQMCLQM, RSTMQMCL, SPDMQMCLQM
1. Grant OS/400 auth to commands
GRTOBJAUT OBJ(RFRMQMCL) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(RSMMQMCLQM) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(RSTMQMCL) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(SPDMQMCLQM) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
2. Grant MQ auth to the QMGR
GRTMQMAUT OBJ(QMGRNAME) OBJTYPE(*MQM) USER(*PUBLIC) AUT(*CONNECT)

Commands: DLTMQMNL, DLTMQMPRC, DLTMQMQ
1. Grant OS/400 auth to commands
GRTOBJAUT OBJ(DLTMQMNL) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(DLTMQMPRC) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(DLTMQMQ) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
2. Grant MQ auth to the QMGR
GRTMQMAUT OBJ(QMGRNAME) OBJTYPE(*MQM) USER(*PUBLIC) AUT(*CONNECT)
2b. Grant MQ auth to mq objects for DELETE commands
GRTMQMAUT OBJ(NAMELIST) OBJTYPE(*NMLIST) USER(*PUBLIC) AUT(*ADMDLT)
GRTMQMAUT OBJ(PROCESS) OBJTYPE(*PRC) USER(*PUBLIC) AUT(*ADMDLT)
GRTMQMAUT OBJ(QNAME) OBJTYPE(*Q) USER(*PUBLIC) AUT(*ADMDLT)

Product Alias/Synonym

WMQ MQ WMQ/IBMi

Document information


More support for:

WebSphere MQ
Security

Software version:

6.0, 7.0, 7.0.1, 7.1

Operating system(s):

IBM i, OS/400, i5/OS, iSeries

Software edition:

All Editions

Reference #:

1081480

Modified date:

2014-10-17