Security concerns when using the WebSphere MQ Explorer for remote administration of a Queue Manager
You want to be certain that only authorized users can perform remote administration on your queue managers. Or you are having authorization problems when performing remote administration and are receiving the following return code:
2035 0x000007f3 MQRC_NOT_AUTHORIZED
Resolving the problem
Remote administration using the WebSphere MQ Explorer
Note: WebSphere MQ v6.0 and above supports remote administration of a z/OS queue manager using the WebSphere MQ Explorer. Prior releases of WebSphere MQ for z/OS do not provide this function.
Controlling access to your WebSphere MQ z/OS queue manager
Setting the permissions on SYSTEM.MQEXPLORER.REPLY.MODEL is the way to control which users can use the Explorer to manage your z/OS queue manager. This model queue only exists on WebSphere MQ for z/OS v6.0 and above.
Any user may use the WebSphere MQ Explorer administration tool. However, certain authorities are required to connect, access and manage a queue manager through the WebSphere MQ Explorer.
Users in the 'mqm' group automatically have all of the required authority to manage queue managers on the local machine. When the user is not a member of the 'mqm' group or when WebSphere MQ Explorer is being used to manage remote queue managers, the resolved userid must have the required authority to perform the actions selected.
On Distributed queue managers
To connect to a queue manager, the userid running the WebSphere MQ Explorer requires the following authorities on the target queue manager:
- CONNECT authority on the queue manager object
- INQUIRE authority on the queue manager object
- OUTPUT authority on SYSTEM.ADMIN.COMMAND.QUEUE
- DISPLAY and INPUT authority on SYSTEM.MQEXPLORER.REPLY.MODEL
Users of the MQ Explorer must have the appropriate authority to issue the commands corresponding to the actions that they choose. An attempt to perform an operation for which the user does not have authority invokes the authorization failure procedures on the target queue manager, and the operation fails.
The Explorer's default filter displays all objects, so when objects are viewed in the Explorer, every object for which the user lacks display authority generates an authorization failure. If authorization events are being recorded, users should therefore restrict the range of objects they display to those for which they have display authority.
On z/OS queue managers
For z/OS Queue Managers you must provide RACF profiles for these queue names:
The userids of those using WebSphere MQ Explorer must have:
- RACF UPDATE access to the above queue names
- RACF UPDATE access to the SYSTEM.ADMIN.COMMAND.QUEUE
- CONNECT authority to the Queue Manager
- Authority to issue the commands corresponding to the actions that they choose
- READ access to all the hlq.DISPLAY.object profiles in the MQCMDS class because the utility uses the various DISPLAY commands to gather the information that it presents.
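The following script is an added example and is not part of this Technote or of the WebSphere MQ product. It turns the authority lists above (the distributed list and the z/OS list) into the corresponding setmqaut, dspmqaut and RACF commands for one administrative group. The queue manager name, the OS or RACF group name, the z/OS profile prefix (hlq) and the application queue names are placeholders supplied by the caller; the mapping CONNECT/INQUIRE/OUTPUT/INPUT/DISPLAY to +connect/+inq/+put/+get/+dsp is the standard setmqaut vocabulary, and the hlq.CHIN profile in the MQCONN class is assumed to be the connection profile the channel initiator checks for client connections. The script prints the commands for review rather than executing them.

```shell
#!/bin/sh
# Added example (not from the IBM Technote): emit the grants that give one
# group the authorities required for remote WebSphere MQ Explorer use.
# All names passed in (queue manager, group, hlq, queue names) are placeholders.

# Distributed: the four authorities from the Technote for queue manager $1
# and OS group $2. Authority names map to setmqaut flags as
#   CONNECT -> +connect, INQUIRE -> +inq, OUTPUT -> +put,
#   INPUT -> +get, DISPLAY -> +dsp
explorer_grants_distributed() {
  qm=$1
  grp=$2
  printf '%s\n' \
    "setmqaut -m $qm -t qmgr -g $grp +connect +inq" \
    "setmqaut -m $qm -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g $grp +put" \
    "setmqaut -m $qm -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue -g $grp +dsp +get"
}

# Distributed: grant DISPLAY only on the objects the group is meant to see
# ($3 is the object type, e.g. queue or channel; the remaining arguments are
# object names). Because the Explorer's default filter shows everything,
# objects without +dsp for this group show up as authorization failures,
# so the display scope should match what the group is allowed to see.
explorer_display_grants() {
  qm=$1
  grp=$2
  objtype=$3
  shift 3
  for obj in "$@"; do
    echo "setmqaut -m $qm -n $obj -t $objtype -g $grp +dsp"
  done
}

# Distributed: the dspmqaut checks that confirm the grants took effect.
explorer_checks_distributed() {
  qm=$1
  grp=$2
  printf '%s\n' \
    "dspmqaut -m $qm -t qmgr -g $grp" \
    "dspmqaut -m $qm -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g $grp" \
    "dspmqaut -m $qm -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue -g $grp"
}

# z/OS: RACF commands for profile prefix $1 (the hlq, normally the queue
# manager name) and RACF group $2. Classes MQQUEUE, MQCMDS and MQCONN are
# the WebSphere MQ for z/OS resource classes. Assumptions: hlq.CHIN is the
# MQCONN profile checked for channel-initiator (client) connections, and
# SETROPTS GENERIC(MQCMDS) is active so the hlq.DISPLAY.** profile is generic.
# If an existing generic profile (for example hlq.SYSTEM.**) already covers a
# queue, omit the corresponding RDEFINE and keep only the PERMIT.
explorer_grants_zos() {
  hlq=$1
  grp=$2
  printf '%s\n' \
    "RDEFINE MQQUEUE $hlq.SYSTEM.MQEXPLORER.REPLY.MODEL UACC(NONE)" \
    "PERMIT $hlq.SYSTEM.MQEXPLORER.REPLY.MODEL CLASS(MQQUEUE) ID($grp) ACCESS(UPDATE)" \
    "PERMIT $hlq.SYSTEM.ADMIN.COMMAND.QUEUE CLASS(MQQUEUE) ID($grp) ACCESS(UPDATE)" \
    "PERMIT $hlq.CHIN CLASS(MQCONN) ID($grp) ACCESS(READ)" \
    "RDEFINE MQCMDS $hlq.DISPLAY.** UACC(NONE)" \
    "PERMIT $hlq.DISPLAY.** CLASS(MQCMDS) ID($grp) ACCESS(READ)" \
    "SETROPTS RACLIST(MQQUEUE,MQCMDS,MQCONN) REFRESH"
}

# Stand-alone usage: sh explorer_auth.sh <queue manager> <group> [queue ...]
# prints the distributed grants, optional per-queue DISPLAY grants and checks.
if [ $# -ge 2 ]; then
  explorer_grants_distributed "$1" "$2"
  if [ $# -gt 2 ]; then
    qm_arg=$1
    grp_arg=$2
    shift 2
    explorer_display_grants "$qm_arg" "$grp_arg" queue "$@"
    set -- "$qm_arg" "$grp_arg"
  fi
  explorer_checks_distributed "$1" "$2"
fi
```

Review the printed commands, then run them on the target queue manager (setmqaut/dspmqaut as an mqm user, the RACF commands from TSO). A dspmqaut line that does not list the expected authorities, or a 2035 MQRC_NOT_AUTHORIZED still returned to the Explorer, points at the group or object name being different from what the grant used.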
For additional information that explains how to configure remote administration of a queue manager from the WebSphere MQ Explorer on Windows see the Troubleshooting hints and tips in the following Technote: Documentation required by the WebSphere MQ team for a problem with Windows Remote Administration using the WebSphere MQ Explorer.
Software version: 3.0, 5.3, 6.0, 7.0, 7.0.1, 7.1
Operating system(s): AIX, HP-UX, IBM i, Linux, OpenVMS, Solaris, Tandem NSK, VSE, Windows, z/OS
Reference #: 1206842
Modified date: 16 April 2013