mqsichangeauthmode command

• Windows systems.
• Linux® and UNIX systems.
• z/OS®. Run this command by customizing and submitting BIPCHAM; see Contents of the integration node PDSE

Use the mqsichangeauthmode command to specify the mode of administration security that will be used for granting and revoking permissions, and to enable or disable administration security for the integration node.

You can grant and revoke permissions either by using WebSphere® MQ queues owned by the queue manager specified on the integration node, or by setting file-based or LDAP permissions with the mqsichangefileauth command. Before your integration node can use queue-based, file-based, or LDAP security, you must set the administration security mode by using the mqsichangeauthmode command.

You can use queue-based security only if you have installed WebSphere MQ and if a queue manager has been specified on the integration node. If you specify queue-based security and the queue manager is subsequently removed from the integration node while administration security is active (by using -q on the mqsichangebroker command), all access to the integration node is denied until a queue manager is specified on the integration node again, or until you change to file-based or LDAP security and set the required permissions.

To see which security mode is currently in effect, use the mqsireportauthmode command.

When you create an integration node, the default mode of administration security depends on whether a queue manager is specified on the integration node. If a queue manager has been specified, administration security for the integration node is based on WebSphere MQ queues by default, and the required queues used for setting authorization are created automatically when the integration node is created. If you create an integration node without specifying an associated queue manager, file-based administration security is used by default for the integration node.

When you change the authorization mode, you must specify all required permissions by using the new authorization mode; permissions that were set using a different authorization mode are not copied across to the new mode.

Ensure that the integration node is stopped before you run this command. Settings made by this command take effect when the integration node is restarted.

integrationNodeName

(Required) The name of the integration node to which the security permissions will apply.

 

-s

(Required) Specify the administrative security status for the integration node.

If you specify -s active, administration security is enabled. Only user IDs that you authorize are permitted to complete actions on the integration node. Read, write, and execute authority is always granted on the integration node to all user IDs that belong to the security group mqbrkrs. You can also add further user ID authorizations. If you specify -s active, you must also specify the administration security mode by setting the -m parameter to either file mode, mq mode, or ldap mode.

If you are using queue-based security, the queue SYSTEM.BROKER.AUTH.integration_server_name is created when you create an integration server on an integration node for which administrative security is enabled. Populate the queue with the appropriate user authorization.

If you specify -s inactive, administration security is not enabled. All users are able to complete all actions against the integration node and all integration servers.

If administration security is not enabled, web users can access the web user interface as the default user, with unrestricted access to data and integration node resources.

For more information about using security, see Administration security overview and Authorizing users for administration.

-m

(Optional) The administration security mode to be set for the specified integration node. This parameter is required only if -s active is specified.

Specify file mode to use file-based permissions, which are set using the mqsichangefileauth command. If you create an integration node without specifying an associated queue manager, file-based administration security is used by default for the integration node.

Specify mq mode to use WebSphere MQ queues for setting permissions. You can use queue-based security only if you have installed WebSphere MQ and if a queue manager has been specified on the integration node. If a queue manager is specified on the integration node, administration security is based on MQ queues by default, and the required queues used for setting authorization are created automatically when the integration node is created.

Specify ldap mode to use LDAP-based permissions, which are set using the mqsichangefileauth command.

 

• BIP8088 The mqsichangeauthmode command changes the authorization mode to be used for administration.

Always enter the command on a single line; in some examples, line breaks have been added to enhance readability.