Security requirements for Linux and UNIX platforms

mqsicreatebroker

mqsideletebroker

mqsimigratecomponents

• Member of mqbrkrs and mqm.
• Using LDAP: Ensure that the registry is appropriately secured to prevent unauthorized access. The setting of LdapPrincipal and LdapCredentials parameters on mqsichangebroker is not required for correct operation of the broker. The password is not stored in clear text in the file system.

mqsichangebroker

• Member of mqbrkrs.
• If you specify the -s parameter to activate broker administration security, the user ID used to run this command must be a member of the mqm group, because several queues are created for use by the broker.
• Using LDAP: Ensure that the registry is appropriately secured to prevent unauthorized access. The setting of LdapPrincipal and LdapCredentials parameters on mqsichangebroker is not required for correct operation of the broker. The password is not stored in clear text in the file system.

mqsiaddbrokerinstance

mqsiremovebrokerinstance

• Member of mqbrkrs and mqm. Additionally, you need to make the uid and gid for this user ID the same on all the systems, and the user ID needs to be the same one that created the first instance of the multi-instance broker, using the mqsicreatebroker command.

• Change the uid and gid with caution, as it affects the permission levels of files on the system. Changing a uid or gid causes the ownership of all the files previously owned by that user or group to change to the integer of the previous owner of the file. Therefore, you must ensure that your system administrator manually restores the ownerships of the affected files and directories.

mqsibackupbroker

mqsirestorebroker

• Member of mqbrkrs.

mqsistart

mqsicvp

• Member of mqbrkrs.
• Member of mqm if the queue manager is not already running.

mqsistop

• Member of mqbrkrs. However, the root user ID can stop a broker without membership of mqbrkrs.
• The user ID must be the same as the user ID that started the broker.
• Member of mqm if -q is specified.

mqsicreateexecutiongroup

mqsideleteexecutiongroup

• Member of mqbrkrs.
• If broker administration security is active, the user ID that runs this command must be a member of the group mqm. If you do not want your broker to run with mqm authority, you must work with your WebSphere® MQ administrator to create or delete the appropriate authority queue when you create or delete an integration server.

mqsistartmsgflow

mqsistopmsgflow

• Member of mqbrkrs.

mqsicreateconfigurableservice

mqsideleteconfigurableservice

• Member of mqbrkrs.

mqsilist

• Member of mqbrkrs.

mqsireportbroker

mqsireportproperties

mqsireportflowmonitoring

mqsireportflowstats

mqsireportflowuserexits

mqsireportresourcestats

• Member of mqbrkrs.

mqsichangeproperties

mqsichangeflowmonitoring

mqsichangeflowstats

mqsichangeflowuserexits

mqsichangeresourcestats

• Member of mqbrkrs.

mqsisetdbparms

• Member of mqbrkrs.

• Member of mqbrkrs.

mqsimode

• Member of mqbrkrs.

mqsideploy

• Member of mqbrkrs.

mqsireload

mqsireloadsecurity

• Member of mqbrkrs.

mqsichangetrace

mqsireporttrace

mqsireadlog

mqsiformatlog

• Member of mqbrkrs.

mqsimanagexalinks

• Root user.

mqsisetsecurity

• Root user.

mqsicacheadmin

• Member of mqbrkrs.

mqsipackagebar

• Member of mqbrkrs.
• The user ID must have WRITE access to the -w (root location), -a (BAR file location), and -v (trace file location) directories.

mqsiwebuseradmin

• Member of mqbrkrs.

• Not applicable

• Member of mqbrkrs.
• The broker runs under the login ID that started it.

• Not applicable

• Login ID must be mqm.
• mqm must be a member of mqbrkrs.