IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Activating broker administration security for WebSphere MQ Version 7.1, or later

Describes how to enable channel authentication security and the effect of this on a broker queue manager.

When you create a broker, if the WebSphere® MQ queue manager does not exist, the queue manager is created automatically. If WebSphere MQ Version 7.1, or later, has been selected for the queue manager, channel authentication security is disabled automatically on that queue manager.

If more precise control over the access granted to connecting systems is required at the channel level, channel authentication security can be enabled. For more details, see WebSphere MQ Version 7.1 Channel authentication records.

To enable channel authentication security so that channel authentication records are used, run this MQSC command against the broker queue manager:

ALTER QMGR CHLAUTH(ENABLED)

Once enabled, there are consequences for any channel-based communication with a broker. However, this does not prevent privileged or non-privileged users from accessing local brokers. See the following table for a definition of the privileged users, who have full administrative authorities:

Table 1. Privileged users by platform.
Platform Privileged users
Windows systems
  • SYSTEM
  • Members of the mqm group
  • Members of the Administrators group
UNIX and Linux systems
  • Members of the mqm group

Privileged or non-privileged users who want to remotely administer a broker by means of CMP/API/MBX/Toolkit must have the following commands run on the broker queue manager to grant their user access:

  1. Enable remote administration on the queue manager.
  2. setmqaut -m QMNAME -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue -p username +dsp +inq +put +get
  3. setmqaut -m QMNAME -n SYSTEM.BROKER.DEPLOY.QUEUE -t queue -p username +dsp +inq +put +get
  4. setmqaut -m QMNAME -n SYSTEM.BROKER.DEPLOY.REPLY -t queue -p username +dsp +inq +put +get
  5. SET CHLAUTH('SYSTEM.BKR.CONFIG') TYPE(ADDRESSMAP) ADDRESS('address-of-machine-who-is-allowed') MCAUSER('NonPrivilegedUser') ACTION(ADD)

    Where 'NonPrivilegedUser' is a user defined on the remote machine.

An ADDRESSMAP rule of this kind must be set up for every IP address from which the broker is to be administered remotely.
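The following POSIX shell script is an added example and is not part of the IBM page or the product: it generates the setmqaut commands (steps 2 to 4) and the MQSC commands (CHLAUTH(ENABLED) plus step 5) for one queue manager, one non-privileged user and any number of allowed addresses, emitting one ADDRESSMAP rule per address as the page requires. The queue names and the SYSTEM.BKR.CONFIG channel are taken from the page; the queue manager name, user name and addresses are caller-supplied placeholders, and the closing DISPLAY CHLAUTH line is a verification step added here. Step 1 (enabling remote administration) is site-specific and is not generated.

```shell
#!/bin/sh
# Added example (not from the IBM page): generate the commands from the
# procedure above. Nothing is executed against a queue manager; the caller
# reviews the output, runs the setmqaut lines as an mqm member and pipes
# the MQSC lines into runmqsc.

# Queues the page grants +dsp +inq +put +get on (from the page).
BROKER_ADMIN_QUEUES="SYSTEM.MQEXPLORER.REPLY.MODEL SYSTEM.BROKER.DEPLOY.QUEUE SYSTEM.BROKER.DEPLOY.REPLY"

# Reject empty values and values that would break out of an MQSC
# single-quoted string or a shell argument (quote or whitespace).
check_token() {
    case "$1" in
        ''|*\'*|*' '*|*'	'*) echo "invalid value: '$1'" >&2; return 1 ;;
    esac
    return 0
}

# Emit the OS-level setmqaut commands (steps 2-4) for queue manager $1
# and user $2, one line per queue in BROKER_ADMIN_QUEUES.
gen_setmqaut_commands() {
    qm=$1; user=$2
    check_token "$qm" || return 1
    check_token "$user" || return 1
    for q in $BROKER_ADMIN_QUEUES; do
        printf 'setmqaut -m %s -n %s -t queue -p %s +dsp +inq +put +get\n' "$qm" "$q" "$user"
    done
}

# Emit the MQSC commands for user $1 and the addresses $2..: enable
# CHLAUTH, then one ADDRESSMAP rule per address (step 5, repeated for
# every allowed IP address), then a DISPLAY to verify what was added.
gen_mqsc_commands() {
    user=$1; shift
    check_token "$user" || return 1
    [ $# -gt 0 ] || { echo "at least one address is required" >&2; return 1; }
    echo "ALTER QMGR CHLAUTH(ENABLED)"
    for addr in "$@"; do
        check_token "$addr" || return 1
        printf "SET CHLAUTH('SYSTEM.BKR.CONFIG') TYPE(ADDRESSMAP) ADDRESS('%s') MCAUSER('%s') ACTION(ADD)\n" "$addr" "$user"
    done
    echo "DISPLAY CHLAUTH('SYSTEM.BKR.CONFIG')"
}

# Usage: sh broker_admin_access.sh QMNAME username address [address ...]
# Example (constructed values): sh broker_admin_access.sh QM1 alice 192.0.2.10 192.0.2.11
if [ $# -ge 3 ]; then
    qm=$1; user=$2; shift 2
    echo "# OS commands (run as a member of the mqm group):"
    gen_setmqaut_commands "$qm" "$user" || exit 1
    echo "# MQSC commands (pipe into: runmqsc $qm):"
    gen_mqsc_commands "$user" "$@" || exit 1
fi
```

Keeping the generated rules in a file under change control makes it easy to see exactly which addresses were ever mapped to the non-privileged user, and the DISPLAY CHLAUTH output after applying them should list precisely those ADDRESSMAP records.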

bk58230_.htm | Last updated Friday, 21 July 2017