IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

Enabling administration security

Enable administration security on a broker to control which users can complete specific tasks against that broker and its resources.

You can optionally enable administration security for a broker when you create it. If you decide to enable administrative security after you have created the broker, you can change the appropriate broker property.

When you create or change a broker, your user ID must be a member of the WebSphere® MQ control group mqm.

  1. To enable broker administration security when you create the broker, select the security option in the "Create broker" wizard in IBM® Integration Explorer, or specify the parameter -s active on the mqsicreatebroker command. For example, to create a broker called IB9NODE with security enabled on AIX®, enter the following command:
    mqsicreatebroker IB9NODE -q IB9QMGR -s active 
    The broker creates the authorization queue SYSTEM.BROKER.AUTH. This queue is used to define which users are authorized to perform an action on the broker.

    The broker also assigns default permissions of inquire, put, and set authority to this queue. These permissions grant read, write, and execute authority on the broker to all members of the mqbrkrs group. Therefore, you must ensure that at least one member of your broker administration team is a member of this group. You must also manage the membership of this group with care, and ensure that this level of authorization is granted only to users who require it.

    On z/OS®, these permissions are implemented as levels of authority in the external security manager (ESM) that you are using with WebSphere MQ. If you are using RACF® as your ESM, the levels are hierarchical: for example, ALTER access implies READ and WRITE access. You must therefore check the documentation for your ESM to understand the authorization levels that it supports. On distributed platforms, no equivalent hierarchy exists, and the three permissions are independent.

  2. To enable broker administration security on an existing broker:
    1. Stop the broker in the IBM Integration Explorer, or run the mqsistop command.
    2. Select the security option for this broker in the IBM Integration Explorer, or run the mqsichangebroker command, specifying the parameter -s active. For example, to enable security for the broker IB9NODE, enter the following command:
      mqsichangebroker IB9NODE -s active 
      The broker creates a queue for each defined integration server, with a name that conforms to the format SYSTEM.BROKER.AUTH.EG, where EG is the name of the integration server. It assigns default permissions of inquire, put, and set authority to the queue, which grants read, write, and execute access to the integration server and its properties, for the mqbrkrs group. These queues, and the broker authorization queue SYSTEM.BROKER.AUTH, are now ready for use.

      The names of the queues that are generated for your integration servers might not exactly match the names of the integration servers, because WebSphere MQ enforces some restrictions on queue names. For details of these restrictions, and their possible effects, see Authorization queues for broker administration security.

    3. Start the broker in the IBM Integration Explorer, or run the mqsistart command.
  3. Check that the user ID under which your broker is running is a member of the WebSphere MQ security group mqm. Without this authority, the broker cannot create or delete the authorization queues for integration servers at run time.

    Because mqm authority grants full access control to all WebSphere MQ resources, you might not want your broker running with this level of authority. If you do not want the broker to run with mqm authority, you must work with your WebSphere MQ administrator to ensure that the required queues are created (and deleted) at the appropriate time.

    If you want to give your broker mqm authority:

    • On Linux and UNIX systems, add to mqm the user ID that started the broker.
    • On Windows, add to mqm the user ID that you specified as the service user ID. When you add this user ID, the same level of authority is granted to all user IDs defined in the same primary group. You must therefore control your group memberships carefully, to ensure that access is not granted to user IDs that do not require it.
    • On z/OS, grant equivalent permissions to the started task user ID.
  4. Check also that the user ID associated with the broker, defined in the previous step, has WebSphere MQ altuser authority. This authority is required by the broker to request WebSphere MQ to check authorities.

    Display registry entries for a broker by using mqsireportbroker brokerName.
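    The following shell script is added here as an example and is not part of the IBM documentation. It runs the stop, change, start sequence from step 2 and then carries out the checks in steps 3 and 4 for the broker's user ID. It assumes the broker IB9NODE and queue manager IB9QMGR named above, that the mqsi commands and the WebSphere MQ dspmqaut command are on the PATH, and that the broker's service user ID is passed as the first argument (a Linux or UNIX system; the user database is read with id).

```shell
#!/bin/sh
# Added example, not IBM's code. Broker and queue manager names come from the page;
# override them with environment variables if yours differ.
BROKER="${BROKER:-IB9NODE}"
QMGR="${QMGR:-IB9QMGR}"

# Return 0 if user $1 is a member of group $2. The full group list is checked,
# not only the primary group, because mqm membership may be supplementary.
user_in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Return 0 if a dspmqaut report on stdin lists the altusr authority (the MQ
# name for the "altuser" authority the broker needs to ask MQ to check
# authorities). Constructed sample of the report shape this expects:
#   Entity ibmbrkr has the following authorizations for object IB9QMGR:
#           altusr
#           connect
has_altusr() {
    grep -qw 'altusr'
}

# Step 2: the broker must be stopped before mqsichangebroker is run, and the
# user running these commands must be in mqm.
enable_admin_security() {
    if ! user_in_group "$(id -un)" mqm; then
        echo "user $(id -un) must be a member of mqm to change $BROKER" >&2
        return 1
    fi
    mqsistop "$BROKER" &&
    mqsichangebroker "$BROKER" -s active &&
    mqsistart "$BROKER"
}

# Steps 3 and 4: the broker's user ID ($1) needs mqm membership so it can create
# and delete SYSTEM.BROKER.AUTH.* queues, and altusr authority on the queue manager.
verify_broker_user() {
    user_in_group "$1" mqm ||
        { echo "$1 is not in mqm: broker cannot manage authorization queues" >&2; return 1; }
    dspmqaut -m "$QMGR" -t qmgr -p "$1" | has_altusr ||
        { echo "$1 lacks altusr on $QMGR: broker cannot request authority checks" >&2; return 1; }
}

if [ -n "$1" ]; then
    enable_admin_security && verify_broker_user "$1" && echo "administration security enabled on $BROKER"
fi
```

Run it as the broker's own user with that user ID as the argument; if you have chosen not to give the broker mqm authority, the verify_broker_user check for mqm membership will fail by design and the queue handling must instead be arranged with your WebSphere MQ administrator.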

Next: Grant authority to users to reflect what tasks you want them to be able to complete, by populating the queues with the appropriate details. This task is described in Authorizing users for administration.

bp43600_.htm | Last updated Friday, 21 July 2017