You can optionally enable administration security for a broker when you create it. If you decide to enable administrative security after you have created the broker, you can change the appropriate broker property.

When you create or change a broker, your user ID must be a member of the WebSphere® MQ control group mqm.
- To enable broker administration security when you create the broker, select the security option in the "Create broker" wizard in IBM® Integration Explorer, or specify the parameter -s active on the mqsicreatebroker command. For example, to create a broker called IB9NODE with security enabled on AIX®, enter the following command:

    mqsicreatebroker IB9NODE -q IB9QMGR -s active

  The broker creates the authorization queue SYSTEM.BROKER.AUTH. This queue is used to define which users are authorized to perform an action on the broker. The broker also assigns default permissions of inquire, put, and set authority to this queue. These permissions grant read, write, and execute authority on the broker to all members of the mqbrkrs group. Therefore, you must ensure that at least one member of your broker administration team is a member of this group. You must also manage the membership of this group with care, and ensure that this level of authorization is granted only to users who require it.

  On z/OS®, these permissions are implemented as levels of authority in the external security manager (ESM) that you are using with WebSphere MQ. If you are using RACF® as your ESM, the levels are hierarchical: for example, ALTER access implies READ and WRITE access. You must therefore check the documentation for your ESM to understand the authorization levels that it supports. On distributed platforms, no equivalent hierarchy exists, and the three permissions are independent.
- To enable broker administration security on an existing broker:

  - Stop the broker in the IBM Integration Explorer, or run the mqsistop command.

  - Select the security option for this broker in the IBM Integration Explorer, or run the mqsichangebroker command, specifying the parameter -s active. For example, to enable security for the broker IB9NODE, enter the following command:

        mqsichangebroker IB9NODE -s active

    The broker creates a queue for each defined integration server, with a name that conforms to the format SYSTEM.BROKER.AUTH.EG, where EG is the name of the integration server. It assigns default permissions of inquire, put, and set authority to the queue, which grants read, write, and execute access to the integration server and its properties, for the mqbrkrs group. These queues, and the broker authorization queue SYSTEM.BROKER.AUTH, are now ready for use.

    The names of the queues that are generated for your integration servers might not match the names of the integration servers exactly, because WebSphere MQ enforces some restrictions on authorization queue names. For details of these restrictions, and their possible effects, see Authorization queues for broker administration security.

  - Start the broker in the IBM Integration Explorer, or run the mqsistart command.

  - Check that the user ID under which your broker is running is a member of the WebSphere MQ security group mqm. Without this authority, the broker cannot create or delete the authorization queues for integration servers at run time.

    Because mqm authority grants full access control to all WebSphere MQ resources, you might not want your broker running with this level of authority. If you do not want the broker to run with mqm authority, you must work with your WebSphere MQ administrator to ensure that the required queues are created (and deleted) at the appropriate time.

    If you want to give your broker mqm authority:

    - On Linux and UNIX systems, add to mqm the user ID that started the broker.
    - On Windows, add to mqm the user ID that you specified as the service user ID. When you add this user ID, the same level of authority is granted to all user IDs defined in the same primary group. You must therefore control your group memberships carefully to ensure that access is not granted to user IDs that do not require it.
    - On z/OS, grant equivalent permissions to the started task user ID.

  - Also check that the user ID associated with the broker, defined in the previous step, has WebSphere MQ altuser authority. The broker requires this authority to request that WebSphere MQ check authorities on its behalf.
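The prerequisite checks from the steps above (mqm membership and altuser authority for the broker user ID, mqbrkrs membership for the default authorization queue permissions), as an added shell example that is not part of the IBM documentation. It assumes a Linux or UNIX broker where id -nG and the WebSphere MQ dspmqaut command are available; the function names and the sample dspmqaut output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM's own code: pre-flight checks for the prerequisites this page
# lists before you run "mqsichangebroker <broker> -s active". Assumptions: Linux/UNIX,
# `id -nG` is available, and WebSphere MQ's dspmqaut is on the PATH. The "altuser"
# authority named on the page is the altusr keyword that dspmqaut/setmqaut use.

# Constructed sample of dspmqaut output, used to exercise has_authority offline.
SAMPLE_DSPMQAUT='Entity mqbrkrs has the following authorizations for object IB9QMGR:
        inq
        connect
        altusr'

# in_group GROUPLIST GROUP: succeed if GROUP appears in the space-separated GROUPLIST
in_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# has_authority DSPMQAUT_OUTPUT AUTH: succeed if AUTH is one of the listed authorities
# (dspmqaut prints a header line, then one indented authority keyword per line)
has_authority() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//' | grep -qx -- "$2"
}

# check_broker_user USER QMGR: report each unmet prerequisite; exit status 0 if all are met
check_broker_user() {
    user=$1; qmgr=$2; rc=0
    groups=$(id -nG "$user" 2>/dev/null) || { echo "ERROR: unknown user $user"; return 2; }
    if ! in_group "$groups" mqm; then
        echo "WARN: $user is not in mqm; the broker cannot create or delete SYSTEM.BROKER.AUTH.EG queues at run time"
        rc=1
    fi
    if ! in_group "$groups" mqbrkrs; then
        echo "WARN: $user is not in mqbrkrs, so the default inquire/put/set permissions on SYSTEM.BROKER.AUTH do not apply to it"
        rc=1
    fi
    # On UNIX, -p resolves to the user's primary group unless the queue manager uses user-based authorization
    auths=$(dspmqaut -m "$qmgr" -t qmgr -p "$user" 2>/dev/null)
    if ! has_authority "$auths" altusr; then
        echo "WARN: $user lacks altusr on $qmgr; the broker cannot ask WebSphere MQ to check authorities"
        rc=1
    fi
    return $rc
}

# Usage: check_broker_user <broker-user-id> IB9QMGR
```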
Display registry entries for a broker by using mqsireportbroker brokerName.
Next: Grant authority to users to reflect the tasks that you want them to be able to complete, by populating the queues with the appropriate details. This task is described in Authorizing users for administration.