Stopping your queue manager putting messages to remote queues

 

WebSphere MQ for z/OS

Use RACF to prevent users of your queue manager putting messages to a remote queue. With RACF we can define a profile for a named queue regardless of whether that queue exists on your system, so the check applies to queues that are only known through the cluster. The authorization being controlled is the one needed to open the queue with MQOO_OUTPUT.

Platforms other than z/OS

On these platforms we cannot restrict access to an individual queue that does not exist on your queue manager, because the object authority manager only has objects defined locally to check against. However, we can restrict access to all the queues in a cluster at once, because every message leaving for a cluster queue passes through SYSTEM.CLUSTER.TRANSMIT.QUEUE. For example, on queue manager CORK, to grant the user MYUSER access to the queues in a cluster, issue the following setmqaut commands:
setmqaut -m CORK -t qmgr -p MYUSER +connect +inq

setmqaut -m CORK -n SYSTEM.CLUSTER.TRANSMIT.QUEUE -t queue -p MYUSER +put

On iSeries, the equivalent CL commands are:

    GRTMQAUT OBJ(CORK) OBJTYPE(*MQM) USER(MYUSER) +                
         AUT(*CONNECT *INQ)

    GRTMQAUT OBJ(SYSTEM.CLUSTER.TRANSMIT.QUEUE) OBJTYPE(*Q) +      
         USER(MYUSER) AUT(*PUT) MQMNAME(CORK)   

Setting access in this way allows the user MYUSER to put messages to any queue in the cluster; there is no way to grant +put on the transmission queue for some cluster queues but not others.

It is possible to avoid the need to give general access to all cluster resources and +put access to the cluster transmission queue. You do this by defining alias or remote queue definitions on your queue manager that resolve to queues in the cluster, and granting authority on those local definitions instead of on SYSTEM.CLUSTER.TRANSMIT.QUEUE. The authority check is made on the object the application names in its MQOPEN call, the local alias, not on the queue it resolves to, so the user needs no authority on the transmission queue. For example, suppose there is a queue called Q1 in the clusters to which your queue manager CORK belongs. If you define

DEFINE QALIAS(Q1) TARGQ(Q1) DEFBIND(NOTFIXED)

and then issue

setmqaut -m CORK -t qmgr -p GUEST +connect
setmqaut -m CORK -t queue -n Q1 -p GUEST -all +put

the user GUEST would only be able to send messages to the cluster queue Q1. Any other cluster queue, which has no local definition on CORK, resolves to SYSTEM.CLUSTER.TRANSMIT.QUEUE, and GUEST has no +put authority there.

Note that it is not possible to use the same technique for a queue manager alias. When an application names a remote queue manager on MQOPEN, the message is routed through the underlying SYSTEM.CLUSTER.TRANSMIT.QUEUE, so the user would need +put authority on that queue, which again opens up every queue in the cluster.

 

Parent topic:

Keeping clusters secure
