Update to MQ Security Heats Up comment thread

There’s a comment thread going on over at the “WebSphere MQ Security Heats Up” post regarding the script settings as originally published versus the updates I have posted on this site.

RKPowers writes “I am still confused about the +set option on the QMgr. I think what you are saying is that we need to use different security settings for different versions of WMQ. Thus, we should include +set for versions of WMQ prior to V7, and omit it for V7.”

The only way to explain this is with links back to the WMQ v6.0 docs and that requires a new post instead of comments.  Here goes…

The Channel Security page says that…

“This remote system user ID must be recognized by the target system and have the authority to connect to the queue manager, make inquiries, set attributes, and set context options (+connect, +inq, +set, and +setall). It must also have authority to put messages and set context information (+put and +setall) for the destination and dead-letter queues.”

This is the source of information for the original script in which the comment and setmqaut lines were as follows:

# Allow MCAUSER to connect.  Needs +set and +setall per IBM docs.
setmqaut -m QMGR -g mqmmca -t qmgr -all +connect +inq +set +setall

The problem here is that the queue manager in v6.0 does not actually have any API-settable attributes.  This is confirmed in the Setting queue attributes page which states that “You cannot use the MQI to set the attributes of WebSphere MQ objects other than locally-defined queues.”  This is also corroborated in the Programmer’s Reference manual where the MQSET call is documented and the manual states “Use the MQSET call to change the attributes of an object represented by a handle. The object must be a queue.”

Short answer, the documentation is wrong.  Not only does the MCA not require +set on the queue manager in v6.0, setting queue manager attributes via the MQ API is not even possible at this version.  I’ll open up a PMR and see if I can get that changed. [Update 27 Feb, 2009:  PMR – 89278,082,000 was opened]
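As an added example (not part of the original scripts), here is one way to find the unneeded grant in an existing setmqaut script: it flags lines that give +set on a queue manager object while leaving +setall and queue-level grants alone. The function names and the queue line in the sample input are constructed for illustration.

```shell
# Added example: report setmqaut lines that grant +set on a queue manager.
# find_qmgr_set is a hypothetical helper; it reads script text on stdin,
# prints "<line number>: <line>" per finding, and exits 0 only if any were found.
find_qmgr_set() {
  awk '
    /^[ \t]*#/ { next }                        # ignore comment lines
    {
      is_setmqaut = 0; objtype = ""; has_set = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "setmqaut") is_setmqaut = 1
        if ($i == "-t" && i < NF) objtype = tolower($(i + 1))
        if ($i == "+set") has_set = 1          # exact token: +setall is a different authority
      }
      if (is_setmqaut && objtype == "qmgr" && has_set) {
        print NR ": " $0
        found = 1
      }
    }
    END { exit found ? 0 : 1 }
  '
}

# Constructed sample input: the line from the original script, the same line
# without +set, and a queue-level grant (MQSET applies to queues, so not flagged).
sample_script() {
  cat <<'EOF'
# Allow MCAUSER to connect.  Needs +set and +setall per IBM docs.
setmqaut -m QMGR -g mqmmca -t qmgr -all +connect +inq +set +setall
setmqaut -m QMGR -g mqmmca -t qmgr -all +connect +inq +setall
setmqaut -m QMGR -g mqmmca -n 'SOME.QUEUE' -t queue -all +put +set +setall
EOF
}

sample_script | find_qmgr_set || true
```

Only line 2 of the sample is reported.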

There are a couple of other inconsistencies in the scripts that I need to clean up.  For starters, they can’t seem to decide if they are read-only or read/write based on differences in whether the +put option is set.  I need to work on them but won’t have time this weekend since I’m flying out Sunday and need to get the podcast produced before then.  Hopefully next weekend I’ll be able to update them again.
