Update: IBM has reconsidered and has announced that dmpmqcfg will be fixed as a defect! Subscribe if you would like a notification when the fix is announced. But please do read the post, especially if you are using amqoamd for anything.
Most of the time when someone says “security” they are actually thinking of intrusion prevention – the parts that keep unauthorized people out of the system. But security is so much more than that. We need to know if our security fails. That part is intrusion detection. After an incident we want to be able to determine how it happened and what to fix so it doesn’t happen again. The logging and accountability functions are what support that forensic analysis. Of course we also need to recover from an incident. That’s the business continuity aspect. All of these fall under the broad security umbrella, and any security assessment that I perform includes aspects of all of them.
But there is an implicit assumption that the tools to perform these functions are available. In particular, the ability to back up a configuration for later recovery is something so fundamental that many people consider it part of the baseline functionality of any Enterprise-class product. But what if it’s not? Or worse, what if you think it is but the provided tools do not actually do what you are expecting? Would you know?
If your shop is concerned about the security of the WebSphere MQ network, then chances are you consciously and deliberately configure your queue managers to prevent administration by adjacent queue managers in the network. If you do not routinely do this, then by default compromise of any one queue manager on the network compromises the entire network. Such a compromise would include any FTE, Broker, Advanced Message Security or other components or applications that can be administered by sending messages to their command queues.
The only problem is, IBM does not currently provide a tool in the product that backs these security settings up accurately. There are two tools, documented in the WebSphere MQ Infocenter and a Technote, which are described as providing configuration backup functionality. Assuming you want that backup to be complete, both are broken. IBM has officially responded in both cases that they are working as designed.
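The question “would you know?” has a practical answer: compare what the backup tool wrote against an independent dump of the live authority records and look for anything the backup dropped. The script below is an added example, not code from the original post or from IBM; it parses `setmqaut` command lines (the format both `amqoamd -s` and `dmpmqcfg -o setmqaut` emit), reduces each to a normalized authority record, and reports records that are present in a reference dump but missing or altered in the backup. The sample dumps are constructed for the example and the specific records in them are assumptions, not an account of what either tool actually omits.

```python
"""Compare two setmqaut-format dumps and report authority records the backup lacks.

Added example: parses 'setmqaut -m QM -t type -n obj -g grp +perm ...' lines
into normalized records so that a backup can be checked for completeness
against an independent dump of the same queue manager.
"""
import shlex
from dataclasses import dataclass

# Options of setmqaut that take one argument; anything else starting with
# '+' or '-' is treated as an authority token (e.g. +put, -all).
_OPTIONS_WITH_ARG = {"-m", "-t", "-n", "-g", "-p", "-s"}


@dataclass(frozen=True)
class AuthRecord:
    qmgr: str
    obj_type: str
    obj_name: str          # "" for the queue manager object itself (-t qmgr)
    entity: str            # "g:<group>" or "p:<principal>"
    perms: frozenset       # authority tokens exactly as written, e.g. "+put"


def parse_setmqaut(line):
    """Return an AuthRecord for one setmqaut line, or None for non-setmqaut input."""
    toks = shlex.split(line, comments=True)
    if not toks or toks[0] != "setmqaut":
        return None
    fields = {"-m": "", "-t": "", "-n": "", "-g": None, "-p": None, "-s": None}
    perms = set()
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in _OPTIONS_WITH_ARG and i + 1 < len(toks):
            fields[tok] = toks[i + 1]
            i += 2
        elif tok[:1] in "+-" and len(tok) > 1:
            perms.add(tok)
            i += 1
        else:
            i += 1  # unknown token; ignore rather than guess
    if fields["-g"] is not None:
        entity = "g:" + fields["-g"]
    elif fields["-p"] is not None:
        entity = "p:" + fields["-p"]
    else:
        return None  # no entity: not a usable authority record
    return AuthRecord(fields["-m"], fields["-t"], fields["-n"], entity, frozenset(perms))


def load_records(text):
    """Map (qmgr, type, name, entity) -> perms for every setmqaut line in text."""
    records = {}
    for line in text.splitlines():
        rec = parse_setmqaut(line)
        if rec is None:
            continue
        key = (rec.qmgr, rec.obj_type, rec.obj_name, rec.entity)
        # The same object/entity may appear on several lines; merge the tokens.
        records[key] = records.get(key, frozenset()) | rec.perms
    return records


def missing_from_backup(reference_text, backup_text):
    """Return sorted human-readable descriptions of reference records the backup
    either lacks entirely or records with a different set of authorities."""
    ref = load_records(reference_text)
    bak = load_records(backup_text)
    problems = []
    for key, perms in ref.items():
        if key not in bak:
            problems.append("MISSING  %s %s %r %s %s" % (key + (sorted(perms),)))
        elif bak[key] != perms:
            problems.append("CHANGED  %s %s %r %s %s -> %s"
                            % (key + (sorted(perms), sorted(bak[key]))))
    return sorted(problems)


# Constructed sample dumps (assumed content, not real tool output).
REFERENCE_DUMP = """\
setmqaut -m QM1 -t qmgr -g mqm +alladm +allmqi
setmqaut -m QM1 -t queue -n APP.REQUEST -g appusers +put +inq
setmqaut -m QM1 -t queue -n APP.REPLY -g appusers +get +browse +inq
"""

BACKUP_DUMP = """\
setmqaut -m QM1 -t qmgr -g mqm +alladm +allmqi
setmqaut -m QM1 -t queue -n APP.REQUEST -g appusers +put
"""

if __name__ == "__main__":
    for problem in missing_from_backup(REFERENCE_DUMP, BACKUP_DUMP):
        print(problem)
```

In practice the reference text would be a fresh `amqoamd -s` or `dmpmqcfg -o setmqaut` dump taken at a known-good moment, and any `MISSING` or `CHANGED` line is a record that restoring the backup would not reproduce.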