A non-privileged MQ administrator

The developerWorks Connections platform, which hosted the AIM Support Blog, was sunset as of 31st December 2019. The blog post below was something I wrote previously on that platform, and since I consider it to still be useful, I am now hosting a copy here. I have retained the original posting date but in this case have been unable to retain the original comments as the post had already been deleted by early December.

With the new feature in WebSphere MQ V7.1 called Channel Authentication Records (or CHLAUTH for short) there is a lot of talk about privileged users and administrator access. In this post I want to discuss how to create a non-privileged MQ administrator.

Before I begin let me define what I mean by each of those terms.

Privileged user

A privileged user is a user that has authorization to do an operation without being explicitly granted access to do that operation. The users in the mqm group are examples of these privileged users, but of course this does differ a little from platform to platform, so rather than using the term ‘mqm user’ I will use the term privileged user.

MQ Administrator

A lot of people use the term ‘administrator’ to mean a privileged user. In this post, I am using it to mean a person who has a need to issue administrative commands against WebSphere MQ, such as DEFINE QLOCAL or START CHANNEL. This person does not have to be a privileged user, as we will see.

Now let’s see how we can put the two together.

Creating a non-privileged MQ Administrator

Here are some simple steps to get you to the point where you have a non-privileged MQ Administrator:

  1. The first thing we need is a user ID on the queue manager machine that is not a privileged user. I will not show the commands to do this here as they are platform dependent. I will use the user ID ‘alice’ from the group ‘mqadmin’ for my example.
  2. Now that we have this user, there is a very quick way to grant this new user authority to issue all MQ admin commands.
    • Start up the MQ Explorer using a privileged user.
    • Navigate to the Role Based Wizard from the queue manager → Object Authorities → Add Role Based Authorities…
    • In the wizard panel that pops up, enter the group name for the user or set of users that you wish to make into non-privileged MQ Administrators.
    • This wizard can set up two different types of access, read-only access or full administrative access. We want full administrative access for our purposes.
    • If you want to allow your non-privileged MQ Administrator to be able to browse messages on queues, also select that check box.
    • Review the commands in the preview panel at the bottom of the wizard. You can cut and paste these commands to build your own scripts. One reason you may prefer to do this with your own script is to reduce the amount of access you give to this user. Perhaps rather than granting access to all objects, you might prefer to only grant access to a certain group of objects. Pressing OK on the wizard will actually issue the commands as they are shown.
  3. We assume the requirement for a non-privileged MQ Administrator is for remote access, so we’ll also want to set up some CHLAUTH rules to allow this remote access to use this user ID. We assume that we’re running with the recommendations made in CHLAUTH – the back-stop rule, so we therefore only need to add an enabling rule. The rule we create depends on how we choose to authenticate our remote MQ Administrators. Here are a couple of possibilities.
    1. If we are using password authentication (with an address check) then we might set up a CHLAUTH rule which looks like this:
      SET CHLAUTH(admin-channel-name)
          TYPE(ADDRESSMAP) ADDRESS('1.2.3.4')
          USERSRC(MAP) MCAUSER('alice')
          CHCKCLNT(REQUIRED)
          DESCR('Admin Channel - Password authentication')
    2. If we are using SSL/TLS authentication then we might set up a CHLAUTH rule which looks like this:
      SET CHLAUTH(admin-channel-name)
          TYPE(SSLPEERMAP) SSLPEER('CN=Alice') ADDRESS('1.2.3.4')
          USERSRC(MAP) MCAUSER('alice')
          DESCR('Admin Channel - SSL authentication')

So now when someone connects into the admin-channel-name (and matches the CHLAUTH rules) they will be able to issue commands under the user ID ‘alice’ on the queue manager, and so privileged remote access is not required.
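As an added example (not part of the original post or any MQGem code), the script below does step 2 by hand instead of through the wizard, following the suggestion above of granting access only to a certain group of objects rather than to everything. The queue manager name QM1, the group mqadmin, the APP. name prefix and the exact authority set are assumptions; the membership check refuses the mqm group so the result stays a non-privileged administrator, and DRY_RUN=1 prints the setmqaut commands for review instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: a scripted form of the grants the
# Role Based Wizard previews, narrowed to objects under one name prefix.
# QM1, mqadmin and the APP. prefix are assumptions, as is the exact authority
# set (the usual one for remote MQ Explorer / runmqsc administration).
# DRY_RUN=1 prints each setmqaut command instead of executing it.
set -eu
DRY_RUN="${DRY_RUN:-0}"

run() {                      # print in dry-run mode, otherwise execute
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

check_not_privileged() {     # the administrator must NOT be in the mqm group
    if [ "$1" = mqm ]; then
        echo "refusing to grant to the privileged group $1" >&2
        return 1
    fi
}

# grant_admin QMGR GROUP PREFIX [yes|no]   (4th argument: allow browsing messages)
grant_admin() {
    qm="$1"; group="$2"; prefix="$3"; browse="${4:-no}"
    check_not_privileged "$group" || return 1
    # Connect to and administer the queue manager object itself (+crt assumed
    # here so that new objects can be defined)
    run setmqaut -m "$qm" -t qmgr -g "$group" +connect +inq +alladm +crt
    # Command server input queue and the reply model queue remote admin tools use
    run setmqaut -m "$qm" -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -g "$group" +put +inq +dsp
    run setmqaut -m "$qm" -t queue -n SYSTEM.MQEXPLORER.REPLY.MODEL -g "$group" +dsp +get +inq +put
    # Administrative authority only on objects matching the generic profile PREFIX**
    qauth="+alladm +crt"
    [ "$browse" = yes ] && qauth="$qauth +browse"
    # $qauth is unquoted on purpose so each +authority becomes a separate argument
    run setmqaut -m "$qm" -t queue -n "${prefix}**" -g "$group" $qauth
    for type in channel listener process namelist topic authinfo service; do
        run setmqaut -m "$qm" -t "$type" -n "${prefix}**" -g "$group" +alladm +crt
    done
}

# show_auth QMGR QUEUE USER: check what one member of the group ended up with
show_auth() {
    run dspmqaut -m "$1" -t queue -n "$2" -p "$3"
}
```

Run it once with DRY_RUN=1 to compare the generated commands against the wizard's preview panel, then without it as a privileged user on the queue manager machine.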

The team at MQGem would love to hear what you think.