Broker Administration Security
#1
By default it’s assumed that for a broker administrator, it’s necessary for him to be part of “mqbrkrs” group and if the broker administrative task has something to do with the queue manager associated with the broker, then the user is required to be part of “mqm” as well.

This is true, but there is more to broker administrative security THAN JUST BEING IN THESE 2 GROUPS. However let’s consider a few tasks and the corresponding groups to which the user id has to be a member of in the below table.

[Image: mQQRu5V.png]

So from the above examples we can make out that, if the administrative task involves anything to do with queue manager associated with the broker, then the user has to be part of “mqm” group along with “mqbrkrs” group.

Some of the other tasks which will need “mqm” group access would be

• Creating an execution group since it will involve creating default system queues for the execution group.
• Add or remove broker instance since it involves queue manager instance as well.


Now come a few questions:

1. What if I don’t need any administrative security? How to enable or disable it? If disabled, could anybody connect and deploy code to broker?

2. Once a user is part of mqbrkrs and mqm group, then he has full access to do anything with Broker and MQ. Wouldn't it be preferable to have differential access where a developer could be given access only to see what’s deployed or see the status of brokers, or message flows, some users only to deploy, etc.?

To answer the first question

--> Broker administrative security is an optional feature and it can be enabled while creating broker or could be enabled later as well with mqsichangebroker command or through MB explorer.

Does that mean anybody could connect and deploy to Broker if admin security is not enabled?

Answer is No. The user id still needs permissions.

This can be accomplished however not through broker. This is done at the MQ level where a particular user id is given specific access or authorizations to a few particular queues.

To demonstrate this, let’s consider an example.

A Broker BROKER1 is created with Administrative security disabled. Let’s try connecting to the broker through a user id which doesn't have permissions.

To do the administrative tasks, there are a lot of options available. For the demo purpose, I would be using the Config Manager proxy exerciser.

Step 1: Create a local user id “BKRTest”  

Step 2: Create a broker BROKER1 with a user id which is a member of mqbrkrs and mqm group.



Command: mqsicreatebroker.exe BROKER1 -i administrator -a password -q BROKER1QM

-i --> is for serviceUserId, i.e. the user ID that the broker runs under.
-a --> is for password.
-q --> queueManagerName, the WebSphere MQ queue manager that the broker will use.
-s --> is for administrative security. By default this parameter is inactive.
BROKER1QM queue manager will get created if it’s not already created.



[Image: VxBTwMQ.png]


Step 3: Start BROKER1 broker.

Command: mqsistart BROKER1

[Image: ry9ntAp.png]


Step 4: Create an execution group EG1 in Broker1 queue manager.

Command: mqsicreateexecutiongroup BROKER1 -e EG1

[Image: PAN17Oz.png]


Step 5: Start Configuration Manager Proxy Exerciser as “BKRTest” user.

Note: The Configuration Manager Proxy (CMP) is an application programming interface that your applications can use to control broker domains through a remote interface to the Configuration Manager.  We can connect to Broker, deploy and do many administrative tasks using CMP.


Open Broker command console as “BKRTest” user. (By right click and Run as)

[Image: KN1v1of.png]

[Image: NY8eaJh.png]


Navigate to C:\Program Files\IBM\MQSI\7.0\sample\ConfigManagerProxy in command prompt.

C:\Program Files\IBM\MQSI\7.0\sample\ConfigManagerProxy>StartConfigManagerProxyExerciser.bat

[Image: Vwb7SYi.png]


Step 5: Connect to Broker BROKER1 in CMP exerciser.

Click on File-->Connect to Local Broker-->Select BROKER1

[Image: SGCUPGU.png]

[Image: OhcI1La.png]

Step 6: It can be seen that CMP exerciser throws an error “2035” which means the user is not authorized to connect to the broker.

You must be wondering how this is possible since we have disabled administrative security.

Step 7:  Open Command prompt through a user id part of mqm group and run the below commands to give “BKRTest” user the below authorisations.

setmqaut -m BROKER1QM -t qmgr -p BKRTest +connect +inq
setmqaut -m BROKER1QM -n SYSTEM.BROKER.DEPLOY.QUEUE -t queue -p BKRTest +put
setmqaut -m BROKER1QM -n SYSTEM.BROKER.DEPLOY.REPLY -t queue -p BKRTest +get +put


Step 7: Try connecting to the “BROKER1” broker again through CMP exerciser.

It can be seen that this time, we are able to connect to the broker, and the details of the broker are populated in the CMP exerciser.


[Image: eu876sa.png]

Note: To deploy a BAR file, right click on the execution group and select DEPLOY BAR.

To summarize even without administrative security enabled, a user would need below permissions to do administrative tasks.

[Image: HCTGbGh.png]

Let’s get to the second question.

How to give differential access to users?

Example: A developer should be able to just view the broker and the deployed message flows whereas admin should have full access.


For this Administrative security should be enabled in the first case.

Once this is enabled, it must be noted there is a specific queue “SYSTEM.BROKER.AUTH” where all the authorizations related to broker are stored. Also there is a queue created with execution group name -- “SYSTEM.BROKER.AUTH.EGname”. This stores authorizations for users for the execution group.
If you grant a group or a user ID authority at the broker level (on queue SYSTEM.BROKER.AUTH), it does not inherit authority for execution groups. You must explicitly grant authority to all, or to individual, execution groups. However wildcards can be used to give permissions to all the execution groups in one shot like “SYSTEM.BROKER.AUTH*”.

Broker Permission and the equivalent MQ permissions are as below:

[Image: d18jVUd.png]

To summarize an admin should have the below permissions (Connect, deploy, start and stop etc).

[Image: MNmnvt9.png]

Required authority for users who just connect to the broker and view the status:


[Image: qhsv9Fx.png]

Example: Let’s enable administrative security for BROKER1 and give the user “BKRTest” required permissions to first see the status, then perform start and stop tasks and finally permission to deploy BAR file.

Step 1: Stop Broker and enable admin security.

mqsistop BROKER1
mqsichangebroker BROKER1 -s active


[Image: zldwOcF.png]

Step 2: Start broker and try to connect to the broker through CMP with “BKRTest” user ID


[Image: vRP858o.png]

It can be seen that even though, we are able to connect, the execution groups cannot be seen and there is an error thrown as below.

“BIP2852E: The user 'BKRTest' is not authorized to perform the requested operation 'view' against the object 'BROKER1' of type 'Broker'. The user 'BKRTest' needs to have 'Read' permission on the object 'BROKER1' of type 'Broker'”


Step 3: Give MQ permissions for the user “BKRTest” to read or see the status of broker and try to connect again through CMP by disconnecting and connecting again.


Since we have already given Connect and Inquire permissions for the queue manager, Put permission for SYSTEM.BROKER.DEPLOY.QUEUE and put and get permission to SYSTEM.BROKER.DEPLOY.REPLY queue, we will directly proceed to give permissions to SYSTEM.BROKER.AUTH queue.
setmqaut -m BROKER1QM -n SYSTEM.BROKER.AUTH -t queue -p BKRTest +inq

Disconnect and connect through CMP.

It can be seen that even though the status of broker can be seen, the status of Execution group or the deployed message flows cannot be seen in the CMP exerciser.

It also throws an error “BIP2852E: The user 'BKRTest' is not authorized to perform the requested operation 'view' against the object 'EG1' of type 'ExecutionGroup'. The user 'BKRTest' needs to have 'Read' permission on the object 'EG1' of type 'ExecutionGroup'.”


[Image: WLCwwj8.png]

This means we have to give access to “SYSTEM.BROKER.AUTH.EG1” queue as well.

setmqaut -m BROKER1QM -n SYSTEM.BROKER.AUTH.EG1 -t queue -p BKRTest +inq

Right click on the broker and refresh in CMP exerciser.

[Image: QxgdQmf.png]

Step 4: Let’s try to start and stop execution group in CMP.

Right click on EG1 execution group in CMP and click stop.


[Image: 7yb9lRf.png]

It can be seen that the broker rejects the request.


Step 5: Let’s give the user ID “BKRTest” access to start and stop the broker and execution group.

setmqaut -m BROKER1QM -n SYSTEM.BROKER.AUTH -t queue -p BKRTest +set
setmqaut -m BROKER1QM -n SYSTEM.BROKER.AUTH.EG1 -t queue -p BKRTest +set


Try to stop Execution group through CMP.  Right click on EG1 execution group and click stop.
It can be seen that the execution group stops after this.

[Image: DPGUiaz.png]

Step 6: Let’s try and create an execution group (or deploy Bar file)
I would be trying to create an execution group. However deploying a BAR file should result in the same result which would be an error since we haven’t given write permissions.


Right click on the broker in CMP and click create execution group.

It can be seen that broker rejects this request.


[Image: UChX5UZ.png]
Step 7: Let’s give the user ID “BKRTest” access to deploy, create or in general write access.

setmqaut -m BROKER1QM -n SYSTEM.BROKER.AUTH.EG1 -t queue -p BKRTest +put

Step 8: Try to create an execution group or deploy BAR file.
Let’s try Deploy this time. Right Click on the Execution group EG1 and select deploy bar file. Choose the Bar file to deploy.



[Image: hx3crUg.png]

It can be seen that the deployment is successful and the message flows are populated.

Now we have given all the permissions to the user “BKRTest” and he has full admin permissions. Based on the requirements, selective permissions can be given as demonstrated in the example above.

Cheers,
Vinyas
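
Added example, not part of the original post: the grants walked through above, collected into a shell function that prints the `setmqaut` commands for one access level. The function name and the role names viewer, operator and deployer are assumptions made here; the authorities (+inq to view, +set to start and stop, +put on the execution group queue to deploy) are the ones the post uses.

```shell
#!/bin/sh
# Added example: prints (does not run) setmqaut commands for one access level.
# Role names and the function name are hypothetical, not IBM terms.

# usage: broker_role_grants QMGR PRINCIPAL ROLE [EXECUTION_GROUP...]
broker_role_grants() {
    if [ "$#" -lt 3 ]; then
        echo "usage: broker_role_grants QMGR PRINCIPAL ROLE [EG...]" >&2
        return 2
    fi
    qmgr=$1; principal=$2; role=$3
    shift 3

    # Authorities on the SYSTEM.BROKER.AUTH* queues as used in the post:
    # inq = view, set = start/stop, put = deploy. Authorities a role does
    # not need are removed explicitly (-auth), so a downgrade takes effect.
    case $role in
        viewer)   broker_auth="+inq -set -put"; eg_auth="+inq -set -put" ;;
        operator) broker_auth="+inq +set -put"; eg_auth="+inq +set -put" ;;
        deployer) broker_auth="+inq +set -put"; eg_auth="+inq +set +put" ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac

    # Validate every name before printing anything. Wildcards are refused so
    # each grant covers exactly one named execution group (assumed charset).
    for eg in "$@"; do
        case $eg in
            ""|*[!A-Za-z0-9_.]*) echo "bad execution group: $eg" >&2; return 2 ;;
        esac
    done

    # Baseline MQ access needed to reach the broker at all.
    echo "setmqaut -m $qmgr -t qmgr -p $principal +connect +inq"
    echo "setmqaut -m $qmgr -n SYSTEM.BROKER.DEPLOY.QUEUE -t queue -p $principal +put"
    echo "setmqaut -m $qmgr -n SYSTEM.BROKER.DEPLOY.REPLY -t queue -p $principal +get +put"
    # Broker-level and per-execution-group authorization queues.
    echo "setmqaut -m $qmgr -n SYSTEM.BROKER.AUTH -t queue -p $principal $broker_auth"
    for eg in "$@"; do
        echo "setmqaut -m $qmgr -n SYSTEM.BROKER.AUTH.$eg -t queue -p $principal $eg_auth"
    done
}

# Constructed sample call: view-only access for BKRTest on EG1.
broker_role_grants BROKER1QM BKRTest viewer EG1
```

Review the printed commands, then run them from a command prompt opened by a member of the mqm group, as in Step 7 of the first example.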
#2
Thanks for the useful information and it is interesting. Could you please post more information on Message Broker components Admin.