Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Ops Monitor for MQ 5.6.

Passing user IDs to IBM MQ


IBM MQ grants access based on the user’s ID.

In each queue manager profile, you can specify which user ID is passed to IBM MQ. For more information, see Managing queue manager profiles. These values are described in the following table:


ID

Value

PAS

ID that is associated with the BBI-SS PAS that is passed to IBM MQ

For each queue manager that uses this option, the PAS ID must have the IBM MQ authorizations that are described in the following sections.

Each individual user’s access to IBM MQ objects and commands can be controlled through MainView for MQ. For more information, see the MainView Security Guide and the MainView Security Reference Manual.

USER

ID that is associated with the TSO session that is connected to the BBI-SS PAS that is passed to IBM MQ

This ID allows your existing security definitions in IBM MQ to determine access to IBM MQ objects and commands. The TSO user ID is treated as an alternate user ID.

For each queue manager that uses this option, perform the following steps:

  1. If the IBM MQ alternate user switch profile is not defined, add resource profiles to the MQADMIN class and authorize the BBI-SS PAS ID for UPDATE access to the profiles.

    The format for these resources is:

    ssid.ALTERNATE.USER.alternateUserid

    An example of a resource definition is:

    CSQ1.ALTERNATE.USER.*
  2. If the command security switch profile is not defined, add command profiles for the DISPLAY verb and authorize the BBI-SS PAS ID for READ access to those profiles.

    For more information, see Defining command profiles.

Using the USER keyword for distributed (AGENT) definitions causes the user ID that is associated with the TSO session to be passed to the distributed system for security checks. The user ID must be defined on the distributed system for security checking to process correctly.

For the AGENT queue manager, regardless of the option specified for the security user ID (PAS|USER) statement in the queue manager profile (QMPROF), the BBI-SS PAS user ID must be defined on the AGENT machine (using all lowercase letters).

Note: If the PAS user ID is not defined on the AGENT machine, you see the following messages on the distributed system, where bbiss represents the BBI-SS PAS user ID:

szOUserName = bbiss
UserId = bbiss
begin of Get_NT_SID
end of GET_NT_SID rc = false
Get_NT_SID failed: reason = EXRC_INVALID_USERID ExecutePcf failed. Reason = 20059, Command = 10020

If the PAS user ID is not defined on the AGENT machine, you see the following messages in MainView for MQ when you try to retrieve data from the AGENT:

BBMXB614E Error detected in selector during RefreshBegin
- Related:BBSAC903E QueueManager Connect Failure Context: BRENT
--Related:BBSAAA16E Queue Manager not responding to heart beat Target: BRENT
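The following triage script is an added example, not BMC code: it pairs each Get_NT_SID failure in an agent trace with the user ID the agent tried, checks the all-lowercase requirement, and lists the queue managers named in the related MainView errors. The function names are hypothetical, and the sample input is the message text shown above.

```python
import re

# Sample input: the agent trace and MainView messages shown above.
AGENT_TRACE = """\
szOUserName = bbiss
UserId = bbiss
begin of Get_NT_SID
end of GET_NT_SID rc = false
Get_NT_SID failed: reason = EXRC_INVALID_USERID ExecutePcf failed. Reason = 20059, Command = 10020
"""
MAINVIEW_MESSAGES = """\
BBMXB614E Error detected in selector during RefreshBegin
- Related:BBSAC903E QueueManager Connect Failure Context: BRENT
--Related:BBSAAA16E Queue Manager not responding to heart beat Target: BRENT
"""

USERID_RE = re.compile(r"^UserId = (\S+)")
FAIL_RE = re.compile(r"Get_NT_SID failed: reason = (\w+)")
PCF_RE = re.compile(r"ExecutePcf failed\. Reason = (\d+), Command = (\d+)")
MV_RE = re.compile(r"(BBSAC903E|BBSAAA16E).*?(?:Context|Target): (\S+)")


def agent_findings(trace):
    """Pair each Get_NT_SID failure with the last UserId the agent tried."""
    findings, user = [], None
    lines = trace.splitlines()
    for i, line in enumerate(lines):
        m = USERID_RE.match(line.strip())
        if m:
            user = m.group(1)
            continue
        fail = FAIL_RE.search(line)
        if fail:
            # The ExecutePcf text may share the line or follow on the next one.
            pcf = PCF_RE.search(" ".join(lines[i:i + 2]))
            findings.append({
                "user": user,
                "reason": fail.group(1),
                "pcf_reason": int(pcf.group(1)) if pcf else None,
                "pcf_command": int(pcf.group(2)) if pcf else None,
                # The ID must be defined on the AGENT machine in all lowercase.
                "lowercase": user is not None and user == user.lower(),
            })
    return findings


def affected_queue_managers(messages):
    """Queue managers named in the related connect and heartbeat errors."""
    return sorted({m.group(2) for m in map(MV_RE.search, messages.splitlines()) if m})
```

A finding with reason EXRC_INVALID_USERID points to the BBI-SS PAS user ID that must be defined on the AGENT machine; a finding where `lowercase` is false means the ID in the trace is not all lowercase.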



 
