Setting up the WebSphere MQ Explorer

This section outlines the steps you need to take to set up the WebSphere MQ Explorer.

Prerequisite software

Before you can use the WebSphere MQ Explorer, you must have the following installed on your computer:

• The Microsoft Management Console Version 1.1 or higher (installed as part of WebSphere MQ for Windows installation)
• Internet Explorer Version 4.01 (SP1) (installed as part of WebSphere MQ for Windows installation)

The WebSphere MQ Explorer can connect to remote queue managers using the TCP/IP communication protocol only.

Table 3 summarizes the platforms and command levels that support the WebSphere MQ Explorer.

Table 3. Platforms and command levels

The WebSphere MQ Explorer handles the differences in the capabilities between the different command levels and platforms. However, if it encounters a value that it does not recognize as an attribute for an object, you cannot change the value of that attribute.

Required definitions for administration

Ensure that you have satisfied the following requirements before trying to use the WebSphere MQ Explorer. Check that:

1. A command server is running for any queue manager being administered.
2. A suitable TCP/IP listener exists for every remote queue manager. This can be the WebSphere MQ listener or the inetd daemon as appropriate.
3. The server-connection channel, called SYSTEM.ADMIN.SVRCONN, exists on every remote queue manager. This channel is mandatory for every remote queue manager being administered. Without it, remote administration is not possible.

   You can create the channel using the following MQSC command:

   DEFINE CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN)
   

   This command creates a basic channel definition. If you want a more sophisticated definition (to set up security, for example), you need additional parameters.

Cluster membership

The WebSphere MQ Explorer needs to maintain up-to-date administration data about clusters so that it can communicate effectively with them and display correct cluster information when requested. In order to do this, the WebSphere MQ Explorer needs the following information from you:

• The name of a repository queue manager
• The connection name of the repository queue manager if it is on a remote queue manager

With this information, the WebSphere MQ Explorer can:

• Use the repository queue manager to obtain a list of queue managers in the cluster.
• Administer the queue managers that are members of the cluster and are on supported platforms and command levels.

Administration is not possible if:

• The chosen repository becomes unavailable. The WebSphere MQ Explorer does not switch to an alternative repository.
• The chosen repository cannot be contacted over TCP/IP.
• The chosen repository is running on a queue manager that is running on a platform and command level not supported by the WebSphere MQ Explorer.

The cluster members that can be administered can be local, or they can be remote if they can be contacted using TCP/IP. The WebSphere MQ Explorer connects to local queue managers that are members of a cluster directly, without using a client connection.

Security

If you are using WebSphere MQ in an environment where it is important for you to control user access to particular objects, you might need to consider the security aspects of using the WebSphere MQ Explorer.

Authorization to run the WebSphere MQ Explorer

Before the WebSphere MQ Explorer is enabled, you must:

• Ensure that chosen users have the correct level of authorization. This means being one of the following:
  • A member of the mqm group
  • A member of the Administrators group on the machine running the WebSphere MQ Explorer

Group membership at logon time is used for authorization purposes. If you change the membership so that a user can access the WebSphere MQ Explorer, that user must log off and log back on again.

Security for connecting to remote queue managers

The WebSphere MQ Explorer connects to remote queue managers as an MQI client application. This means that each remote queue manager must have a definition of a server-connection channel and a suitable TCP/IP listener. If you do not specify a nonblank value for the MCAUSER attribute of the channel, or use a security exit, it is possible for a malicious application to connect to the same server connection channel and gain access to the queue manager objects with unlimited authority.

The default value of the MCAUSER attribute is a blank. If you specify a nonblank user name as the MCAUSER attribute of the server connection channel, all programs connecting to the queue manager using this channel run with the identity of the named user and have the same level of authority.

Using a security exit

A more flexible approach is to install a security exit on the server-connection channel SYSTEM.ADMIN.SVRCONN on each queue manager that is to be administered remotely. For information on the supplied security exit, including detailed instructions on setting up and using it, see WebSphere MQ for Windows, V5.3 Quick Beginnings.

Data conversion

When the connection to a queue manager is established, the queue manager's CCSID is also established. This enables the WebSphere MQ Explorer to perform any character set conversions needed to display the data from remote queue managers correctly.

The tables for converting from the UNICODE CCSID to the queue manager CCSID (and vice versa) must be available to the WebSphere MQ Explorer machine otherwise the WebSphere MQ Explorer cannot communicate with the queue manager.

An error message is issued if you try to establish a connection between the WebSphere MQ Explorer and a queue manager with a CCSID that the WebSphere MQ Explorer does not recognize.

Supported conversions are described in the WebSphere MQ Application Programming Reference manual.