Authorization service on Windows systems

On Windows systems:

Principal
Is a Windows user ID, or an ID associated with an application program running on behalf of a user.

Group
Is a Windows group.

Authorizations can be granted or revoked at the principal or group level.

Configuring authorization service stanzas: Windows systems

On WebSphere MQ for Windows each queue manager has its own stanza in the registry.

The Service stanza and the ServiceComponent stanza for the default authorization component are added to the Registry automatically, but can be overridden using mqsnoaut. Any other ServiceComponent stanzas must be added manually.

You can also add the SecurityPolicy attribute using the WebSphere MQ services. The SsecurityPolicy attribute applies only if the service specified on the Service stanza is the authorization service, that is, the default OAM. The SecurityPolicy attribute allows you to specify the security policy for each queue manager. The possible values are:

Default
Specify Default if you want the default security policy to take effect. If a Windows security identifier (NT SID) is not passed to the OAM for a particular user ID, an attempt is made to obtain the appropriate SID by searching the relevant security databases.

NTSIDsRequired
Requires that an NT SID is passed to the OAM when performing security checks.

For more general information about security, see Chapter 10, WebSphere MQ security.

The service component stanza, MQSeries.WindowsNT.auth.service defines the default authorization service component, the OAM. If you remove this stanza and restart the queue manager, the OAM is disabled and no authorization checks are made.


© IBM Corporation 1994, 2002. All Rights Reserved