As of version 7.1 of MQ, the default security configuration is more restrictive and as such will probably need to be modified further before you can get a successful connection via a channel that has mcauser('mqm').
Refer to the WebSphere MQ documentation for further information if you still want to use the ‘mqm’ user. It is recommended that you create a new user for LAMAXU to user and apply the OAM authorities as described below.
Please replace the values below with the correct ones for your installation.
{qmgr} Queue Manager Name
{User} The MQ user being used by Lamaxu
Enable Queue Manager Monitoring and Statistics
The MONQ and MONCHL must be set to MEDIUM or higher to enable MQ to publish the Status and event information.
Use the MQSC commands below to modify the queue manager configuration and restart the LAMAXU agent.
ALTER QMGR CHLEV(ENABLED) +
MONCHL(MEDIUM) +
MONQ(MEDIUM) +
PERFMEV(ENABLED) +
STATCHL(MEDIUM) +
STATQ(ON) +
FORCE
MQ8/9 Unauthenticated Channel Setup
To disable the security on the SVRCONN channels execute the following runmqsc commands below.
Note: this should only be performed in DEV for testing purposes.
ALTER AUTHINFO('SYSTEM.DEFAULT.AUTHINFO.IDPWOS') AUTHTYPE(IDPWOS) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(CONNAUTH)
DEFINE CHANNEL('LAMAXU.CHANNEL') CHLTYPE(SVRCONN) MCAUSER({User})
ALTER QMGR CHLAUTH(DISABLED)
OAM Configuration for Objects
The Lamaxu agent needs to be granted access to the following queue manager objects to enable it work.
setmqaut -m {qmgr} -t qmgr -p {User} +connect +dsp +inq
setmqaut -m {qmgr} -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -p {User} +put +dsp +inq
setmqaut -m {qmgr} -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -p {User} +get +dsp
setmqaut -m {qmgr} -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue –p {User} +get +dsp +inq
setmqaut -m {qmgr} -n "**" -t queue -p {User} +inq +dsp
setmqaut -m {qmgr} -n "**" -t topic -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t channel -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t authinfo -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t clntconn -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t comminfo -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t listener -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t namelist -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t process -p {User} +dsp
setmqaut -m {qmgr} -n "**" -t service -p {User} +dspOAM Configuration for Events, Accounting and Statistics
The Lamaxu agent needs to be granted access to the following queue manager event queues to enable it work.
setmqaut -m {qmgr} -n SYSTEM.ADMIN.CHANNEL.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.COMMAND.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.CONFIG.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.LOGGER.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.PERFM.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.PUBSUB.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.QMGR.EVENT -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.STATISTICS.QUEUE -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.ACCOUNTING.QUEUE -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.TRACE.ACTIVITY.QUEUE -t queue -p {User} +get +dsp +inq +browse
setmqaut -m {qmgr} -n SYSTEM.ADMIN.TRACE.ROUTE.QUEUE -t queue -p {User} +get +dsp +inq +browseZOS RACF Commands for Events, Accounting and Statistics
PE {QMGR}.RESET.* CLASS(MQCMDS) ID({USER}) ACCESS(CONTROL)
PE {QMGR}.QUEUE.* CLASS(MQADMIN) ID({USER}) ACCESS(CONTROL)
SETR GENERIC(MQCMDS) REFRESH
SETR GENERIC(MQADMIN) REF
SETR RACLIST(MQADMIN) REF
MQ command
REFRESH SECURITY