The WebSphere MQ Explorer GUI provides a user-friendly way to administer your queue managers.
With a little work, you can use it as a read-only ‘viewer’ instead. If you have some staff who don’t have authority to make changes to the WMQ network, but need them to be able to monitor what is happening, this would let them use WMQ Explorer to do it. If your staff without authority to make changes are the ones with less WebSphere MQ experience, then this might be a useful approach.
In this post I’ll walk through the steps required to set this up for a single queue manager, and highlight a couple of potential problems to watch out for.
Steps to carry out on the machine hosting the queue manager
- Create a user – making sure that the user is not a member of the mqm group
- Start a channel listener for the queue manager
- Create a server-connection (SVRCONN) channel on the queue manager – setting the MCAUSER attribute to the username defined in step 1
- Use setmqaut to specify which objects you want the user to be able to see
What permissions do you need to grant?
Firstly, you need permission to connect to the queue manager:
setmqaut -m YOUR_QUEUE_MANAGER -t qmgr -p YOUR_USER_NAME +connect +inq +dsp
Next, you need to give permission to the queues that WMQ Explorer will need:
setmqaut -m YOUR_QUEUE_MANAGER -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p YOUR_USER_NAME +get +browse +inq
setmqaut -m YOUR_QUEUE_MANAGER -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p YOUR_USER_NAME +get +browse +inq +put
setmqaut -m YOUR_QUEUE_MANAGER -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -p YOUR_USER_NAME +inq +browse +get +dsp
setmqaut -m YOUR_QUEUE_MANAGER -t q -n 'AMQ.**' -p YOUR_USER_NAME +all
setmqaut -m YOUR_QUEUE_MANAGER -t q -n 'MQAI.**' -p YOUR_USER_NAME +all
Edit (3-Mar-2009): The two lines immediately above have been withdrawn, as granting +all on those profiles creates a security hole – please see this post from T.Rob for more details on why.
Then, you could give access to all objects of a certain type – such as being able to display all channels:
setmqaut -m YOUR_QUEUE_MANAGER -t channel -n '**' -p YOUR_USER_NAME +dsp
You might want to include additional permissions, such as the ability to browse messages on queues, or inquire their attributes:
setmqaut -m YOUR_QUEUE_MANAGER -t q -n '**' -p YOUR_USER_NAME +dsp +inq +browse
See the System Administration Guide section on setmqaut for more detail on the options available.
Steps to carry out on the WebSphere MQ Explorer machine
- Right-click on ‘Queue Managers’ and choose ‘Show Queue Manager’
- Click on the ‘Add’ button
- Enter the queue manager name and click ‘Next’
- Fill in the hostname of the machine hosting the queue manager, the TCP port number for the channel listener you started, and the name of the server-connection channel you created
- Click Finish
Things to watch out for
Note 1: The WebSphere MQ Explorer user will only see the objects which they have the authority to see. So it’s worth being aware that in such a setup, the Explorer is no longer showing a definitive view of the objects on the queue manager.
Note 2: Attempts to view an object which the user isn’t authorised to display can result in an authorisation event. See the Monitoring WebSphere MQ section on ‘Event Monitoring’ for more information. To summarise, if a queue manager has authorisation events (AUTHOREV) enabled, every attempt to access something which a user is not authorised to will cause an event message to be put to the SYSTEM.ADMIN.QMGR.EVENT queue. So, for example, if a user does not have access to display queues, then one authorisation event message will be put to SYSTEM.ADMIN.QMGR.EVENT for each queue they cannot access every time the Queues view in WMQ Explorer is refreshed. This could result in a lot of messages, so you may want to disable AUTHOREV or take steps to handle these messages.
Note 3: If you want to look at queues with WebSphere MQ Explorer in this way, you will need to have Refresh Pack 220.127.116.11 or greater applied. A bug in the Explorer prior to this meant that the failure to display SYSTEM.AUTH.DATA.QUEUE (a queue which it is not possible to give a non-mqm user access to) prevented any queues from being displayed. This is documented more fully in APAR IC49051.
Note 4: When I talk about the WMQ Explorer, I’m referring to the Eclipse-based Explorer that comes with WebSphere MQ version 6. I’ve not tried this on the v5.3 Windows WMQ Explorer.
Note 5: In the examples above, I’ve used the -p option for setmqaut – specifying a specific user. I’ve done this for simplicity, but in practice using -g to specify a group is often easier to manage. See the Sys Admin Guide for the full syntax.
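The permissions section above and Note 5, collected into one script as an added example (this is not code from the original post): it checks that the principal is outside the mqm group (step 1), applies the grants listed above in one repeatable step, and accepts -g for a group in place of -p. Assumed: a POSIX shell, setmqaut on PATH when run for real; the DRY_RUN switch and the function names are my own.

```shell
#!/bin/sh
# Added example: grant a non-mqm principal the read-only WMQ Explorer
# permissions from the post. Set DRY_RUN=1 to print the setmqaut commands
# instead of executing them (assumed convention, not a setmqaut option).

# Run (or, in dry-run mode, print) one setmqaut invocation.
run_setmqaut() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'setmqaut %s\n' "$*"
    else
        setmqaut "$@"
    fi
}

# Guard for step 1 of the post: a member of mqm is already a full
# administrator, so the grants below would be meaningless for them.
# Usage: check_not_mqm USER -> 0 if not a member, 1 if a member or unknown.
check_not_mqm() {
    groups=$(id -nG "$1" 2>/dev/null) || return 1
    case " $groups " in
        *" mqm "*) return 1 ;;
        *) return 0 ;;
    esac
}

# Apply the grants from the post. $1 = queue manager, $2 = principal,
# $3 = -p (default, a user) or -g (a group, as Note 5 recommends).
grant_explorer_readonly() {
    qm=$1; who=$2; flag=${3:--p}
    run_setmqaut -m "$qm" -t qmgr "$flag" "$who" +connect +inq +dsp
    run_setmqaut -m "$qm" -t q -n SYSTEM.DEFAULT.MODEL.QUEUE "$flag" "$who" +get +browse +inq
    run_setmqaut -m "$qm" -t q -n SYSTEM.ADMIN.COMMAND.QUEUE "$flag" "$who" +get +browse +inq +put
    run_setmqaut -m "$qm" -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL "$flag" "$who" +inq +browse +get +dsp
    # Display-only access to all channels and queues. Deliberately no +all on
    # the AMQ.** / MQAI.** profiles, which the post withdrew as a security hole.
    run_setmqaut -m "$qm" -t channel -n '**' "$flag" "$who" +dsp
    run_setmqaut -m "$qm" -t q -n '**' "$flag" "$who" +dsp +inq +browse
}

# Example run: refuse if the user is in mqm, otherwise apply the grants.
# check_not_mqm mqviewer && grant_explorer_readonly QM1 mqviewer
```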