
On AIX and Linux , MQ MFT agent files are all owned by mqm, and subsequently the agent processes run as mqm in the process list. In addition, when the agent connects to an MQ Manager, the connection user is mqm. Due to security - I would like to have a different user appear in the connections to the MQ manager. Is there a way to run an MQ MFT agent as the mqm user, but the outbound connections to the MQ Manager are done as a different user, for example mqmftuser001, rather than mqm?

jc303
    _On AIX and Linux , MQ MFT agent files are all owned by mqm, and subsequently the agent processes run as mqm_ It doesn't depend on the file owner, it depends on the user that started the process. – Lorinczy Zsigmond Apr 19 '21 at 14:04
    You can use MQMFTCredentials.xml file to map a local user to mquserid for connecting to agent queue manager. For example - . The file will need to be placed in users home directory and only logged in user must have permissions on the file and all other users should have no access. – Shashi Apr 19 '21 at 14:14
  • @Shashi I did see this file in the samples folder but where is this file actually supposed to be and how is it read when the agent starts up? Also, when you say "The file will need to be placed in users home directory and only logged in user must have permissions on the file and all other users should have no access" do you mean, this should be in the home folder of "localuser" as in your example? How does MQ know to read it from that directory? So can I keep the main /var/mqm folder and all its files, but create a new user with a home folder that only contains that MQMFTCredentials.xml? – jc303 Apr 19 '21 at 14:56
  • When an MFT agent starts, by default it looks into logged-in users home directory for MQMFTCredentials.xml file. Users home directory is a secure directory. Hence the credentials file can be placed there. – Shashi Apr 19 '21 at 15:47

1 Answer

You can use MQMFTCredentials.xml file to map a local user to mquserid for connecting to agent queue manager. For example -

    <tns:qmgr name="MFTQM" user="localuser" mqUserId="mqagentuser" mqPassword="Password" useMQCSPAuthentication="true"/>

The file needs to be placed in a secure folder where no user other than the one that starts the agent has access permissions. Generally this will be the user's home directory, $HOME.

You can override the default credential path by setting the agent property agentQMgrAuthenticationCredentialsFile. The path specified for the property must be secure as mentioned before.

Shashi
  • Does anything special need to be applied to the MQ manager in this instance, or is it simply defining an mqaut user that can access that channel and queue manager – jc303 Apr 20 '21 at 11:59
  • You will have to define appropriate authorities on the queue manager for that user to connect to the queue manager and access MFT objects - https://www.ibm.com/docs/en/ibm-mq/9.2?topic=resources-restricting-group-authorities-mft-specific – Shashi Apr 20 '21 at 12:11
  • I added the parameter agentQMgrAuthenticationCredentialsFile in agent.properties and I put the file MQMFTCredentials.xml in the /var/mqm folder, however how can I see if the correct user is being presented to the queue manager? – jc303 May 07 '21 at 14:47
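As an added example (not code from the question, the answer, or IBM MQ itself), the script below works through the answer's two points: it parses a constructed MQMFTCredentials.xml containing one qmgr entry of the shape shown above, works out which identity the agent should present for a given OS user and queue manager, and checks the file against the "only the user that starts the agent may access it" rule. The queue manager name MFTQM is taken from the answer and the target identity mqmftuser001 from the question; the namespace URI in the sample, and the assumption that an unmapped OS user is presented unchanged (the mqm-on-the-connection behaviour the question describes), are mine rather than documented facts, so the parser matches on local tag names only.

```python
"""Sanity-check an MQMFTCredentials.xml mapping and the permissions of the file
holding it, before trusting that the agent will present the mapped MQ user.
POSIX only (os.getuid), matching the AIX/Linux setting of the question."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: one qmgr entry of the shape shown in the answer above,
# mapping the OS user mqm to the MQ identity mqmftuser001 from the question.
# The namespace URI is an assumption; the parser matches on local tag names only.
SAMPLE_CREDENTIALS = """<?xml version="1.0" encoding="UTF-8"?>
<tns:mqmftCredentials xmlns:tns="http://wmqfte.ibm.com/MQMFTCredentials">
  <tns:qmgr name="MFTQM" user="mqm" mqUserId="mqmftuser001"
            mqPassword="placeholder-password" useMQCSPAuthentication="true"/>
</tns:mqmftCredentials>
"""


def _local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def load_mappings(xml_text):
    """Return one dict per <qmgr> element with the attributes that matter here."""
    root = ET.fromstring(xml_text)
    mappings = []
    for element in root.iter():
        if _local_name(element.tag) != "qmgr":
            continue
        mappings.append({
            "qmgr": element.get("name"),
            "local_user": element.get("user"),
            "mq_user": element.get("mqUserId"),
            "has_password": element.get("mqPassword") is not None,
            "mqcsp": element.get("useMQCSPAuthentication", "false").lower() == "true",
        })
    return mappings


def effective_mq_user(mappings, qmgr_name, os_user):
    """Identity the agent is expected to present to qmgr_name when started by os_user.

    A matching (qmgr, user) entry wins. With no entry this assumes the agent falls
    back to the OS user it runs as, which is how mqm showed up in the question."""
    for mapping in mappings:
        if mapping["qmgr"] == qmgr_name and mapping["local_user"] == os_user:
            return mapping["mq_user"]
    return os_user


def permission_problems(path, expected_uid):
    """Apply the answer's rule: only the user that starts the agent may access the file."""
    st = os.stat(path)
    problems = []
    if st.st_uid != expected_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other bits set, mode is %o" % stat.S_IMODE(st.st_mode))
    return problems


def check_sample_file(mode):
    """Write the constructed sample with the given mode, check it, clean up, return findings."""
    fd, path = tempfile.mkstemp(prefix="MQMFTCredentials-", suffix=".xml")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(SAMPLE_CREDENTIALS)
        os.chmod(path, mode)  # explicit chmod so the caller's umask does not matter
        return permission_problems(path, os.getuid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    mappings = load_mappings(SAMPLE_CREDENTIALS)
    for entry in mappings:
        print("qmgr %(qmgr)s: OS user %(local_user)s -> MQ user %(mq_user)s (MQCSP=%(mqcsp)s)" % entry)
    print("started by mqm:  ", effective_mq_user(mappings, "MFTQM", "mqm"))
    print("started by other:", effective_mq_user(mappings, "MFTQM", "someoneelse"))
    print("0600 file problems:", check_sample_file(0o600))
    print("0644 file problems:", check_sample_file(0o644))
```

Point permission_problems at the real path you set in agentQMgrAuthenticationCredentialsFile (or $HOME/MQMFTCredentials.xml when the property is unset) and the uid that starts the agent; a non-empty result means the file is readable by more than that user and the placement rule from the answer is not met. The script only predicts the identity the agent should present; confirming what the queue manager actually sees is a separate check on the queue manager side.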