[UNIX, Linux, Windows, IBM i]

Service stanza of the qm.ini file

The Service stanza is used to make changes to installable services. This stanza contains the name of the service and the number of entry points defined for the service.

Note: [Windows][Linux]There are significant implications to changing installable services and their components. For this reason, the installable services are read-only in IBM® MQ Explorer.

For each component within a service, you must also specify the name and path of the module containing the code for that component. Use the ServiceComponent stanza for this.

The Service and ServiceComponent stanzas can occur in any order and the stanza keys under them can also occur in any order. For either of these stanzas, all the stanza keys must be present. If a stanza key is duplicated, the last one is used.

At startup time, the queue manager processes each service component entry in the configuration file in turn. It then loads the specified component module, invoking the entry point of the component (which must be the entry point for initialization of the component), passing it a configuration handle.

Name = AuthorizationService (default) |NameService
The name of the required service.
AuthorizationService
For IBM MQ, the AuthorizationService component is known as the object authority manager, or OAM. The Service stanza and its associated ServiceComponent stanza are added automatically when the queue manager is created, but can be overridden by the MQSNOAUT environment variable. Add other ServiceComponent stanzas manually.
[AIX][Linux]The following examples of stanzas in the qm.ini file define two authorization service components on IBM MQ for AIX®. MQ_INSTALLATION_PATH represents the high-level directory in which IBM MQ is installed.

 Service:
    Name=AuthorizationService
    EntryPoints=13
 
 ServiceComponent:
    Service=AuthorizationService
    Name=MQSeries.UNIX.auth.service
    Module=MQ_INSTALLATION_PATH/lib/amqzfu
    ComponentDataSize=0
 
 ServiceComponent:
    Service=AuthorizationService
    Name=user.defined.authorization.service
    Module=/usr/bin/udas01
    ComponentDataSize=96

[AIX][Linux]The ServiceComponent stanza MQSeries.UNIX.auth.service defines the default authorization service component, the OAM. If you remove this stanza and restart the queue manager, the OAM is disabled and no authorization checks are made.

[Windows]You can also add the SecurityPolicy attribute using the IBM MQ services. The SecurityPolicy attribute applies only if the service specified on the Service stanza is the authorization service, that is, the default OAM. The SecurityPolicy attribute allows you to specify the security policy for each queue manager. The possible values are:
Default
Specify Default if you want the default security policy to take effect. If a Windows security identifier (NT SID) is not passed to the OAM for a particular user ID, an attempt is made to obtain the appropriate SID by searching the relevant security databases.
NTSIDsRequired
Requires that an NT SID is passed to the OAM when performing security checks.

[Windows]The ServiceComponent stanza MQSeries.WindowsNT.auth.service defines the default authorization service component, the OAM. If you remove this stanza and restart the queue manager, the OAM is disabled and no authorization checks are made.

NameService
No name service is provided by default. If you require a name service, you must add the NameService stanza manually.
[AIX][Linux]The following examples of AIX and Linux® qm.ini file stanzas for the name service specify a name service component provided by the (fictitious) ABC company.

# Stanza for name service
 Service:
    Name=NameService
    EntryPoints=5
 
# Stanza for name service component, provided by ABC
 ServiceComponent:
    Service=NameService
    Name=ABC.Name.Service
    Module=/usr/lib/abcname
    ComponentDataSize=1024

[Windows]Note: On Windows systems, NameService stanza information is stored in the Registry.
EntryPoints= number-of-entries
The number of entry points defined for the service.

This includes the initialization and termination entry points.

[Windows]SecurityPolicy= Default|NTSIDsRequired
On Windows systems, the SecurityPolicy attribute applies only if the service specified is the default authorization service, that is, the OAM. The SecurityPolicy attribute allows you to specify the security policy for each queue manager.
The possible values are:
Default
Use the default security policy. If a Windows security identifier (NT SID) is not passed to the OAM for a particular user ID, an attempt is made to obtain the appropriate SID by searching the relevant security databases.
NTSIDsRequired
Pass an NT SID to the OAM when performing security checks.

For more information, see Windows security identifiers (SIDs).

See also Configuring authorization service stanzas: Windows systems.
[AIX][Linux]SecurityPolicy=user|group|UserExternal|default
On AIX and Linux systems, the value specifies whether the queue manager uses user-based or group-based authorization. Values are not case sensitive.
The value can be one of the following values:
group
The queue manager uses group-based authorization. Authority to access a resource is granted to a group.
A user receives the aggregate of all the authorities that are granted to each group that it belongs to.
User IDs and groups must be defined to the local operating system.
user
The queue manager uses user-based authorization. Authority to access a resource can be granted to a group, or a specific user ID.
A user receives the aggregate of the following authorities:
  • Authorities that are granted to the specific user.
  • Authorities that are granted to each group that the user belongs to.
User IDs and groups must be defined to the local operating system.
[MQ 9.3.0 Jun 2022]UserExternal
The queue manager uses user-based authorization. However, authorities can be granted to user IDs that are not known to the local operating system.
Authority to access a resource can be granted to a group, or a specific user ID.
A user receives the aggregate of the following authorities:
  • Authorities that are granted to the specific user.
  • Authorities that are granted to each group that the user belongs to.
If a user is not known to the local operating system, it is considered to belong to only the nobody group. For more information about groups, see Principals and groups on AIX, Linux, and Windows. The user ID must be no more than 12 characters long, and must conform to the Rules for naming IBM MQ objects.
You can modify existing queue managers to use this additional option without losing any current configuration.
[MQ 9.3.4 Oct 2023]This is the default value if the AuthToken stanza is specified.
default
The queue manager uses group-based authorization. The behavior is the same as for the group option.
This is the default value if the AuthToken stanza is not specified.
Restart the queue manager for changes to the attribute value to become effective.
[AIX][MQ 9.3.4 Oct 2023][Linux]Note: From IBM MQ 9.3.4, if the AuthToken stanza is specified, the effective value of the SecurityPolicy attribute of the Service stanza is set to UserExternal. Token authentication is not available if SecurityPolicy is explicitly set to Group in the Service stanza. If SecurityPolicy is set to Group, remove the SecurityPolicy attribute from the Service stanza, then restart the queue manager. For more information, see AuthToken stanza of the qm.ini file.
SharedBindingsUserId= user-type
The SharedBindingsUserId attribute applies only if the service specified is the default authorization service, that is, the OAM. The SharedBindingsUserId attribute is used with relation to shared bindings only. This value allows you to specify whether the UserIdentifier field in the IdentityContext structure, from the MQZ_AUTHENTICATE_USER function, is the effective user ID or the real user ID.

For information on the MQZ_AUTHENTICATE_USER function, see MQZ_AUTHENTICATE_USER - Authenticate user.

The possible values are:
Default
The value of the UserIdentifier field is set as the real user ID.
Real
The value of the UserIdentifier field is set as the real user ID.
Effective
The value of the UserIdentifier field is set as the effective user ID.
FastpathBindingsUserId= user-type
The FastpathBindingsUserId attribute applies only if the service specified is the default authorization service, that is, the OAM. The FastpathBindingsUserId attribute is used with relation to fastpath bindings only. This value allows you to specify whether the UserIdentifier field in the IdentityContext structure, from the MQZ_AUTHENTICATE_USER function, is the effective user ID or the real user ID.

For information on the MQZ_AUTHENTICATE_USER function, see MQZ_AUTHENTICATE_USER - Authenticate user.

The possible values are:
Default
The value of the UserIdentifier field is set as the real user ID.
Real
The value of the UserIdentifier field is set as the real user ID.
Effective
The value of the UserIdentifier field is set as the effective user ID.
IsolatedBindingsUserId= user-type
The IsolatedBindingsUserId attribute applies only if the service specified is the default authorization service, that is, the OAM. The IsolatedBindingsUserId attribute is used with relation to isolated bindings only. This value allows you to specify whether the UserIdentifier field in the IdentityContext structure, from the MQZ_AUTHENTICATE_USER function, is the effective user ID or the real user ID.

For information on the MQZ_AUTHENTICATE_USER function, see MQZ_AUTHENTICATE_USER - Authenticate user.

The possible values are:
Default
The value of the UserIdentifier field is set as the effective user ID.
Real
The value of the UserIdentifier field is set as the real user ID.
Effective
The value of the UserIdentifier field is set as the effective user ID.

For more information about installable services and components, see Installable services and components for AIX, Linux, and Windows.

For more information about security services in general, see Setting up security on AIX and Linux systems.

Example stanza

 
Service:
   Name=AuthorizationService
   EntryPoints=14
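
The following audit sketch is an added example, not IBM code. It checks a qm.ini for three conditions described on this page: a removed default OAM stanza (no authorization checks are made), a ServiceComponent stanza with missing keys, and SecurityPolicy=Group combined with an AuthToken stanza. Assumptions: the helper names parse_qm_ini and audit are hypothetical, keys are matched with the exact spelling used on this page, the required ServiceComponent keys are the four shown in the page's examples, and the AuthToken stanza is shown without its keys.

```python
import re
# Keys each ServiceComponent stanza carries in the page's examples (assumed full set).
COMPONENT_KEYS = {"Service", "Name", "Module", "ComponentDataSize"}
DEFAULT_OAM = {"MQSeries.UNIX.auth.service", "MQSeries.WindowsNT.auth.service"}

def parse_qm_ini(text):
    """Return [(stanza, {key: value})]; a duplicated key keeps its last value."""
    stanzas = []
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"(\w+):", line)
        if header:
            stanzas.append((header.group(1), {}))
        elif "=" in line and stanzas and not line.startswith("#"):
            key, value = line.split("=", 1)
            stanzas[-1][1][key.strip()] = value.strip()
    return stanzas

def audit(text):
    stanzas, findings = parse_qm_ini(text), []
    comps = [kv for name, kv in stanzas if name == "ServiceComponent"]
    auth = [c for c in comps if c.get("Service") == "AuthorizationService"]
    for c in comps:
        missing = sorted(COMPONENT_KEYS - set(c))
        if missing:
            findings.append(f"{c.get('Name', '?')}: missing keys {missing}")
        if c in auth and c.get("Name") not in DEFAULT_OAM:
            findings.append(f"review non-default module: {c.get('Module')}")
    if not any(c.get("Name") in DEFAULT_OAM for c in auth):
        findings.append("default OAM component absent: no authorization checks")
    svc = next((kv for name, kv in stanzas if name == "Service"
                and kv.get("Name") == "AuthorizationService"), {})
    has_token = any(name == "AuthToken" for name, _ in stanzas)
    if has_token and svc.get("SecurityPolicy", "").lower() == "group":
        findings.append("SecurityPolicy=Group blocks token authentication")
    return findings

# Constructed sample: OAM stanza removed, duplicated SecurityPolicy key, AuthToken present.
SAMPLE = """\
Service:
   Name=AuthorizationService
   EntryPoints=14
   SecurityPolicy=user
   SecurityPolicy=Group
ServiceComponent:
   Service=AuthorizationService
   Name=user.defined.authorization.service
   Module=/usr/bin/udas01
AuthToken:
"""
```

Calling audit(SAMPLE) returns four findings. Any module path it reports for review is code the queue manager loads at startup, so confirm the file's ownership and permissions before restarting.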