IBM Support

HOW TO: setmqaut commands to allow MQ Explorer remote administration of an MQ queue manager in UNIX

Troubleshooting


Problem

When setting up MQ Explorer to administer MQ queue managers on remote UNIX machines, several actions are required.
The most common problem is an authorization failure. It appears as an error box that displays:

Access not authorized. You are not authorized to perform this operation (AMQ4036).

Cause

Several setmqaut commands are required to allow MQ Explorer to access a remote queue manager.

Resolving The Problem

The requirement is for a user ID, for example MYUSER on a Windows machine, to be able to perform remote administration of a queue manager called MYQMGR, hosted on a remote UNIX machine called host2 and listening on port 1444.

If the user name is not known, then it can be found in the AMQ8077 entry in the queue manager error logs.

Actions on the Unix remote host: host2

1. Create the required user on the remote machine

Login as user root.

Use the OS facilities to create the user, such as smit on AIX, sam or useradd on HP-UX, and useradd on Solaris and Linux.
The user name must be in lower case, that is, for user MYUSER on Windows create user myuser on UNIX.

2. Ensure that the listener is set up and running.

Login as an MQ administrator. The default is user: mqm

If you do not have an MQ listener, you can define it as follows.
Notice that "control(qmgr)" is a very useful configuration: the listener is started automatically when the queue manager starts, and stopped automatically when the queue manager stops.

runmqsc MYQMGR
  define listener(LISTENER) trptype(tcp) control(qmgr) port(1444)
  start listener(LISTENER)
  end

3. Ensure the command server is running

The command server's process name is amqpcsea.

ps -ef | grep amqpcsea
mqm 29248 1 0 09:22:00 - 0:00 amqpcsea MYQMGR
 

4. Create the server-connection SVRCONN channel 

The channel name is SYSTEM.ADMIN.SVRCONN

runmqsc MYQMGR
  def chl(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN) replace
  end


There are several options at this point:

a. If the customer wants the required userID to have full privileges over all MQ objects, add the userID to the UNIX group "mqm", again using the OS facilities to do so. In this case there is no further action required.
The command in Linux is: usermod -a -G mqm userid

b. If restricted access to MQ objects is required, further commands are necessary, as shown below.

5. Grant specific authority over MQ objects to the required userID

Issue these setmqaut commands to grant minimal authority to the userID.

The purpose of the following setmqaut commands is:
5.a. GENERAL: Grant authority to access the queue manager.
setmqaut -m MYQMGR -t qmgr -p myuser +connect +inq +dsp

5.b. MQ EXPLORER: Grant authority to the client channel to get the command server reply messages.
setmqaut -m MYQMGR -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p myuser +inq +browse +get +dsp

5.c. MQ EXPLORER: Grant authority to put messages onto the command server input queue.
setmqaut -m MYQMGR -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p myuser +inq +put +dsp

5.d. MQ EXPLORER: Grant authority to get the reply messages.
setmqaut -m MYQMGR -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -p myuser +inq +browse +get +dsp +put

The user will need additional authorities to work with objects.
For example, the following command gives additional put/get authority for queue Q1.
  setmqaut -m MYQMGR -t q -n Q1 -p myuser +inq +browse +get +put +dsp

The following command gives only the authority to display the names of the SYSTEM.* queues (otherwise, the user cannot view the non-system queues, such as Q1, via MQ Explorer):
  setmqaut -m MYQMGR -t q -n 'SYSTEM.**' -p myuser +dsp
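
Added example (not part of the original IBM technote): a shell check that compares what dspmqaut reports for myuser with the baseline granted in steps 5.a to 5.d and flags missing or extra authorities. The sample dspmqaut output is constructed, and the function names baseline, audit_profile and sample_overgrant are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM code. Baseline authorities copied from steps 5.a-5.d.
baseline() {
  case "$1" in
    qmgr)                          echo "connect inq dsp" ;;
    SYSTEM.DEFAULT.MODEL.QUEUE)    echo "inq browse get dsp" ;;
    SYSTEM.ADMIN.COMMAND.QUEUE)    echo "inq put dsp" ;;
    SYSTEM.MQEXPLORER.REPLY.MODEL) echo "inq browse get dsp put" ;;
    *) return 1 ;;
  esac
}

# Reads dspmqaut output on stdin and prints one "missing:<auth>" or
# "extra:<auth>" line per difference. Returns 0 only on an exact match,
# 1 on any difference, 2 for a profile with no baseline.
audit_profile() {
  want=$(baseline "$1") || { echo "no baseline for: $1" >&2; return 2; }
  # Drop the "Entity ... has the following authorizations ..." header and
  # keep the authority names, one lowercase word per line.
  have=$(sed -e '/^Entity /d' -e 's/[[:space:]]//g' | grep -E '^[a-z]+$' | tr '\n' ' ')
  rc=0
  for a in $want; do
    case " $have " in *" $a "*) ;; *) echo "missing:$a"; rc=1 ;; esac
  done
  for a in $have; do
    case " $want " in *" $a "*) ;; *) echo "extra:$a"; rc=1 ;; esac
  done
  return $rc
}

# Constructed sample: what dspmqaut might print if the command queue profile
# had been over-granted (get, browse and chg are not in step 5.c).
sample_overgrant() {
  printf '%s\n' \
    'Entity myuser has the following authorizations for object SYSTEM.ADMIN.COMMAND.QUEUE:' \
    '        inq' '        put' '        dsp' '        get' '        browse' '        chg'
}

# Offline demo on the constructed sample. Against a live queue manager:
#   dspmqaut -m MYQMGR -t qmgr -p myuser | audit_profile qmgr
#   dspmqaut -m MYQMGR -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p myuser \
#     | audit_profile SYSTEM.ADMIN.COMMAND.QUEUE
sample_overgrant | audit_profile SYSTEM.ADMIN.COMMAND.QUEUE \
  || echo "grants differ from the step 5 baseline"
```

By default on UNIX and Linux, authority granted with -p is held by the principal's primary group, so a clean result here applies to every user who shares that group with myuser.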


Product Synonym

WMQ MQ

Document Information

Modified date:
26 May 2020

UID

swg21250706