Each WebSphere® MQ server definition includes the connection properties and authentication settings that service integration uses to connect to the associated WebSphere MQ queue manager or queue sharing group, either for resource discovery or for messaging.
The connection access path is determined by the host, port, transport chain and WebSphere MQ connection channel that you specify when you create the WebSphere MQ server definition. You get this information from the WebSphere MQ system administrator. The connection access path is also affected by the connection mode that you specify:
For more information about the mechanisms used to connect to WebSphere MQ for z/OS, see the WebSphere MQ for z/OS System Setup Guide.
The WebSphere MQ system administrator will probably want service integration to authenticate with WebSphere MQ whenever it connects. This happens whenever message data needs to be exchanged with a queue point or a mediation point that is assigned to a WebSphere MQ server bus member, and when the automated resource discovery process runs while you are configuring a WebSphere MQ server using the administrative console.
The WebSphere MQ system administrator might also want to set up two different user accounts on the WebSphere MQ system: one with only the privileges needed for resource discovery, and one with only the privileges needed for messaging. The WebSphere MQ server definition supports this requirement by allowing you to configure the MQ server with two authentication aliases, corresponding to these two accounts.
Authentication aliases are restricted to a maximum 12 characters in length, because the user identifier that WebSphere MQ uses for checking the identity of new connections also has this restriction. If authentication aliases exceed 12 characters in length, they are truncated.
If you are using Resource Access Control Facility (RACF®) as the security manager on your WebSphere MQ for z/OS system, and using bindings transport mode, you must specify in uppercase characters the user names and passwords for authentication aliases. If you are using RACF and client transport mode, you can specify the user names and passwords in either upper or lower case characters.
Where an authentication alias exists, the user name and password it contains are examined by WebSphere MQ using a WebSphere MQ channel security exit. WebSphere MQ for z/OS provides a sample security exit CSQ4BCX3, which demonstrates how you can perform authentication based on this information.
When messages are sent to WebSphere MQ for resource discovery, the MQPMO_SET_IDENTITY_CONTEXT option is used. The credentials used to establish a messaging connection must have authority to assert this.
The connection mode you use for connecting to WebSphere MQ affects which credentials are used:
When you add the WebSphere MQ server definition to a service integration bus to make it a bus member, you can override the server settings and authentication alias used for messaging, with the connection settings and authentication alias used by the bus. This option allows you to create a bus-specific instance of that server and is useful in a multiple bus configuration. Typically you would do this to differentiate connections from different buses and, potentially, to apply different security settings.