Security settings for MQ agent resources

If you have enabled security for the queue manager, you must configure certain security settings in the queue manager for the HCL DevOps Test Integrations and APIs (Test Integrations and APIs) MQ agent resources to access the Test Integrations and APIs intercept queue.

Recording authorities

To successfully do recording, stubbing and topology discovery of MQ resources when using the Test Integrations and APIs MQ API agent, the following MQ authorities must be granted to the following users:
  • Test Integrations and APIs user. The MQ Username as configured in the MQ physical transport within Test Integrations and APIs.
  • Putting application user. The MQ Username used by applications when performing an MQ PUT to the queues being recorded, stubbed, or discovered.
Note: Before changing the queue manager authorities, use the dmpmqaut command to back up the existing queue manager authorities.
Table 1. MQ recording authorities for the Test Integrations and APIs userThe following permissions are required for the user to record the messages in the queue manager.
Object Permissions
Queue manager:
  • queue_manager_name
  • connect
  • inquire
  • display
Namelist:
  • **
  • create
Note: This queue manager authority is granting the create permission to the Namelist @class object, allowing the user the permission to create namelists.
Namelist:
  • SYSTEM.DEFAULT.NAMELIST
  • display
Namelist:
  • com.greenhat.intercept*
  • display
  • change
Queue:
  • **
  • create
Queue:
  • SYSTEM.DEFAULT.LOCAL.QUEUE
  • display
Queue:
  • SYSTEM.DEFAULT.MODEL.QUEUE
  • transport_recording_model_queue_name
Note: The object is configured in the Model Queue field on the Recording tab of the MQ physical transport.
  • get
  • display
Queue:
  • SYSTEM.ADMIN.COMMAND.QUEUE
  • inquire
  • put
Table 2. MQ recording authorities for the Putting application userThe following permissions are required for the Putting application user to record the messages in the queue manager.
Object Permissions
Queue manager:
  • queue_manager_name
  • connect
  • inquire
  • setall
Namelist:
  • com.greenhat.intercept*
  • inquire
Queue:
  • SYSTEM.DEFAULT.MODEL.QUEUE
  • transport_recording_model_ queue _name
Note: The object is configured in the Model Queue field on the Recording tab of the MQ physical transport.
  • put
  • setall
A sample script SetExitRecordingAuthorities.bat or SetExitRecordingAuthorities.sh that configures the required permissions in the queue manager is available inside a scripts folder of a .zip file in the HCL DevOps Test Virtualization Control Panel (Test Virtualization Control Panel) installation directory (for example, <Server installation directory>\tools\IBM\WebSphereMQ\dist) in the .zip file named IBMWebSphereMQdist.zip.

The sample scripts containing the distributed WebSphere® MQ API agent .zip file, can be downloaded from Test Virtualization Control Panel.

Topology discovery authorities

To enable Test Integrations and APIs to perform discovery for the queue manager, the following permissions must be enabled in the queue manager.
Note: Before changing the queue manager authorities, use the dmpmqaut command to back up the existing queue manager authorities.
Table 3. MQ discovery authorities for the Test Integrations and APIs userThe following permissions are required for the user to observe the messages in the queue manager.
Object Permissions
Queue manager:
  • queue_manager_name
  • connect
  • inquire
  • display
Namelist:
  • **
  • create
Note: This queue manager authority is granting the create permission to the Namelist @class object, allowing the user the permission to create namelists.
Namelist:
  • SYSTEM.DEFAULT.NAMELIST
  • display
Namelist:
  • COM.GREENHAT.OBSERVATION*
  • display
  • inquire
Queue:
  • **
  • create
Queue:
  • SYSTEM.DEFAULT.LOCAL.QUEUE
  • display
Queue:
  • SYSTEM.DEFAULT.MODEL.QUEUE
  • transport_observation_model_ queue _name
Note: The object is configured in the Advanced tab of the MQ observation point.
  • get
  • display
Queue:
  • SYSTEM.ADMIN.COMMAND.QUEUE
  • inquire
  • put
Table 4. MQ discovery authorities for the Putting application userThe following permissions are required for the Putting application user to observe the messages in the queue manager.
Object Permissions
Queue manager:
  • queue_manager_name
  • connect
  • inquire
  • setall
Namelist:
  • COM.GREENHAT.OBSERVATION*
  • inquire
Queue:
  • SYSTEM.DEFAULT.MODEL.QUEUE
  • transport_observation_model_ queue _name
Note: The object is configured in the Advanced tab of the MQ observation point.
  • put
  • setall
A sample script SetExitDiscoveryAuthorities.bat or SetExitDiscoveryAuthorities.sh that configures the required permissions in the queue manager is available inside a scripts folder of a .zip file in the Test Virtualization Control Panel installation directory (for example, <Contol_panel_installation_directory>\tools\IBM\WebSphereMQ\dist) in the .zip file named IBMWebSphereMQdist.zip.

The sample scripts containing the distributed WebSphere® MQ API agent .zip file, can be downloaded from Test Virtualization Control Panel.

Sift and Pass-through with dynamic queue authorities

To enable sift and pass-through capability in the queue manager, the following permissions must be enabled in the queue manager.
Note: Before changing the queue manager authorities, use the dmpmqaut command to back up the existing queue manager authorities.
Table 5. Sift and Pass-through with dynamic queue authorities for the Test Integrations and APIs userThe following permissions are required for the user to enable the sift and pass-through option in the queue manager.
Object Permissions
Queue manager:
  • queue_manager_name
  • connect
  • inquire
  • display
  • setall
Namelist:
  • **
  • create
Note: This queue manager authority is granting the create permission to the Namelist @class object, allowing the user the permission to create namelists.
Namelist:
  • rit.divert.rules*
  • change
  • inquire
  • display
Namelist:
  • SYSTEM.DEFAULT.NAMELIST
  • display
Queue:
  • **
  • create
Queue:
  • SYSTEM.DEFAULT.LOCAL.QUEUE
  • display
Queue:
  • stubbed_queue_name
  • put
  • setall
Queue:
  • reply_queue_name
  • put
Queue:
  • SYSTEM.DURABLE.MODEL.QUEUE
  • diverted_queue_model_name
Note: The object is configured on the Stubbing tab of the MQ physical transport with Use Sift & Pass Through with Dynamic Queues option. This corresponds to the model queue that is configured in the Diverted Queue section.
  • get
  • display
Queue:
  • SYSTEM.DEFAULT.MODEL.QUEUE
  • stub_queue_model_name
Note: The object is configured on the Stubbing tab of the MQ physical transport with Use Sift & Pass Through with Dynamic Queues option. This corresponds to the model queue that is configured in the Stub Queue section.
  • get
  • display
Note: Permission required on the SYSTEM.DEFAULT.MODEL.QUEUE for specifying the custom queue.
Queue:
  • SYSTEM.ADMIN.COMMAND.QUEUE
  • inquire
  • put
Table 6. Sift and Pass-through with dynamic queue authorities for the Putting application userThe following permissions are required for the Putting application user to enable the sift and pass-through option in the queue manager.
Object Permissions
Queue manager:queue_manager_name
  • connect
  • inquire
Namelist:
  • rit.divert.rules*
  • inquire
Queue:
  • SYSTEM.DURABLE.MODEL.QUEUE
  • diverted_queue_model_name
Note: The object is configured on the Stubbing tab of the MQ physical transport with Use Sift & Pass Through with Dynamic Queues option. This corresponds to the model queue that is configured in the Diverted Queue section.
  • put
  • get
Queue:
  • SYSTEM.DEFAULT.MODEL.QUEUE
  • stub_queue_model_name
Note: The object is configured on the Stubbing tab of the MQ physical transport with Use Sift & Pass Through with Dynamic Queues option. This corresponds to the model queue that is configured in the Stub Queue section.
  • put
  • setall
A sample script SetSiftAndPassThroughWithDynamicQueuesAuthorities.bat or SetSiftAndPassThroughWithDynamicQueuesAuthorities.sh that configures the required permissions in the queue manager is available inside a scripts folder of a .zip file in the Test Virtualization Control Panel installation directory (for example, <Server installation directory>\tools\IBM\WebSphereMQ\dist) in the .zip file named IBMWebSphereMQdist.zip.

The sample scripts containing the distributed WebSphere® MQ API agent .zip file, can be downloaded from Test Virtualization Control Panel.

Sift and Pass-through with fixed queue authorities

To enable sift and pass-through capability in the queue manager, the following permissions must be enabled in the queue manager.
Note: Before changing the queue manager authorities, use the dmpmqaut command to back up the existing queue manager authorities.
Table 7. Sift and Pass-through with fixed queue authorities for the Test Integrations and APIs userThe following permissions are required for the user to enable the sift and pass-through option in the queue manager.
Object Permissions
Queue manager:
  • queue_manager_name
  • connect
  • inquire
  • display
  • setall
Namelist:
  • **
  • create
Note: This queue manager authority is granting the create permission to the Namelist @class object, allowing the user the permission to create namelists.
Namelist:
  • rit.divert.rules*
  • change
  • inquire
  • display
Namelist:
  • SYSTEM.DEFAULT.NAMELIST
  • display
Queue:
  • **
  • create
Queue:
  • SYSTEM.DEFAULT.LOCAL.QUEUE
  • display
Queue:
  • stubbed_queue_name
  • put
  • setall
Queue:
  • stubbed_queue_namestubbed_queue_suffix
Note: The suffix is set in the Stub Queue section on the Stubbing panel of the MQ physical transport with the fixed queue option. For example: REQUEST.STUB
  • get
Queue:
  • stubbed_queue_namedivert_queue_suffix
Note: The suffix is set in the Divert Queue section on the Stubbing panel of the MQ physical transport with the fixed queue option. For example: REQUEST.DIVERT
  • get
  • put
Queue:
  • reply_queue_name
  • put
Queue:
  • SYSTEM.DEFAULT.MODEL.QUEUE
Note: Object is configured on the Stubbing tab of the MQ physical transport with Use Sift & Pass Through with Fixed Queues option. This corresponds to the model queue that is configured in the Stub Queue section.
  • get
  • display
Queue:
  • SYSTEM.ADMIN.COMMAND.QUEUE
  • inquire
  • put
Table 8. Sift and Pass-through with fixed queue authorities for the Putting application userThe following permissions are required for the Putting application user to enable the sift and pass-through option in the queue manager.
Object Permissions
Queue manager:
  • queue_manager_name
  • connect
  • inquire
Queue:
  • stubbed_queue_namestubbed_queue_suffix
Note: The suffix is set in the Stub Queue section on the Stubbing panel of the MQ physical transport with the fixed queue option. For example: REQUEST.STUB
  • put
  • setall
Queue:
  • stubbed_queue_namedivert_queue_suffix
Note: The suffix is set in the Divert Queue section on the Stubbing panel of the MQ physical transport with the fixed queue option. For example: REQUEST.DIVERT
  • get
  • put
Namelist:
  • rit.divert.rules*
  • inquire
A sample script SetSiftAndPassThroughWithFixedQueuesAuthorities.bat or SetSiftAndPassThroughWithFixedQueuesAuthorities.sh that configures the required permissions in the queue manager is available inside a scripts folder of a .zip file in the Test Virtualization Control Panel installation directory (for example, <Server installation directory>\tools\IBM\WebSphereMQ\dist) in the .zip file named IBMWebSphereMQdist.zip.

The sample scripts containing the distributed WebSphere® MQ API agent .zip file, can be downloaded from Test Virtualization Control Panel.