Perhaps my most long-awaited and favourite feature recently introduced to IBM MQ (v9.2.1 CD or v9.3.0 LTS) is the UserExternal group or user authorization setting. This can be set when creating a new queue manager, or for existing queue managers by updating the qm.ini file.
-oa group|user|UserExternal
This largely eliminates the need to create O/S users and groups while securing MQ channels using the MCAUSER user id.
By exploiting this feature, we’ve not only eliminated the need to contact security to create our users and groups, we’ve considerably simplified our queue manager creation process.
Create a new queue manager
To enable this feature while creating a queue manager, simply pass the -oa parameter to the crtmqm command.
crtmqm -oa UserExternal qmgr1
Now view the qm.ini file to see the new setting.
cd /var/mqm/qmgrs/qmgr1
cat qm.ini
If you check the Service section, you’ll see the new setting.
Service:
Name=AuthorizationService
EntryPoints=14
SecurityPolicy=UserExternal
To enable this setting on an existing queue manager, you can stop the queue manager, add this new value to the Service section of qm.ini and restart the queue manager.
Of course, it’s not as simple as that, as you may already have many security settings using locally defined users or groups. These may need adjusting.
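The stop, edit and restart procedure for an existing queue manager, written out as shell functions. This is an added example, not part of the original post: the function names are hypothetical, and it assumes Name=AuthorizationService comes before SecurityPolicy in its Service stanza, as in the listing above.

```sh
#!/bin/sh
# Added example. Function names are hypothetical; sample paths follow the article.

# Print the SecurityPolicy of the AuthorizationService "Service:" stanza, if set.
get_security_policy() {
    awk '
      /^[A-Za-z]+:[ \t]*$/ { in_svc = ($1 == "Service:"); in_auth = 0 }
      in_svc && /^[ \t]*Name=AuthorizationService[ \t]*$/ { in_auth = 1 }
      in_auth && /^[ \t]*SecurityPolicy=/ { sub(/^[ \t]*SecurityPolicy=/, ""); print; exit }
    ' "$1"
}

# Set SecurityPolicy=UserExternal in that stanza only: replace an existing
# value or add the line if absent. Keeps the original as <file>.bak and
# leaves the file untouched if the stanza is not found.
# Assumption: Name=AuthorizationService precedes SecurityPolicy in the stanza.
set_user_external() {
    ini=$1
    [ -f "$ini" ] || { echo "not found: $ini" >&2; return 1; }
    cp -p "$ini" "$ini.bak" || return 1
    awk '
      function emit() {
        if (in_auth && !done) { print "   SecurityPolicy=UserExternal"; done = 1 }
      }
      /^[A-Za-z]+:[ \t]*$/ { emit(); in_svc = ($1 == "Service:"); in_auth = 0 }
      in_svc && /^[ \t]*Name=AuthorizationService[ \t]*$/ { in_auth = 1 }
      in_auth && /^[ \t]*SecurityPolicy=/ { emit(); next }
      { print }
      END { emit(); exit (done ? 0 : 2) }
    ' "$ini.bak" > "$ini.new" || { rm -f "$ini.new"; return 1; }
    # Overwrite in place so the file keeps its owner and permissions.
    cat "$ini.new" > "$ini" && rm -f "$ini.new"
}

# Stop, edit, restart, as described above. Defined but not called here.
# Assumes the data directory name equals the queue manager name (as with qmgr1).
enable_user_external() {
    qm=$1
    # Save current authority records; they may name local users or groups.
    dmpmqaut -m "$qm" > "$qm.authrecs.before.txt" || return 1
    endmqm -w "$qm" || return 1
    set_user_external "/var/mqm/qmgrs/$qm/qm.ini" || return 1
    strmqm "$qm"
}
```

Run `enable_user_external qmgr1` as the MQ administrator, then review the saved authority records for entries that name locally defined users or groups.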