Background
It is desirable that developers and testers have access to MQ object information such as queue depth, last put time and last get time, as well as the settings on the object.
It is tempting to provide this access through the default channel that MQExplorer proposes, using mqm access.
There are several reasons why this is not a good idea, the most obvious being that changes can inadvertently be made to MQ objects, and that can cause issues - especially in a production environment.
Hence I will show how safe, display-only access can be provided on Linux Queue Managers (QMs) - available to anyone using MQExplorer, in all environments.
Definitions
The following definitions need to be made on each Queue Manager; I will explain each part below.
Note that some values, such as the port number and channel name, can be different.
* define specific listener for remote display access
def lstr(tcp1490) trptype(tcp) port(1490)
start lstr(tcp1490)
* define the channel to be used for remote display access
def chl(display_only) chltype(svrconn) mcauser('mqdisp') maxinst(20)
set chlauth(display_only) type(addressmap) address('*') mcauser('mqdisp')
* provide needed access for queues used by MQExplorer commands
set authrec profile(system.admin.command.queue) objtype(queue) principal('mqdisp') authadd(dsp,inq,put)
set authrec profile(system.mqexplorer.reply.model) objtype(queue) principal('mqdisp') authadd(dsp,inq,get)
* provide needed access to display MQ objects
set authrec objtype(qmgr) principal('mqdisp') authadd(connect,dsp,inq)
set authrec profile('**') objtype(channel) principal('mqdisp') authadd(dsp)
set authrec profile('**') objtype(clntconn) principal('mqdisp') authadd(dsp)
set authrec profile('**') objtype(listener) principal('mqdisp') authadd(dsp)
set authrec profile('**') objtype(namelist) principal('mqdisp') authadd(dsp)
set authrec profile('**') objtype(process) principal('mqdisp') authadd(dsp)
set authrec profile('**') objtype(queue) principal('mqdisp') authadd(dsp,inq)
set authrec profile('**') objtype(service) principal('mqdisp') authadd(dsp)
set authrec profile('**') objtype(topic) principal('mqdisp') authadd(dsp)
Listener
I recommend providing a separate listener (and thus a separate port) to be used for remote display access.
In this case port 1490 was used; another value can be used, and the port should be unique per QM - especially when multiple QMs are running on the same server.
Note that the port needs to be opened in the local firewall by root, and the firewall needs to be opened between the computer where MQExplorer is running and the Linux server.
In a production environment, connections to production Linux servers would normally only be allowed from a jump server, so MQExplorer needs to be installed on the jump server.
Channel
The channel should have a limit on how many instances can be started.
The reason is that I was once engaged in troubleshooting why messages were not being sent to a QM, and it turned out that MQ clients had used up all available channel instances.
Hence the use of MQExplorer should be limited to avoid such a situation. 20 instances may not be sufficient and a higher value can be used. If so, make sure to extend the total number of channel instances allowed on the QM.
The channel name can be different from DISPLAY_ONLY.
Queues used by MQExplorer
As MQExplorer uses commands to retrieve MQ object lists and specific MQ object details, sufficient access needs to be provided to the queues used for command processing: put on the command queue and get on the reply model queue.
Display access to MQ objects
The user mqdisp (it can be another name) needs to be created by root.
In my example I provided display access to all objects of the specific types listed.
Depending on the naming standard used, the access could instead be restricted to MQ objects starting with a specific prefix.
I have deliberately not provided access to authrecs, as that could be considered a security exposure.
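To check that a set of definitions really stays display-only, here is an added audit script (not from the original post) that parses SET AUTHREC lines for the mqdisp principal and flags any authority beyond dsp, inq and connect, except for the put/get that the command and reply queues above require. The principal name, the allow-list and the sample MQSC text are my assumptions, chosen to match the definitions above plus one deliberately over-wide rule.

```python
import re

PRINCIPAL = "mqdisp"                # display-only user, as in the definitions
READ_ONLY = {"dsp", "inq", "connect"}   # authorities that cannot change state
# Queue-specific extras MQExplorer needs to send commands and read replies
QUEUE_EXCEPTIONS = {
    "system.admin.command.queue": {"put"},
    "system.mqexplorer.reply.model": {"get"},
}
AUTHREC_RE = re.compile(r"^\s*set\s+authrec\s+(?P<body>.*)$", re.IGNORECASE)
ATTR_RE = re.compile(r"(\w+)\(([^)]*)\)")


def parse_authrec(line):
    """Return {attribute: value} for a SET AUTHREC line, else None."""
    m = AUTHREC_RE.match(line)
    if not m:
        return None
    return {k.lower(): v.strip("'\" ").lower()
            for k, v in ATTR_RE.findall(m.group("body"))}


def audit(mqsc_text, principal=PRINCIPAL):
    """Return [(line_no, profile, objtype, [extra authorities])] for every
    SET AUTHREC that grants the principal more than display access."""
    findings = []
    for n, line in enumerate(mqsc_text.splitlines(), 1):
        attrs = parse_authrec(line)
        if not attrs or attrs.get("principal") != principal:
            continue  # comments, other commands, other users
        granted = {a.strip() for a in attrs.get("authadd", "").split(",") if a.strip()}
        profile, objtype = attrs.get("profile", ""), attrs.get("objtype", "")
        allowed = READ_ONLY | (QUEUE_EXCEPTIONS.get(profile, set()) if objtype == "queue" else set())
        extra = sorted(granted - allowed)
        if extra:
            findings.append((n, profile, objtype, extra))
    return findings


# Constructed sample: a subset of the post's definitions plus one deliberately over-wide rule
SAMPLE_MQSC = """\
set authrec profile(system.admin.command.queue) objtype(queue) principal('mqdisp') authadd(dsp,inq,put)
set authrec profile(system.mqexplorer.reply.model) objtype(queue) principal('mqdisp') authadd(dsp,inq,get)
set authrec objtype(qmgr) principal('mqdisp') authadd(connect,dsp,inq)
set authrec profile('**') objtype(channel) principal('mqdisp') authadd(dsp)
set authrec profile('**') objtype(queue) principal('mqdisp') authadd(dsp,inq)
set authrec profile('**') objtype(queue) principal('mqdisp') authadd(dsp,inq,put,set)
set authrec profile('**') objtype(queue) principal('appuser') authadd(put,get)
"""
```

Running `audit(SAMPLE_MQSC)` reports only line 6, the rule granting put and set on every queue; the same function can be pointed at the output of `dmpmqaut -m <QM> -p mqdisp -s` (assumption: converted to SET AUTHREC form) to re-check a live queue manager.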