BEA Logo BEA MessageQ Release 5.0

  Corporate Info  |  News  |  Solutions  |  Products  |  Partners  |  Services  |  Events  |  Download  |  How To Buy


   MessageQ Doc Home   |   Configuration Guide for OpenVMS   |   Previous Topic   |   Next Topic   |   Contents   |   Index

BEA MessageQ Security


This chapter describes the BEA MessageQ for OpenVMS security features that allow system managers to:

Rights Identifiers Used By BEA MessageQ

There are two rights identifiers used by BEA MessageQ. The identifiers are created during installation by the kit installation procedure if they do not already exist.

In order to run the loader (DMQ$EXE:DMQ$LOADER), the user must have either VMS OPER privileges or be granted the DMQ$MANAGER rights identifier.

The following actions require either OPER privileges or the DMQ$MANAGER rights identifier:

The other identifier is DMQ$OPERATOR. The following actions require either OPER privileges or the DMQ$OPERATOR rights identifier:

See Defining Access Control on Queues for more information on the DMQ$OPERATOR rights identifier.

Defining Access Control on Queues

To control queue access, the system manager must have an account that holds a DMQ$OPERATOR rights identifier or the VMS OPER privilege. The system manager can limit which processes are allowed to read from a queue by setting the flag in the Check ACL column of the Queue Configuration Table in the DMQ$INIT file to Y. When the flag is set to Y, BEA MessageQ checks a zero-length access control file called DMQ$ACCESS:DMQ$bbbbgggggqqqqq.DAT, where:


is the 4-digit bus ID


is the 5-digit group ID


is the 5-digit queue number

To read from a queue, a process requires read access to the queue's access control file. BEA MessageQ checks access control by determining if the process can perform an OPEN/READ operation on the DMQ$ACCESS:DMQ$bbbbgggggqqqqq.DAT file.

To set up access control for a queue, you must create the access control file before processes can access its associated queue. Use the CREATE command at DCL level to create the file and use the SET ACL command to give the user account read access to the file. The logical DMQ$ACCESS is specific to each group and is defined in DMQ$USER:DMQ$BOOT.COM. The default value of DMQ$ACCESS is the BEA MessageQ group-specific directory referred to by the logical DMQ$USER.

For example, use the following commands to give user identification code (UIC) [345,333] access to queue 4, on group 1, bus 15:

$ CREATE DMQ$ACCESS:DMQ$00150000100004.DAT 
$ Ctrl/Z

_$ DMQ$ACCESS:DMQ$0015000010004.DAT

$ SET PROT=(S,O,G,W) DMQ$ACCESS:DMQ$00150000100004.DAT

Securing Readout of Permanent Queues

If Check ACL is set to Y on a primary or secondary message queue, BEA MessageQ validates whether a process is allowed to read from a queue when the process first attaches to the queue. If the queue is a multireader queue (MRQ), BEA MessageQ validates access at the first attempt to read from the queue.

Securing the Creation of Temporary Queues

If Check ACL is set to Y on the TEMPORARY_Q queue and the queue number is 0, then only those processes that can read DMQ$ACCESS:DMQ$bbbbggggg00000.DAT) are allowed to create temporary queues. This protection works for processes that call the pams_attach_q function. However, securing access to temporary queues results in the disabling of the message interface to the COM Server to create temporary secondary queues.

Setting the Global Section Protection Mask

You can configure a protection mask to restrict access to BEA MessageQ global sections. When the protection mask is configured, an access control list (ACL) can be applied to control individual user access. All BEA MessageQ global sections use one protection mask and, therefore, each requires an ACL to be set after the COM Server is booted.

BEA MessageQ uses system global sections, which are owned by UIC [1,4]. If the owner has not been granted access, the COM Server will be unable to initialize the global sections.

Defining Protection Mask Logical Name

The logical name controlling the global section protection mask definition is called DMQ$SET_GBLSEC_PROT. Define the logical name using the following command:



Table 13-1 shows typical combinations of protection settings.

Table 13-1 Sample Settings for DMQ$SET_GBLSEC_PROT




Default; unrestricted access to global sections


Access only for BEA MessageQ Server processes and ACLs


Access only through ACLs

Setting ACLs for Global Sections

When you set the ACL for the global sections, you must apply the ACL to all five global sections shown in Table 13-2. Set an ACL for a global section (called, in this case, DMQ$MCS_C_bbbb_ggggg) as follows:

_$ DMQ$MCS_C_bbbb_ggggg

Note: You must set the ACL after the COM Server is running. For example, you can add the ACL command to DMQ$BOOT.COM after the line that executes DMQ$COM_START.COM.

Table 13-2 shows the names for the five global sections where bbbb is the 4-digit bus ID and ggggg is the 5-digit group ID.

Table 13-2 BEA MessageQGlobal Section Names

Section Name



Control section


Small buffer pool section


Medium buffer pool section


Large buffer pool section


Group Name Table (GNT) section


Cross-group control section


Multireader queue (MRQ) control section

Controlling Network Access to Queuing Group

The Link Drivers can limit incoming cross-group connections to the nodes found in the cross-group connection table. The incoming cross-group connections are controlled by the XGROUP_VERIFY parameter in the Profile section of the DMQ$INIT.TXT file (see Configuring Cross-group Connections, for more information).

When XGROUP_VERIFY is enabled, the cross-group connection table functions use an ACL to validate all connections against a known list of valid nodes and BEA MessageQ group IDs. If a connection fails to match exactly, that connection is dropped and a security match failure event is logged.