Clustered topic security extends single-queue-manager pub/sub ACL design to every member that participates in IBM MQ cluster pub/sub. TOPTYPE(CLUS) topics publish routing information to full and partial repositories; SUBSCOPE(ALL) subscriptions advertise interest across the cluster; publications may traverse CLUSSDR and CLUSRCVR channels to remote destination queues. A gap on one member—missing +sub for the analytics service on QM_DUBLIN while London is correct—looks like an application bug but is a security configuration defect. This tutorial explains consistent ACL rollout across cluster members, protecting cluster channels, repository reconnaissance risk, data residency with SUBSCOPE, separating publisher-only and subscriber-only sites, auditing DISPLAY CLUSQMGR and SUB on each node, and incident response when a compromised member could publish cluster-wide events.
| Surface | What is protected | Primary control |
|---|---|---|
| Topic ACL per QM | PUB and SUB on branches | setmqaut replicated per member |
| DEST queue ACL | Message copies at each site | +get per local consumer ID |
| Cluster channels | Wire metadata and messages | TLS, CHLAUTH, peer QMGR names |
| CLUS topic admin | Routing definitions | Restrict +crt/+chg on TOPIC |
| Repository | Topology visibility | Limit cluster membership |
Maintain one Git repository of setmqaut scripts parameterized by queue manager name. For role MQ.RETAIL.CONSUMER, grant identical +sub on prod/retail/# on QM_LON, QM_PAR, QM_NYC. Drift detection: nightly job runs dspmqaut on all members and diffs output. New cluster members receive full ACL baseline before joining production cluster. Never clone a queue manager object set without cloning topic ACLs.
```shell
# Define the cluster topic object once; CLUSTER('CORP') is what makes it a
# cluster topic that the full repositories advertise to every member.
runmqsc QM_LON <<'EOF'
DEFINE TOPIC('PROD.EVENTS.CLUS') TOPICSTR('prod/events') +
       CLUSTER('CORP') PUBSCOPE(ALL) SUBSCOPE(ALL)
EOF
# Same logical grants on each member QM_LON, QM_PAR, QM_NYC. setmqaut -t topic
# names the topic object, not a topic string; the authority applies to every
# topic string under its TOPICSTR, i.e. the whole 'prod/events/#' branch.
for qm in QM_LON QM_PAR QM_NYC; do
  setmqaut -m "$qm" -t topic -n PROD.EVENTS.CLUS -p MQ.EVENTS.PUB +pub
  setmqaut -m "$qm" -t topic -n PROD.EVENTS.CLUS -p MQ.EVENTS.SUB +sub
done
```
Some data centers publish but must not subscribe to foreign events—grant PUB without SUB on sensitive outbound sites. Conversely DR sites may subscribe without publish. Document matrix per queue manager: PUB allowed branches, SUB allowed branches, DEST queue prefixes permitted. Prevents a compromised publisher-only site from registering shadow subs if SUB is denied cluster-wide on that QM.
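The per-queue-manager matrix and the nightly dspmqaut diff described above, combined into one script. This is an added example, not code from the tutorial or from IBM: it keeps the PUB/SUB matrix as the single source of truth, renders the setmqaut lines each member should carry, parses captured dspmqaut output and reports what is missing or extra per member. The queue manager names, role names and topic object come from the page; the dspmqaut output is constructed to approximate the real format, and the "extra +sub on a pub-only site" and "lost +sub on a sub-only site" cases are deliberately planted to show what drift looks like.

```python
"""Added example: topic ACL matrix -> expected grants -> dspmqaut drift report.
Names and the captured dspmqaut text below are constructed for the example."""
import re

# Source of truth: per queue manager, which role may pub/sub on the topic object.
# setmqaut -t topic names a topic object; authority covers the subtree under
# its TOPICSTR. A pub-only site has an empty "sub" set, a sub-only site an empty "pub" set.
MATRIX = {
    "QM_LON": {"role": "both",     "pub": {"MQ.EVENTS.PUB"}, "sub": {"MQ.EVENTS.SUB"}},
    "QM_PAR": {"role": "pub-only", "pub": {"MQ.EVENTS.PUB"}, "sub": set()},
    "QM_NYC": {"role": "sub-only", "pub": set(),             "sub": {"MQ.EVENTS.SUB"}},
}
TOPIC_OBJECT = "PROD.EVENTS.CLUS"

# Constructed dspmqaut output per member (format approximated from the real tool).
# QM_PAR carries a +sub it must not have; QM_NYC lost +sub and gained +pub.
DSPMQAUT_OUTPUT = {
    "QM_LON": """Entity MQ.EVENTS.PUB has the following authorizations for object PROD.EVENTS.CLUS:
        pub
Entity MQ.EVENTS.SUB has the following authorizations for object PROD.EVENTS.CLUS:
        sub
""",
    "QM_PAR": """Entity MQ.EVENTS.PUB has the following authorizations for object PROD.EVENTS.CLUS:
        pub
Entity MQ.EVENTS.SUB has the following authorizations for object PROD.EVENTS.CLUS:
        sub
""",
    "QM_NYC": """Entity MQ.EVENTS.PUB has the following authorizations for object PROD.EVENTS.CLUS:
        pub
""",
}

HEADER = re.compile(r"^Entity (\S+) has the following authorizations for object (\S+):")


def expected_grants(matrix=MATRIX):
    """Return the set of (qm, entity, authority) the matrix says must exist."""
    grants = set()
    for qm, spec in matrix.items():
        grants |= {(qm, e, "pub") for e in spec["pub"]}
        grants |= {(qm, e, "sub") for e in spec["sub"]}
    return grants


def setmqaut_commands(matrix=MATRIX, topic=TOPIC_OBJECT):
    """Render the identical logical grants for every member as setmqaut lines."""
    return sorted(
        f"setmqaut -m {qm} -t topic -n {topic} -p {entity} +{auth}"
        for qm, entity, auth in expected_grants(matrix)
    )


def parse_dspmqaut(qm, text, topic=TOPIC_OBJECT):
    """Parse one member's dspmqaut output into {(qm, entity, authority)} for `topic`.
    Indented lines after an 'Entity ... object X:' header are the authorities;
    a literal 'none' (defensive, in case the tool prints it) is ignored."""
    found, entity, obj = set(), None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entity, obj = m.group(1), m.group(2)
            continue
        auth = line.strip().lower()
        if entity and obj == topic and auth and auth != "none":
            found.add((qm, entity, auth))
    return found


def detect_drift(captured, matrix=MATRIX, topic=TOPIC_OBJECT):
    """Diff captured dspmqaut output against the matrix, per member.
    'missing' breaks an application; 'extra' on a pub-only or sub-only site is
    the shadow-subscription / unexpected-publisher case the matrix exists to deny."""
    expected = expected_grants(matrix)
    actual = set()
    for qm, text in captured.items():
        actual |= parse_dspmqaut(qm, text, topic)
    report = {}
    for qm in matrix:
        exp = {(e, a) for q, e, a in expected if q == qm}
        act = {(e, a) for q, e, a in actual if q == qm}
        report[qm] = {"missing": sorted(exp - act), "extra": sorted(act - exp)}
    return report


if __name__ == "__main__":
    print("\n".join(setmqaut_commands()))
    for qm, diff in detect_drift(DSPMQAUT_OUTPUT).items():
        print(qm, MATRIX[qm]["role"], diff)
```

In production the `DSPMQAUT_OUTPUT` dictionary is replaced by the nightly job's captured output per member, and a non-empty `missing` or `extra` list fails the job; the same `setmqaut_commands()` output is what a new member receives before it joins the cluster.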
Regulations may forbid subscription interest leaving a region. Use SUBSCOPE(QMGR) on EU queue managers even when cluster topics use PUBSCOPE(ALL)—understand IBM routing outcomes for your release; test that publications do not copy to forbidden DEST. Architectural alternative: separate clusters per jurisdiction with controlled bridge queue managers.
Cluster pub/sub is a train line with multiple stations. Each station needs its own ticket check (ACL) for who may send packages (PUB) and who may receive copies (SUB). Securing only the first station does not protect the last.
When many schools share one announcement system, every school needs the same rules about who may talk and who may listen—not just your school.
- Design an ACL matrix for three QMs: pub-only, sub-only, both.
- Why diff dspmqaut across cluster members weekly?
- List five steps if a cluster member is compromised.
1. Clustered topic security requires ACLs on:
2. Repository stores:
3. SUBSCOPE ALL increases:
4. Cluster channels need: