FAQ - About PCF Commands and Security
Common questions about IBM MQ PCF (Programmable Command Format) commands, SYSTEM.ADMIN.COMMAND.QUEUE permissions, temporary queues, and security architecture.
What are PCF Commands?
PCF (Programmable Command Format) is IBM's official administrative interface for programmatic access to IBM MQ Queue Managers. PCF commands allow applications to:
- Query object properties (queues, channels, topics, listeners)
- Execute administrative operations (start/stop channels, purge queues)
- Retrieve metrics (message counts, queue depths, channel status)
PCF commands are used by all IBM MQ management tools, including:
- IBM MQ Explorer
- IBM MQ Console (Web UI)
- IBM MQ REST API
- Nodinite IBM MQ Monitoring Agent
- Custom monitoring scripts and applications
How Do PCF Commands Work?
[Diagram: the Nodinite IBM MQ Monitoring Agent (user mqadmin) sends a PCF request (e.g., Inquire Queue Status) to SYSTEM.ADMIN.COMMAND.QUEUE (+put). The Queue Manager processes the command, checking object-level permissions on queues (+dsp +inq if granted), channels, topics and listeners (+dsp if granted), creates a temporary response queue such as AMQ.12345678 from SYSTEM.DEFAULT.MODEL.QUEUE (+get), and writes the response there. The agent reads the response and closes the temporary queue (auto-delete).]
Diagram: IBM MQ PCF command flow showing how the Queue Manager enforces object-level security even when using SYSTEM.ADMIN.COMMAND.QUEUE.
PCF Command Flow (5 Steps)
1. Nodinite sends a PCF request to `SYSTEM.ADMIN.COMMAND.QUEUE` (e.g., "Inquire Queue Status for QUEUE.NAME")
2. IBM MQ Queue Manager creates a temporary dynamic queue based on `SYSTEM.DEFAULT.MODEL.QUEUE` for the response (e.g., `AMQ.12345678`)
3. IBM MQ processes the command and writes the response to the temporary queue
4. Nodinite reads the response from the temporary queue
5. Nodinite closes the temporary queue (IBM MQ should delete it automatically)
Why Does Nodinite Need SYSTEM.ADMIN.COMMAND.QUEUE Access?
The SYSTEM.ADMIN.COMMAND.QUEUE is the only standard way to send PCF commands to IBM MQ programmatically. Without access to this queue, Nodinite cannot:
- Query queue depths, message counts, or queue states
- Check channel status (started/stopped)
- Monitor topic subscriptions
- Check listener availability
- Execute remote actions (purge queues, download messages)
This is IBM's official administrative interface—there is no alternative mechanism for programmatic monitoring.
Does SYSTEM.ADMIN.COMMAND.QUEUE Access Bypass Security?
No. Access to SYSTEM.ADMIN.COMMAND.QUEUE allows applications to send administrative queries to IBM MQ, but the Queue Manager still enforces object-level security for every operation.
Security Model
IBM MQ validates permissions at the object level, regardless of how the query is submitted:
| Permission Granted | What Nodinite Can Query | What Nodinite Cannot Query |
|---|---|---|
| `+dsp +inq` on queues | ✅ Queue status, message count, age | ❌ Cannot retrieve messages (no `+get`) |
| `+dsp` on channels | ✅ Channel state (started/stopped) | ❌ Cannot start/stop channels (no `+ctrl`) |
| `+dsp` on topics | ✅ Topic subscription status | ❌ Nothing else, no additional access |
| No permissions on topics | ❌ Cannot query topics at all | Returns `MQRC_NOT_AUTHORIZED` |
In other words: SYSTEM.ADMIN.COMMAND.QUEUE access allows Nodinite to submit queries to IBM MQ. The Queue Manager evaluates each query against the configured permissions before returning results.
Example: Configuring Restricted Access
If you want Nodinite to monitor only queues (not topics, channels, or listeners):
```bash
# Base Permissions (required)
setmqaut -m QM1 -t qmgr -p "mqadmin" +connect +inq +dsp
setmqaut -m QM1 -n "SYSTEM.ADMIN.COMMAND.QUEUE" -t q -p "mqadmin" +dsp +inq +put
setmqaut -m QM1 -n "SYSTEM.DEFAULT.MODEL.QUEUE" -t q -p "mqadmin" +dsp +get +inq

# Queue Monitoring ONLY (no topics, channels, listeners)
setmqaut -m QM1 -n "**" -t q -p "mqadmin" +dsp +inq
```
With this configuration:
- ✅ Nodinite can query queue status via PCF commands
- ❌ Nodinite cannot query topics (no `+dsp` on topics) → Returns `MQRC_NOT_AUTHORIZED`
- ❌ Nodinite cannot query channels (no `+dsp` on channels) → Returns `MQRC_NOT_AUTHORIZED`
- ❌ Nodinite cannot query listeners (no `+dsp` on listeners) → Returns `MQRC_NOT_AUTHORIZED`
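To confirm that the restricted configuration above is really what is in effect (and that nobody has granted more than intended), the following script, added here and not part of the Nodinite documentation or product, parses `dspmqaut` output for the monitoring principal and compares it against the expected "queues only" set. It assumes `dspmqaut` is on the PATH and uses a hypothetical application queue `APP.QUEUE.1` to exercise the `**` profile; the embedded sample output is constructed.

```bash
#!/bin/sh
# Added example, not Nodinite's own code: audit the dspmqaut authorizations of the
# monitoring principal against the restricted "queues only" set configured above.
# Assumes dspmqaut is on PATH; APP.QUEUE.1 is a hypothetical queue under the "**" profile.

# Reduce dspmqaut output to a sorted, space-separated list of authorization names.
# The first line is the "Entity ... has the following authorizations" header.
parse_auths() {
    awk 'NR > 1 && NF > 0 { print $1 }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Compare actual (sorted) authorizations with the expected set. Prints EXTRA for any
# authorization beyond the expected set (over-privilege) and MISSING for gaps.
# Returns 0 only on an exact match.
compare_auths() {
    obj="$1"; expected="$2"; actual="$3"
    exp_sorted=$(printf '%s\n' $expected | sort | tr '\n' ' ' | sed 's/ $//')
    if [ "$exp_sorted" = "$actual" ]; then
        echo "OK      $obj: $actual"
        return 0
    fi
    for a in $actual; do
        case " $exp_sorted " in *" $a "*) ;; *) echo "EXTRA   $obj: $a" ;; esac
    done
    for e in $exp_sorted; do
        case " $actual " in *" $e "*) ;; *) echo "MISSING $obj: $e" ;; esac
    done
    return 1
}
# Live audit of a queue manager; usage: audit_live QM1 mqadmin
audit_live() {
    qmgr="$1"; user="$2"; rc=0
    a=$(dspmqaut -m "$qmgr" -t qmgr -p "$user" | parse_auths)
    compare_auths "qmgr" "connect inq dsp" "$a" || rc=1
    a=$(dspmqaut -m "$qmgr" -n SYSTEM.ADMIN.COMMAND.QUEUE -t q -p "$user" | parse_auths)
    compare_auths "SYSTEM.ADMIN.COMMAND.QUEUE" "dsp inq put" "$a" || rc=1
    a=$(dspmqaut -m "$qmgr" -n SYSTEM.DEFAULT.MODEL.QUEUE -t q -p "$user" | parse_auths)
    compare_auths "SYSTEM.DEFAULT.MODEL.QUEUE" "dsp get inq" "$a" || rc=1
    a=$(dspmqaut -m "$qmgr" -n APP.QUEUE.1 -t q -p "$user" | parse_auths)
    compare_auths "APP.QUEUE.1 (via ** profile)" "dsp inq" "$a" || rc=1
    return $rc
}

# Constructed dspmqaut output for an over-privileged queue (get and put granted).
SAMPLE_DSPMQAUT='Entity mqadmin has the following authorizations for object APP.QUEUE.1:
        get
        put
        inq
        dsp'
```

Running `printf '%s\n' "$SAMPLE_DSPMQAUT" | parse_auths` yields `dsp get inq put`, and comparing that against `dsp inq` reports `get` and `put` as EXTRA, which is exactly the over-privilege a periodic audit should catch.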
What Are Temporary Queues Used For?
IBM MQ PCF commands use a request/reply pattern. The Queue Manager needs a reply queue to send responses back to the requesting application. This is done using temporary dynamic queues.
How Temporary Queues Work
1. Nodinite opens `SYSTEM.DEFAULT.MODEL.QUEUE` (this is why `+get` access on the model queue is required)
2. IBM MQ Queue Manager creates a temporary queue (e.g., `AMQ.12345678`) based on the model queue
3. IBM MQ writes the PCF response to the temporary queue
4. Nodinite reads the response
5. Nodinite closes the queue → IBM MQ should delete it automatically
Are Temporary Queues a Security Risk?
No. Temporary queues contain only PCF command responses specific to the requesting session:
- ✅ Isolated per session - Each monitoring session gets its own temporary queue
- ✅ No business data - Only contains administrative responses (queue depths, channel statuses)
- ✅ Automatic cleanup - Should be deleted when the connection closes
- ✅ Short-lived - Exist only during the PCF command execution (seconds)
The +get permission on SYSTEM.DEFAULT.MODEL.QUEUE only allows reading responses from temporary queues created for that specific session. It does not grant access to other queues or messages.
Why Do Temporary Queues Accumulate (Not Deleted)?
In certain IBM MQ versions, temporary queues may not be automatically deleted after the connection closes, leading to accumulation of unused queues.
Symptoms
- Accumulation of `AMQ.*` queues in the Queue Manager (visible in IBM MQ Explorer)
- Queue names follow the pattern `AMQ.12345678`, `AMQ.87654321`, etc.
- Queues are empty but remain in the system
Root Cause
This behavior has been observed in specific IBM MQ versions where the Queue Manager's automatic cleanup process for temporary queues does not complete as expected.
Affected Versions
- IBM MQ 8.0.4 (most commonly reported)
- Some earlier 8.0.x versions
Recommended Solution
Upgrade IBM MQ to a version with improved temporary queue cleanup:
- 8.0.5+ (includes fixes)
- 9.x (recommended for long-term support)
- 9.1+ (latest stable release)
Interim Workaround
Manually purge temporary queues using IBM MQ Explorer or runmqsc commands:
```bash
# Connect to Queue Manager (shell prompt)
runmqsc QM1
* Inside runmqsc, comment lines start with an asterisk, not #
* Delete temporary queues (replace with the actual queue names)
DELETE QLOCAL('AMQ.12345678')
DELETE QLOCAL('AMQ.87654321')
* ... repeat for each AMQ.* queue
* Or use wildcard (IBM MQ 9.0+)
DELETE QLOCAL('AMQ.*')
END
```
Monitoring for Accumulation
Consider setting up alerts to proactively manage temporary queue growth:
- Monitor the queue count where the name starts with `AMQ.`
- Configure alerts if the count exceeds a threshold (e.g., 50 temporary queues)
- Schedule periodic cleanup script as an interim measure
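The following script is an added example (not Nodinite's own tooling) of the alerting and interim-cleanup idea above: it parses the output of an MQSC `DISPLAY QUEUE('AMQ.*') TYPE(QLOCAL)`, counts the temporary queues, raises an alert above a threshold, and generates one `DELETE QLOCAL` command per queue so cleanup does not depend on wildcard support in `DELETE`. It assumes `runmqsc` is on the PATH for the live check; the embedded runmqsc output is constructed.

```bash
#!/bin/sh
# Added example, not Nodinite's own tooling: parse "DISPLAY QUEUE('AMQ.*') TYPE(QLOCAL)"
# output from runmqsc, count temporary AMQ.* queues, alert above a threshold and
# generate per-queue DELETE QLOCAL commands. Assumes runmqsc is on PATH for check_live.

# Print the AMQ.* queue names, one per line, from runmqsc DISPLAY output.
# The echoed command line is skipped: it reads QUEUE('AMQ.*') with a quote.
list_amq_queues() {
    sed -n 's/^[[:space:]]*QUEUE(\(AMQ\.[^)]*\)).*/\1/p'
}

# Count the queues found by list_amq_queues (0 when none).
count_amq_queues() {
    list_amq_queues | wc -l | tr -d ' '
}

# Emit one MQSC DELETE command for each queue name read from stdin.
generate_delete_cmds() {
    sed "s/.*/DELETE QLOCAL('&')/"
}

# Return 0 when the count is within the threshold, 1 when an alert should fire.
check_threshold() {
    count="$1"; threshold="$2"
    if [ "$count" -gt "$threshold" ]; then
        echo "ALERT: $count temporary AMQ.* queues exceeds threshold $threshold" >&2
        return 1
    fi
    echo "OK: $count temporary AMQ.* queues (threshold $threshold)"
}

# Live check; usage: check_live QM1 50. The generated DELETE commands are printed
# for review; feed them back into runmqsc only after confirming the queues are orphaned.
check_live() {
    out=$(echo "DISPLAY QUEUE('AMQ.*') TYPE(QLOCAL)" | runmqsc "$1")
    printf '%s\n' "$out" | list_amq_queues | generate_delete_cmds
    check_threshold "$(printf '%s\n' "$out" | count_amq_queues)" "${2:-50}"
}

# Constructed sample of runmqsc output (three orphaned temporary queues).
SAMPLE_OUTPUT=$(cat <<'EOF'
Starting MQSC for queue manager QM1.
     1 : DISPLAY QUEUE('AMQ.*') TYPE(QLOCAL)
AMQ8409I: Display Queue details.
   QUEUE(AMQ.5F2A1B3C21D4E501)                  TYPE(QLOCAL)
AMQ8409I: Display Queue details.
   QUEUE(AMQ.5F2A1B3C21D4E502)                  TYPE(QLOCAL)
AMQ8409I: Display Queue details.
   QUEUE(AMQ.5F2A1B3C21D4E503)                  TYPE(QLOCAL)
EOF
)
```

Against the constructed sample, `count_amq_queues` returns 3 and `generate_delete_cmds` produces three `DELETE QLOCAL('AMQ.…')` lines that can be reviewed before being run.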
Can We Use a Different User or Different Queues?
Customers sometimes ask if there are alternatives to using SYSTEM.ADMIN.COMMAND.QUEUE and temporary queues.
Alternative Approaches (Not Recommended)
| Approach | Possible? | Explanation |
|---|---|---|
| Use a different admin queue | ❌ No | The Queue Manager expects PCF commands on SYSTEM.ADMIN.COMMAND.QUEUE only |
| Avoid temporary queues | ❌ No | IBM MQ requires a reply queue for PCF command responses |
| Use a different user | ❌ Won't help | Permissions are tied to the user account, not the queue mechanism |
| Use a different model queue | ⚠️ Not recommended | Possible but unsupported—SYSTEM.DEFAULT.MODEL.QUEUE is the standard |
| Use permanent reply queues | ⚠️ Complex | Requires custom queue per session + manual cleanup—defeats purpose of dynamic queues |
There is no standard alternative to the PCF command mechanism. This is IBM's official administrative interface.
How Do Other Monitoring Tools Work?
All IBM MQ management and monitoring tools use the same PCF command mechanism as Nodinite.
Comparison to Other Tools
| Tool | Uses SYSTEM.ADMIN.COMMAND.QUEUE? | Uses Temporary Queues? | Same Permissions Required? |
|---|---|---|---|
| Nodinite | ✅ Yes | ✅ Yes | ✅ Yes |
| IBM MQ Explorer | ✅ Yes | ✅ Yes | ✅ Yes |
| IBM MQ Console (Web UI) | ✅ Yes | ✅ Yes | ✅ Yes |
| IBM MQ REST API | ✅ Yes (internally) | ✅ Yes (internally) | ✅ Yes |
| IBM MQ Runmqsc Scripts | ✅ Yes (for remote) | ✅ Yes (for remote) | ✅ Yes |
| Custom monitoring scripts | ✅ Yes (if using PCF) | ✅ Yes (if using PCF) | ✅ Yes |
All monitoring tools that query IBM MQ programmatically use the same mechanism. If your security team objects to Nodinite using this mechanism, they must also object to IBM MQ Explorer, IBM MQ Console, and any other monitoring tool.
What Should We Tell Security-Conscious Customers?
If a customer's security team has concerns about SYSTEM.ADMIN.COMMAND.QUEUE and temporary queue permissions:
Key Points to Communicate
- Standard IBM Interface - This is IBM's official administrative interface, documented in IBM MQ Knowledge Center
- Used by All Tools - IBM MQ Explorer, Console, REST API all use the same mechanism
- Object-Level Security Enforced - Access to the command queue does NOT bypass permissions
- Control via Other Permissions - Restrict monitoring by removing `+dsp +inq` from object types (queues, topics, channels, listeners)
- Temporary Queue Bug is IBM's Issue - Not a Nodinite problem—upgrade IBM MQ to 8.0.5+ or 9.x
Example Customer Conversation
Customer: "We have concerns about granting Nodinite access to SYSTEM.ADMIN.COMMAND.QUEUE because it might enable querying all system resources."
Response: "I appreciate your thorough approach to security. Let me address those concerns:
1. Industry-standard interface - The `SYSTEM.ADMIN.COMMAND.QUEUE` is IBM's documented administrative interface used by all IBM MQ management tools, including IBM MQ Explorer, IBM MQ Console, and monitoring solutions.
2. Security enforcement at object level - Access to `SYSTEM.ADMIN.COMMAND.QUEUE` enables applications to submit queries, but IBM MQ validates permissions for each individual object (queues, topics, channels) before returning results.
3. Granular permission control - Your organization maintains full control over what Nodinite can monitor. For example, if you don't grant `+dsp` permission on topics, any PCF query for topics will return `MQRC_NOT_AUTHORIZED`.
4. Comparable to existing tools - Consider how your current monitoring tools access IBM MQ. Most administrative and monitoring tools use this same PCF command mechanism.
We provide Optimized Permission Sets in the Prerequisites documentation that demonstrate least-privilege configurations for different monitoring scenarios."
Security Recommendations
- Implement least-privilege permissions - Grant access only to monitored object types using the permission sets documented in Prerequisites
- Consider IBM MQ upgrades - Version 8.0.5+ or 9.x includes improvements to temporary queue management
- Establish regular permission audits - Periodically review which object types have `+dsp +inq` access
- Monitor temporary queue patterns - Configure alerts to track `AMQ.*` queue accumulation
- Engage stakeholders early - Include security teams in the planning process to address concerns proactively
What If We Still Have Security Concerns?
If the customer's security team still has concerns after understanding the PCF command mechanism:
Questions to Ask the Customer
"How do you currently monitor IBM MQ?"
- If using IBM MQ Explorer or Console → These tools require comparable permissions
- If not currently monitoring → Discuss the business value of proactive monitoring and early issue detection
"What specific data are you concerned about Nodinite accessing?"
- PCF commands return administrative metadata (queue depths, channel statuses)
- Message content is only accessible with explicit `+get` permissions (optional, used for specific remote actions only)
"What level of confidence do you have in IBM MQ's security model?"
- If your organization trusts IBM MQ Explorer → Nodinite uses the identical security mechanism
- If there are broader concerns → Consider discussing IBM MQ security architecture with IBM support
"Which object types should Nodinite monitor?"
- Use the response to select the appropriate permission set from the Prerequisites documentation (Options B, C, D)
- Configure permissions to grant access only to the object types relevant to your monitoring requirements
Escalation Path
If security concerns cannot be resolved:
- Engage IBM Support - Request confirmation of PCF command security model and best practices
- Review IBM Documentation - Reference IBM MQ Knowledge Center articles about PCF commands and security architecture
- Conduct Proof of Concept - Set up test environment to demonstrate object-level security enforcement with various permission configurations
- Analyze Current Monitoring - Document permissions used by existing monitoring tools for comparison
Related FAQs
- What IBM MQ User Rights does the IBM MQ Monitoring Agent require? - Detailed permission requirements
- Troubleshooting MQRC_NOT_AUTHORIZED - Resolving authorization errors
- Why version 8.0.4 is not recommended - Temporary queue cleanup bug
Next Step
Configure IBM MQ Permissions
IBM MQ Monitoring Agent Overview
Related Topics
Prerequisites for IBM MQ Monitoring Agent
Troubleshooting IBM MQ Monitoring
IBM MQ Monitoring Agent