Setting up the security environment for IBM® MQ
Z Data Tools provides security features to secure access to MQ resources when using Z Data Tools functions.
These features work in conjunction with IBM® MQ security, not as a replacement. If access is not restricted by Z Data Tools, it may still be restricted by IBM® MQ security. Similarly, if access is not restricted by IBM® MQ security, it may still be restricted by Z Data Tools security. Z Data Tools security features for MQ are only applicable when accessing MQ resources using Z Data Tools.
Z Data Tools security for MQ is applicable to the user attempting to use a Z Data Tools function that accesses an MQ resource. By default, Z Data Tools does not secure access to MQ resources.
Activating security for a queue manager
To secure a queue manager, you must define a security resource indicating that security is required for a nominated queue manager on a given sysplex.
RDEFINE FACILITY HFMMQ.SECURITY.SYSPLEXD.CSQ1 UACC(READ)
Granting READ access to a user indicates that Z Data Tools security is applicable to that user for the nominated queue manager on the nominated sysplex. If no access is granted, security is not active. When security is active, users must be granted further access to resources to access the queue manager’s attributes and queues. If security is not active for a queue manager, Z Data Tools permissions related to the queue manager do not apply.
Securing queue manager resources
When security is active for a queue manager, a user cannot access any of a queue manager’s resources unless the user has at least READ access to a security resource of the form HFMMQ.sysplex.qmgr defined to the XFACILIT class.
RDEFINE XFACILIT HFMMQ.SYSPLEXD.CSQ1 UACC(NONE)
PERMIT HFMMQ.SYSPLEXD.CSQ1 CLASS(XFACILIT) ID(JOHND) ACCESS(READ)
PERMIT HFMMQ.SYSPLEXD.CSQ1 CLASS(XFACILIT) ID(JOHND) ACCESS(ALTER)
Securing queue messages
When security is active for a queue manager, a user cannot access a queue’s messages unless the user has at least READ access to a security resource of the form HFMMQ.sysplex.qmgr.queue defined to the XFACILIT class.
RDEFINE XFACILIT HFMMQ.SYSPLEXD.CSQ1.* UACC(NONE)
PERMIT HFMMQ.SYSPLEXD.CSQ1.* CLASS(XFACILIT) ID(JOHND) ACCESS(READ)
PERMIT HFMMQ.SYSPLEXD.CSQ1.* CLASS(XFACILIT) ID(JOHND) ACCESS(UPDATE)
UPDATE authority also allows a user to reset or clear a queue’s messages.
Securing Z Data Tools commands
When security is active for a queue manager, a user must have appropriate access to target MQ resources pertinent to the Z Data Tools command being executed.
There is a range of commands that can affect IBM® MQ resources. In each case the following security resource definitions and permissions are required:
- When a command reads a queue manager’s attributes or its queue’s attributes, the requesting user must have READ authority to resource HFMMQ.sysplex.qmgr in the XFACILIT class for the queue manager being read.
- When a command alters a queue manager’s attributes or defines a queue, the requesting user must have ALTER authority to resource HFMMQ.sysplex.qmgr in the XFACILIT class for the queue manager being modified.
- When a command reads message data, the requesting user must have READ authority to resource HFMMQ.sysplex.qmgr.queue in the XFACILIT class for the queue being read.
- When a command updates message data, the requesting user must have UPDATE authority to resource HFMMQ.sysplex.qmgr.queue in the XFACILIT class for the queue being updated.
Securing message context
Z Data Tools uses MQ security controls to edit messages and message context.
When a Z Data Tools session is started, Z Data Tools checks whether the user has CONTROL access to the qmgr.CONTEXT.queue resource in the MQADMIN class. For some External Security Managers, this check might require certain permissions. When a message is updated, the MQ message context is preserved if the user has CONTROL access to the qmgr.CONTEXT.queue resource in the MQADMIN class. If not, the message context is replaced with a default message context, in accordance with normal MQ operation.
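The following Python model is an added illustration of the authorization rules stated in this topic (the activation profile, the queue manager and queue profiles, the per-command authority table, and the message-context check); it is not IBM code and does not call RACF. The profile store, the user MARYK, the queue manager CSQ2 and the queue names are constructed for the example; JOHND, SYSPLEXD and CSQ1 are the names used in the commands above.

```python
"""Model of the Z Data Tools MQ authorization decisions described above.

Added example, not IBM code. The profile database, the users MARYK and the
queue manager CSQ2, and the queue names are constructed for illustration.
"""

# RACF access levels in ascending order; a higher level implies the lower ones.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def access_at_least(granted, required):
    return ACCESS_ORDER.index(granted) >= ACCESS_ORDER.index(required)


class ProfileStore:
    """Stand-in for an External Security Manager's profile database.

    A profile is keyed by (class, name) and carries a UACC plus per-user
    permits, mirroring RDEFINE and PERMIT. Constructed for the example.
    """

    def __init__(self):
        self.profiles = {}

    def rdefine(self, cls, name, uacc="NONE"):
        self.profiles[(cls, name)] = {"uacc": uacc, "permits": {}}

    def permit(self, cls, name, user, access):
        # A later PERMIT for the same user replaces the earlier one.
        self.profiles[(cls, name)]["permits"][user] = access

    def _match(self, cls, resource):
        # A discrete (exact) profile wins; otherwise the longest generic
        # 'prefix.*' profile that covers the resource. Assumption: a trailing
        # '.*' covers any remaining qualifiers, as HFMMQ.sysplex.qmgr.* stands
        # for every queue of the queue manager in the text above.
        if (cls, resource) in self.profiles:
            return self.profiles[(cls, resource)]
        best = None
        for (pcls, pname), prof in self.profiles.items():
            if pcls != cls or not pname.endswith(".*"):
                continue
            prefix = pname[:-1]
            if resource.startswith(prefix) and len(resource) > len(prefix):
                if best is None or len(pname) > len(best[0]):
                    best = (pname, prof)
        return best[1] if best else None

    def access(self, cls, resource, user):
        prof = self._match(cls, resource)
        if prof is None:
            return None  # no profile protects the resource
        return prof["permits"].get(user, prof["uacc"])


# Z Data Tools operations, the resource scope they touch, and the minimum
# authority the text requires (reset/clear is a message update).
OPERATIONS = {
    "read_qmgr_attributes": ("qmgr", "READ"),
    "alter_qmgr_attributes": ("qmgr", "ALTER"),
    "define_queue": ("qmgr", "ALTER"),
    "read_messages": ("queue", "READ"),
    "update_messages": ("queue", "UPDATE"),
    "clear_queue": ("queue", "UPDATE"),
}


def security_active(store, user, sysplex, qmgr):
    # READ on FACILITY HFMMQ.SECURITY.sysplex.qmgr switches the checks on for
    # this user; no profile or no access means Z Data Tools does not restrict.
    granted = store.access("FACILITY", f"HFMMQ.SECURITY.{sysplex}.{qmgr}", user)
    return granted is not None and access_at_least(granted, "READ")


def zdt_allows(store, user, sysplex, qmgr, operation, queue=None):
    """Return True if Z Data Tools security permits the operation.

    True does not mean MQ permits it: IBM MQ's own security still applies.
    An unprotected resource is treated as no access, following the wording
    'cannot access ... unless the user has at least READ access'.
    """
    if not security_active(store, user, sysplex, qmgr):
        return True
    scope, required = OPERATIONS[operation]
    qmgr_resource = f"HFMMQ.{sysplex}.{qmgr}"
    # Every queue manager resource, queues included, needs READ on the
    # queue manager profile first.
    qm_access = store.access("XFACILIT", qmgr_resource, user)
    if qm_access is None or not access_at_least(qm_access, "READ"):
        return False
    resource = qmgr_resource if scope == "qmgr" else f"{qmgr_resource}.{queue}"
    granted = store.access("XFACILIT", resource, user)
    return granted is not None and access_at_least(granted, required)


def context_preserved_on_update(store, user, qmgr, queue):
    # MQ rule, not a Z Data Tools one: CONTROL on MQADMIN qmgr.CONTEXT.queue
    # keeps the original message context; otherwise MQ substitutes its default.
    granted = store.access("MQADMIN", f"{qmgr}.CONTEXT.{queue}", user)
    return granted is not None and access_at_least(granted, "CONTROL")


def build_example_store():
    """Profiles equivalent to the RDEFINE/PERMIT commands in the text."""
    store = ProfileStore()
    store.rdefine("FACILITY", "HFMMQ.SECURITY.SYSPLEXD.CSQ1", uacc="READ")
    store.rdefine("XFACILIT", "HFMMQ.SYSPLEXD.CSQ1")
    store.permit("XFACILIT", "HFMMQ.SYSPLEXD.CSQ1", "JOHND", "READ")
    store.permit("XFACILIT", "HFMMQ.SYSPLEXD.CSQ1", "JOHND", "ALTER")
    store.rdefine("XFACILIT", "HFMMQ.SYSPLEXD.CSQ1.*")
    store.permit("XFACILIT", "HFMMQ.SYSPLEXD.CSQ1.*", "JOHND", "READ")
    store.permit("XFACILIT", "HFMMQ.SYSPLEXD.CSQ1.*", "JOHND", "UPDATE")
    # Constructed MQADMIN context profile: JOHND holds CONTROL for one queue.
    store.rdefine("MQADMIN", "CSQ1.CONTEXT.APP.INPUT")
    store.permit("MQADMIN", "CSQ1.CONTEXT.APP.INPUT", "JOHND", "CONTROL")
    return store


if __name__ == "__main__":
    s = build_example_store()
    for user, qmgr, op, q in [("JOHND", "CSQ1", "clear_queue", "APP.INPUT"),
                              ("MARYK", "CSQ1", "read_qmgr_attributes", None),
                              ("MARYK", "CSQ2", "read_qmgr_attributes", None)]:
        print(user, qmgr, op, zdt_allows(s, user, "SYSPLEXD", qmgr, op, q))
```

The model makes two points explicit that the commands alone do not: a queue manager with no HFMMQ.SECURITY profile (CSQ2 here) is wide open as far as Z Data Tools is concerned, so the activation profile is the switch to audit first; and the generic queue profile only behaves as a wildcard if generic profile checking is active for the class (SETROPTS GENERIC(XFACILIT)), otherwise RACF stores the trailing asterisk as a literal qualifier and the queue permits match nothing.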