Implement your ESM security controls

Implement security controls for queue managers and the channel initiator.

  • Repeat this task for each IBM MQ queue manager.
  • You might need to perform this task when migrating from a previous version.

If we use RACF® as your external security manager, see Set up security on z/OS® , which describes how to implement these security controls.

If you are using the channel initiator, you must also do the following:

  • If your subsystem has connection security active, define a connection security profile ssid.CHIN to your external security manager (see Connection security profiles for the channel initiator for information about this).
  • If you are using Transport Layer Security (TLS) or a sockets interface, ensure that the user ID under whose authority the channel initiator is running is configured to use UNIX System Services, as described in the OS/390® UNIX System Services Planning documentation.
  • If you are using TLS, ensure that the user ID under whose authority the channel initiator is running is configured to access the key ring specified in the SSLKEYR parameter of the ALTER QMGR command.
Before you start the queue manager, set up IBM MQ data set and system security by:

  • Authorizing the queue manager started task procedure to run under your external security manager.
  • Authorizing access to the queue manager data sets.
For details about how to do this, see Security installation tasks for z/OS(r).

If you are using RACF, provided we use the RACF STARTED class, we do not need to perform an IPL of your system (see RACF authorization of started-task procedures ).