Security concepts in IBM MQ for z/OS

Use this topic to understand the importance of security for IBM MQ , and the implications of not having adequate security settings on your system.


Why you must protect IBM MQ resources

IBM MQ handles the transfer of information that is potentially valuable. Applying security ensures that the resources IBM MQ owns and manages are protected from unauthorized access. Such access might lead to the loss or disclosure of the information.

You should ensure that none of the following resources are accessed or changed by any unauthorized user or process:

  • Connections to IBM MQ
  • IBM MQ objects such as queues, processes, and namelists
  • IBM MQ transmission links
  • IBM MQ system control commands
  • IBM MQ messages
  • Context information associated with messages

To provide the necessary security, IBM MQ uses the z/OS® system authorization facility (SAF) to route authorization requests to an External Security Manager (ESM), for example Security Server (previously known as RACF® ). IBM MQ does no security verification of its own. Where distributed queuing or clients are being used, you might require additional security measures, for which IBM MQ provides channel authentication records, channel exits, the MCAUSER channel attribute, and TLS.

The decision to allow access to an object is made by the ESM and IBM MQ follows that decision. If the ESM cannot make a decision, IBM MQ prevents access to the object.


What happens if we do not protect IBM MQ resources

If we do nothing about security, the most likely effect is that all users can access and change every resource. This includes not only local users, but also those on remote systems using distributed queuing or clients, where the logon security controls might be less strict than is normally the case for z/OS.

To enable security checking you must do the following:

  • Install and activate an ESM (for example, Security Server).
  • Define the MQADMIN class if you are using an ESM other than Security Server.
  • Activate the MQADMIN class.

You must consider whether using mixed-case resource names would be beneficial to your enterprise. If we do use mixed-case resource names in your ESM profiles you must define and activate the MXADMIN class.


z/OS Data Set Encryption

Data Set Encryption (DSE) provides the capability to encrypt z/OS data sets, so that the data they contain can only be viewed or modified by user IDs granted the specific permission. This provides encryption of data at rest in the file system, and prevents inadvertent disclosure of sensitive information to users who have a legitimate business need and permissions to manage the data sets themselves.

IBM MQ for z/OS does not support use of DSE with the active logs, page sets, and shared message data sets (SMDS) that provide the primary persistence mechanisms for IBM MQ messages. Instead, Advanced Message Security provides an end-to-end encryption solution for IBM MQ messaging, which encompasses the entire IBM MQ network, encryption of data in flight, at rest, and even inside the runtime IBM MQ processes.

Other VSAM and sequential data sets used in an IBM MQ subsystem can be encrypted using DSE. For example:

  • Bootstrap data set (BSDS)
  • Sequential files holding system configuration (MQSC) commands read at startup using CSQINPx DDNAMEs
  • IBM MQ archive logs, often used for long term archival of IBM MQ log data for audit purposes.
We can encrypt using DSE by allocating a dataclass that is defined with a data set key label. For more information, see Plan your log archive storage.