Resources we can protect in IBM MQ for z/OS

When a queue manager starts, or when instructed by an operator command, IBM MQ for z/OS® determines which resources you want to protect.

We can control which security checks are performed for each individual queue manager. For example, we can implement a number of security checks on a production queue manager, but none on a test queue manager.


Connection security

Connection security checking is carried out either when an application program tries to connect to a queue manager by issuing an MQCONN or MQCONNX request, or when the channel initiator, or the CICS® or IMS adapter, issues a connection request.

If we are using queue manager level security, we can turn connection security checking off for a particular queue manager. However, if we do this, any user can connect to that queue manager.

For the CICS adapter, only the CICS address space user ID is used for the connection security check, not the individual CICS terminal user ID. For the IMS adapter, when the IMS control or dependent regions connect to IBM MQ, the IMS address space user ID is checked. For the channel initiator, the user ID used by the channel initiator address space is checked.

We can turn connection security checking on or off at either queue manager or queue-sharing group level.


Command security

Command security checking is carried out when a user issues an MQSC command from any of the sources described in Issuing commands. We can make a separate check on the resource specified by the command as described in Command resource security.

If you turn off command checking, issuers of commands are not checked to see whether they have the authority to issue the command.

If MQSC commands are entered from a console, the console must have the z/OS SYS console authority attribute. Commands that are issued from the CSQINP1 or CSQINP2 data sets, or internally by the queue manager, are exempt from all security checking, while those for CSQINPX use the user ID of the channel initiator address space. You must control who is allowed to update these data sets through normal data set protection.

We can turn command security checking on or off at either queue manager or queue-sharing group level.


Command resource security

Some MQSC commands, for example defining a local queue, involve the manipulation of IBM MQ resources. When command resource security is active, each time a command involving a resource is issued, IBM MQ checks to see if the user is allowed to change the definition of that resource.

We can use command resource security to help enforce naming standards. For example, a payroll administrator might be allowed to delete and define only queues with names beginning "PAYROLL". If command resource security is inactive, no security checks are made on the resource that is being manipulated by the command. Do not confuse command resource security with command security; the two are independent.

Turning off command resource security checking does not affect the resource checking that is done specifically for other types of processing that do not involve commands.

We can turn command resource security checking on or off at either queue manager or queue-sharing group level.
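
The following Python audit helper is an added example, not taken from the IBM documentation. Given a list of MQADMIN switch profile names, it reports which of the three checks described above are switched off for a queue manager. The profile list in SAMPLE, the queue manager names MQP1 and MQT1, and the queue-sharing group name QSGP are constructed; the code assumes that queue manager and queue-sharing group level checking are both active.

```python
# Added example: evaluate IBM MQ for z/OS switch profiles (MQADMIN class).
# Assumption: queue manager and queue-sharing group level checking are both
# active; the NO.QMGR.CHECKS / NO.QSG.CHECKS switches are not modelled.

CHECKS = {
    "connection security": "CONNECT.CHECKS",
    "command security": "CMD.CHECKS",
    "command resource security": "CMD.RESC.CHECKS",
}

def check_state(profiles, qmgr, qsg, switch):
    """Return (active, deciding_profile) for one switch."""
    names = {p.strip().upper() for p in profiles}
    if f"{qmgr}.NO.{switch}" in names:          # queue manager level wins
        return False, f"{qmgr}.NO.{switch}"
    if qsg and f"{qsg}.NO.{switch}" in names:   # group-wide switch-off ...
        override = f"{qmgr}.YES.{switch}"       # ... unless overridden
        if override in names:
            return True, override
        return False, f"{qsg}.NO.{switch}"
    return True, None                           # no switch profile: check runs

def audit(profiles, qmgr, qsg=None):
    """Map each check named on this page to (active, deciding_profile)."""
    active, why = check_state(profiles, qmgr, qsg, "SUBSYS.SECURITY")
    if not active:                              # all security checking is off
        return {name: (False, why) for name in CHECKS}
    return {name: check_state(profiles, qmgr, qsg, sw)
            for name, sw in CHECKS.items()}

# Constructed sample: profile names as they might be listed from RACF.
SAMPLE = [
    "QSGP.NO.CMD.CHECKS",
    "QSGP.NO.CMD.RESC.CHECKS",
    "MQP1.YES.CMD.RESC.CHECKS",   # production overrides the group switch
    "MQT1.NO.CONNECT.CHECKS",     # test queue manager: anyone can connect
]

if __name__ == "__main__":
    for qmgr, qsg in (("MQP1", "QSGP"), ("MQT1", None)):
        for name, (active, why) in audit(SAMPLE, qmgr, qsg).items():
            state = "ON " if active else "OFF"
            print(f"{qmgr}: {state} {name} ({why or 'no switch profile'})")
```

Any check reported OFF for a production queue manager is worth confirming against the intended configuration, because a switched-off check means no authority test is made for that activity.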


Channel security considerations

    Channel security

    When we are using channels, the security features available depend on which communications protocol we are going to use. If we use TCP, there are no security features provided with the communications protocol, although we can use TLS. If we use APPC, we can flow user ID information from the sending MCA through the network to the destination MCA for verification.

    For both protocols, we can specify which user IDs we want to check for security purposes, and how many. Again, the choices available depend on which protocol we are using, what we specify when we define the channel, and the RESLEVEL settings for the channel initiator.

    For more information about the types of channel security available, see Channel authentication records and Security exit overview.