Set up security on z/OS
Security considerations specific to z/OS®.
Security in IBM MQ for z/OS is controlled using RACF® or an equivalent external security manager (ESM).
If a user ID has UID 0, it has access to the entire file system, that is, superuser access. Under RACF, the only way to restrict this is by using the FSACCESS feature, which can restrict access at the file system level by RACF user ID. For more information, see Use the FSACCESS class profile to restrict access in the z/OS UNIX System Services Planning documentation.
The following instructions assume that you are using RACF.
RACF security classes
RACF classes are used to hold the profiles required for IBM MQ security checking. Many of the member classes have equivalent group classes. You must activate the classes and enable them to accept generic profiles.
RACF profiles
All RACF profiles used by IBM MQ contain a prefix, which is either the queue manager name or the queue sharing group name. Be careful when you use the percent sign as a wildcard.
Switch profiles
To control the security checking performed by IBM MQ, you use switch profiles. A switch profile is a normal RACF profile that has a special meaning to IBM MQ. The access list in switch profiles is not used by IBM MQ.
Profiles used to control access to IBM MQ resources
You must define RACF profiles to control access to IBM MQ resources, in addition to the switch profiles that might have been defined. This collection of topics contains information about the RACF profiles for the different types of IBM MQ resource.
The RESLEVEL security profile
You can define a special profile in the MQADMIN or MXADMIN class to control the number of user IDs checked for API-resource security. This profile is called the RESLEVEL profile. How this profile affects API-resource security depends on how you access IBM MQ.
User IDs for security checking on z/OS
IBM MQ initiates security checks based on user IDs associated with users, terminals, applications, and other resources. This collection of topics lists which user IDs are used for each type of security check.
z/OS user IDs and Multi-Factor Authentication (MFA)
IBM Multi-Factor Authentication for z/OS allows z/OS security administrators to enhance SAF authentication by requiring identified users to use multiple authentication factors (for example, both a password and a cryptographic token) to sign on to a z/OS system. IBM MFA also provides support for time-based one-time password generation technologies such as RSA SecurID.
IBM MQ for z/OS security management
IBM MQ uses an in-storage table to hold information relating to each user and the access requests made by each user. To manage this table efficiently and to reduce the number of requests made from IBM MQ to the external security manager (ESM), a number of controls are available.
Security installation tasks for z/OS
After installing and customizing IBM MQ, authorize started task procedures to RACF, authorize access to various resources, and set up RACF definitions. Optionally, configure your system for TLS.
Managing channel authentication records in a QSG
Channel authentication records apply to the queue manager that they are created on; they are not shared throughout the queue sharing group (QSG). Therefore, if all the queue managers in the queue sharing group are required to have the same rules, some management needs to be carried out to keep all the rules consistent.
Auditing considerations on z/OS
The normal RACF auditing controls are available for conducting a security audit of a queue manager. IBM MQ does not gather any security statistics of its own. The only statistics are those that can be created by auditing.
Customizing security
If you want to change the way IBM MQ security operates, you must do this through the SAF exit (ICHRFR00), or exits in your external security manager.
Security violation messages on z/OS
A security violation is indicated by the return code MQRC_NOT_AUTHORIZED in an application program or by a message in the job log.
What to do if access is allowed or disallowed incorrectly
In addition to the steps detailed in the z/OS Security Server RACF Security Administrator's Guide, use this checklist if access to a resource appears to be incorrectly controlled.
Security considerations for the channel initiator on z/OS
If you are using resource security in a distributed queuing environment, the channel initiator address space needs appropriate access to various IBM MQ resources. You can use the Integrated Cryptographic Service Facility (ICSF) to seed the password protection algorithm.
Security in queue manager clusters on z/OS
Security considerations for clusters are the same as for queue managers and channels that are not clustered. The channel initiator needs access to some additional system queues, and some additional commands need appropriate security set up.
Security considerations for using IBM MQ with CICS
All the CICS® versions supported by IBM MQ Version 9.0.0, and later, use the CICS supplied version of the adapter and bridge.
Security considerations for using IBM MQ with IMS
Use this topic to plan your security requirements when you use IBM MQ with IMS.
Parent topic: Set up security