Profiles for context security

IBM MQ uses profiles for controlling access to the context information specific to a particular message. The context is contained within the message descriptor (MQMD).


Use profiles for context security

If context security is active, you must:

  • Define a profile in the MQADMIN class if using uppercase profiles.
  • Define a profile in the MXADMIN class if using mixed case profiles.
The profile is called hlq.CONTEXT.queuename, where:

    hlq
    Can be either qmgr-name (queue manager name) or qsg-name (queue sharing group name).

    queuename
    Can be either the full name of the queue you want to define the context profile for, or a generic profile.

A profile prefixed by the queue manager name, and with ** specified as the queue name, allows control for context security on all queues belonging to that queue manager. This can be overridden on an individual queue by defining a queue level profile for context on that queue.

A profile prefixed by the queue sharing group name, and with ** specified as the queue name, allows control for context on all queues belonging to the queue managers within the queue sharing group. This can be overridden on an individual queue manager by defining a queue manager level profile for context on that queue manager, by specifying a profile prefixed by the queue manager name. It can also be overridden on an individual queue by specifying a profile suffixed with the queue name.

If your queue manager is a member of a queue sharing group and you are using both queue manager and queue sharing group level security, IBM MQ checks for a profile prefixed by the queue manager name first. If it does not find one, it looks for a profile prefixed by the queue sharing group name.

You must give the necessary groups or user IDs access to this profile. The following table shows the access level required, depending on the specification of the context options when the queue is opened.

Table 1. Access levels for context security

  MQOPEN or MQPUT1 option                                      RACF® access level required to hlq.CONTEXT.queuename
  ---------------------------------------------------------    ----------------------------------------------------
  MQPMO_NO_CONTEXT                                             No context security check
  MQPMO_DEFAULT_CONTEXT                                        No context security check
  MQOO_SAVE_ALL_CONTEXT                                        No context security check
  MQOO_PASS_IDENTITY_CONTEXT / MQPMO_PASS_IDENTITY_CONTEXT     READ
  MQOO_PASS_ALL_CONTEXT / MQPMO_PASS_ALL_CONTEXT               READ
  MQOO_SET_IDENTITY_CONTEXT / MQPMO_SET_IDENTITY_CONTEXT       UPDATE
  MQOO_SET_ALL_CONTEXT / MQPMO_SET_ALL_CONTEXT                 CONTROL
  MQOO_OUTPUT or MQPUT1 (USAGE(XMITQ)) (Note 1)                CONTROL

  MQSUB option                                                 RACF® access level required to hlq.CONTEXT.queuename
  ---------------------------------------------------------    ----------------------------------------------------
  MQSO_SET_IDENTITY_CONTEXT (Note 2)                           UPDATE

Note:
  1. The user IDs used for distributed queuing require CONTROL access to hlq.CONTEXT.queuename to put messages on the destination queue. See User IDs used by the channel initiator for information about the user IDs used.
  2. If, on an MQSUB request with the MQSO_CREATE or MQSO_ALTER options specified, you want to set any of the identity context fields in the MQSD structure, you must specify the MQSO_SET_IDENTITY_CONTEXT option. You also require the appropriate authority to the context profile for the destination queue.

If you put commands on the system-command input queue, use the default context put message option to associate the correct user ID with the command.

For example, the IBM MQ-supplied utility program CSQUTIL can be used to offload and reload messages in queues. When offloaded messages are restored to a queue, the CSQUTIL utility uses the MQOO_SET_ALL_CONTEXT option to return the messages to their original state. In addition to the queue security required by this open option, context authority is also required. For example, if this authority is required by the group BACKGRP on queue manager MQS1, this would be defined by:
RDEFINE MQADMIN MQS1.CONTEXT.** UACC(NONE)
PERMIT MQS1.CONTEXT.** CLASS(MQADMIN) ID(BACKGRP) ACCESS(CONTROL)
Depending on the options specified, and the types of security performed, other types of security checks might also occur when the queue is opened. These include queue security (see Profiles for queue security) and alternate user security (see Profiles for alternate user security). For a summary table showing the open options and the security checks required when queue, context and alternate user security are all active, see Table 1.
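As an added illustration (not part of the IBM MQ documentation), the following Python models the profile lookup order and the Table 1 access levels described above, using the MQS1.CONTEXT.** profile from the RDEFINE/PERMIT example. Profile matching is simplified to exact names and a trailing .** generic (real RACF generic profiles are richer), the group APPGRP, the queue APP.ORDERS and the queue sharing group QSG1 are constructed sample values, and treating "no covering profile" as a denial is an assumption.

```python
from typing import Dict, List, Optional

# RACF access levels in increasing order of authority.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Option -> minimum access to hlq.CONTEXT.queuename (from Table 1). MQPMO_NO_CONTEXT,
# MQPMO_DEFAULT_CONTEXT and MQOO_SAVE_ALL_CONTEXT need no check, so they are absent.
OPTION_ACCESS = {
    "MQOO_PASS_IDENTITY_CONTEXT": "READ",   "MQPMO_PASS_IDENTITY_CONTEXT": "READ",
    "MQOO_PASS_ALL_CONTEXT": "READ",        "MQPMO_PASS_ALL_CONTEXT": "READ",
    "MQOO_SET_IDENTITY_CONTEXT": "UPDATE",  "MQPMO_SET_IDENTITY_CONTEXT": "UPDATE",
    "MQSO_SET_IDENTITY_CONTEXT": "UPDATE",
    "MQOO_SET_ALL_CONTEXT": "CONTROL",      "MQPMO_SET_ALL_CONTEXT": "CONTROL",
}

def required_access(options: List[str]) -> Optional[str]:
    """Highest context access level implied by the options, or None if no check."""
    needed = [OPTION_ACCESS[o] for o in options if o in OPTION_ACCESS]
    return max(needed, key=LEVELS.index) if needed else None

def resolve_profile(profiles: Dict[str, Dict[str, str]], qmgr: str,
                    qsg: Optional[str], queue: str) -> Optional[str]:
    """Queue-manager prefix is tried before the QSG prefix; under each prefix a
    queue-level profile overrides the generic hlq.CONTEXT.** profile.
    Simplification: only exact names and a trailing .** generic are matched."""
    for hlq in (qmgr, qsg):
        if hlq:
            for name in (f"{hlq}.CONTEXT.{queue}", f"{hlq}.CONTEXT.**"):
                if name in profiles:
                    return name
    return None

def context_allowed(profiles, qmgr, qsg, queue, group, options) -> bool:
    """profiles maps profile name -> {group: access}, with UACC under key '*'."""
    need = required_access(options)
    if need is None:
        return True                      # no context check for these options
    prof = resolve_profile(profiles, qmgr, qsg, queue)
    if prof is None:
        return False                     # assumption: no covering profile -> deny
    acl = profiles[prof]
    have = acl.get(group, acl.get("*", "NONE"))
    return LEVELS.index(have) >= LEVELS.index(need)

# Constructed sample: the RDEFINE/PERMIT pair above, plus a queue-level and a QSG profile.
PROFILES = {
    "MQS1.CONTEXT.**": {"*": "NONE", "BACKGRP": "CONTROL", "APPGRP": "READ"},
    "MQS1.CONTEXT.APP.ORDERS": {"*": "NONE", "APPGRP": "UPDATE"},
    "QSG1.CONTEXT.**": {"*": "NONE", "APPGRP": "CONTROL"},
}
```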


System queue context security

Many of the system queues are accessed by the ancillary parts of IBM MQ, for example the channel initiator address space, and the IBM WebSphere Application Server Liberty Profile for IBM MQ server (WLP for MQ Server) used by the IBM MQ Console and administrative REST API.

The user IDs under which these components run must be given RACF access to these queues, as shown in Table 2.

Table 2. Access required to the SYSTEM queues for context operations

  SYSTEM queue                                  Channel initiator for distributed queuing   WLP for MQ Server
  ------------------------------------------    -----------------------------------------   -----------------
  SYSTEM.ADMIN.COMMAND.QUEUE                    -                                           CONTROL
  SYSTEM.BROKER.CONTROL.QUEUE                   CONTROL                                     -
  SYSTEM.BROKER.INTER.BROKER.COMMUNICATIONS     CONTROL                                     -
  SYSTEM.CHANNEL.SYNCQ                          CONTROL                                     -
  SYSTEM.CLUSTER.COMMAND.QUEUE                  CONTROL                                     -
  SYSTEM.CLUSTER.TRANSMIT.QUEUE                 CONTROL                                     -