Security considerations for using IBM MQ with IMS

Security considerations for using IBM MQ with IMS

Use this topic to plan your security requirements when we use IBM MQ with IMS.

Use the OPERCMDS class

If you are using RACF® to protect resources in the OPERCMDS class, ensure that the userid associated with your IBM MQ queue manager address space has authority to issue the MODIFY command to any IMS system to which it can connect.

Security considerations for the IMS bridge
There are four aspects that you must consider when deciding your security requirements for the IMS bridge, these are:

What security authorization is needed to connect IBM MQ to IMS
How much security checking is performed on applications using the bridge to access IMS
Which IMS resources these applications are allowed to use
What authority is to be used for messages that are put and got by the bridge
When you define your security requirements for the IMS bridge you must consider the following:

Messages passing across the bridge might have originated from applications on platforms that do not offer strong security features
Messages passing across the bridge might have originated from applications that are not controlled by the same enterprise or organization

Security considerations for connecting to IMS
Grant the user ID of the IBM MQ queue manager address space access to the OTMA group.
Application access control for the IMS bridge
Define a RACF profile in the FACILITY class for each IMS system. Grant an appropriate level of access to the IBM MQ queue manager user ID.
Security checking on IMS
Messages that pass across the bridge contain security information. The security checks made depend on the setting of the IMS command /SECURE OTMA.
Security checking done by the IMS bridge
Different authorities are used depending on the action being performed.
Use RACF PassTickets in the IMS header
We can use a PassTicket in place of a password in the IMS header.
Parent topic: Set up security on z/OS