Implement your ESM security controls
Implement security controls for queue managers and the channel initiator.
- Repeat this task for each IBM MQ queue manager.
- You might need to perform this task when migrating from a previous version.

If you use RACF as your external security manager, see Set up security on z/OS, which describes how to implement these security controls.

If you are using the channel initiator, you must also do the following:
- If your subsystem has connection security active, define a connection security profile ssid.CHIN to your external security manager (see Connection security profiles for the channel initiator for information about this).
- If you are using Transport Layer Security (TLS) or a sockets interface, ensure that the user ID under whose authority the channel initiator is running is configured to use UNIX System Services, as described in the OS/390 UNIX System Services Planning documentation.
- If you are using TLS, ensure that the user ID under whose authority the channel initiator is running is configured to access the key ring specified in the SSLKEYR parameter of the ALTER QMGR command.

Before starting the queue manager, set up IBM MQ data set and system security by:
- Authorizing the queue manager started task procedure to run under your external security manager.
- Authorizing access to the queue manager data sets.
- Configuring z/OS data set encryption, if required. See the section Confidentiality for data at rest on IBM MQ for z/OS with data set encryption for more information.

For details about how to do this, see Security installation tasks for z/OS.
If you are using RACF, and you use the RACF STARTED class, you do not need to perform an IPL of your system (see RACF authorization of started-task procedures).
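
The steps above could be carried out with RACF commands along the following lines; this is an added example, not taken from the IBM MQ documentation. The subsystem ID CSQ1, the procedure names CSQ1MSTR and CSQ1CHIN, the user IDs MQMSTR and MQCHIN, and the UID value are constructed placeholders, and the example assumes that the key ring named in SSLKEYR is owned by the channel initiator user ID and that the IRR.DIGTCERT.LISTRING profile already exists in a RACLISTed FACILITY class.

```racf
/* Added example: all names below are constructed placeholders.        */
/* CSQ1 = subsystem ID (ssid); MQMSTR, MQCHIN = started task user IDs. */

/* Started-task procedures through the STARTED class (no IPL needed).  */
RDEFINE STARTED CSQ1MSTR.* STDATA(USER(MQMSTR))
RDEFINE STARTED CSQ1CHIN.* STDATA(USER(MQCHIN))
SETROPTS RACLIST(STARTED) REFRESH

/* Connection security profile ssid.CHIN for the channel initiator.    */
/* UACC(NONE) denies by default; only the CHIN user ID is permitted.   */
RDEFINE MQCONN CSQ1.CHIN UACC(NONE)
PERMIT CSQ1.CHIN CLASS(MQCONN) ID(MQCHIN) ACCESS(READ)

/* UNIX System Services: OMVS segment for the channel initiator user   */
/* ID (required for TLS or a sockets interface). UID is constructed.   */
ALTUSER MQCHIN OMVS(UID(4711) HOME('/') PROGRAM('/bin/sh'))

/* TLS: allow the channel initiator to list its own key ring, the one  */
/* named in the SSLKEYR parameter of ALTER QMGR.                       */
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(MQCHIN) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

/* Verify what was defined before starting the queue manager.          */
RLIST STARTED CSQ1CHIN.* STDATA
RLIST MQCONN CSQ1.CHIN AUTHUSER
LISTUSER MQCHIN OMVS NORACF
```

Review the RLIST output for the access list: only the channel initiator user ID should appear with READ on the ssid.CHIN profile.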