
Set up security on IBM i

Security on IBM i is implemented using the IBM MQ Object Authority Manager (OAM) and IBM i object level security.

Security considerations that must be made when determining access authority to IBM MQ objects.

We need to consider the following points when setting up authorities for the users in your enterprise:
  1. Grant and revoke authorities to the IBM MQ for IBM i commands using the IBM i GRTOBJAUT and RVKOBJAUT commands.

    In the QMQM library, certain objects other than commands (that is, objects that are not of type *CMD) are shipped with *PUBLIC authority *USE. Do not change the authorities of these objects and do not use an authorization list to provide authority to them: the product depends on them, and an incorrect authority can break IBM MQ functionality. Confine your changes to the command objects.

  2. During installation of IBM MQ for IBM i, the following special user profiles are created:

      QMQM
      Is used primarily for internal product-only functions. However, it can also be used to run trusted applications using MQCNO_FASTPATH_BINDINGS. Because a fast-path application runs in the queue manager's own process with its authority, it must be fully trusted. See Connect to a queue manager using the MQCONNX call.

      QMQMADM
      Is used as a group profile for administrators of IBM MQ. The group profile gives access to CL commands and IBM MQ resources.

    When using SBMJOB to submit programs that call IBM MQ commands, USER must not be set explicitly to QMQMADM. Instead, set USER to QMQM or another user profile that has QMQMADM specified as a group.

  3. If we are sending channel commands to remote queue managers, ensure that your user profile is a member of the group QMQMADM on the target system. For a list of PCF and MQSC channel commands, see IBM MQ for IBM i CL commands.
  4. The group set associated with a user is cached when the group authorizations are computed by the OAM.

    Any changes made to a user's group memberships after the group set has been cached are not recognized until you restart the queue manager or execute RFRMQMAUT to refresh security.

  5. Limit the number of users who have authority to work with commands that are particularly sensitive. These commands include:

    • Create Message Queue Manager ( CRTMQM )
    • Delete Message Queue Manager ( DLTMQM )
    • Start Message Queue Manager ( STRMQM )
    • End Message Queue Manager ( ENDMQM )
    • Start Command Server ( STRMQMCSVR )
    • End Command Server ( ENDMQMCSVR )

  6. Channel definitions contain a security exit program specification. Channel creation and modification therefore require special consideration, because whoever can change a channel definition can change the exit that it runs. Details of security exits are given in Security exit overview.
  7. The channel exit and trigger monitor programs can be substituted. Such replacements run as part of the product, so their security is the responsibility of the programmer who supplies them.
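The following CL sequence is an added example, not code from the IBM page; it puts points 1, 2, 4 and 5 together. The profile MQADMIN, the queue manager QMGR1 and the job name STRQMGR1 are hypothetical names chosen for the example.

```cl
/* Added example, not from the IBM page. MQADMIN, QMGR1 and        */
/* STRQMGR1 are hypothetical names.                                 */

/* Point 2: make an existing profile an MQ administrator by giving  */
/* it QMQMADM as its group profile. Keep this membership list       */
/* short: every member of QMQMADM can reach every IBM MQ resource.  */
CHGUSRPRF USRPRF(MQADMIN) GRPPRF(QMQMADM)

/* Points 1 and 5: the IBM MQ for IBM i commands are *CMD objects   */
/* in library QMQM. Remove *PUBLIC access to the sensitive ones     */
/* and grant *USE to the QMQMADM group only. Only *CMD objects are  */
/* touched; the other objects in QMQM keep their shipped authority. */
RVKOBJAUT OBJ(QMQM/CRTMQM)     OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(QMQM/CRTMQM)     OBJTYPE(*CMD) USER(QMQMADM) AUT(*USE)
RVKOBJAUT OBJ(QMQM/DLTMQM)     OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(QMQM/DLTMQM)     OBJTYPE(*CMD) USER(QMQMADM) AUT(*USE)
RVKOBJAUT OBJ(QMQM/STRMQM)     OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(QMQM/STRMQM)     OBJTYPE(*CMD) USER(QMQMADM) AUT(*USE)
RVKOBJAUT OBJ(QMQM/ENDMQM)     OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(QMQM/ENDMQM)     OBJTYPE(*CMD) USER(QMQMADM) AUT(*USE)
RVKOBJAUT OBJ(QMQM/STRMQMCSVR) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(QMQM/STRMQMCSVR) OBJTYPE(*CMD) USER(QMQMADM) AUT(*USE)
RVKOBJAUT OBJ(QMQM/ENDMQMCSVR) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(QMQM/ENDMQMCSVR) OBJTYPE(*CMD) USER(QMQMADM) AUT(*USE)

/* Verify one of them: *PUBLIC should now show *EXCLUDE and         */
/* QMQMADM *USE.                                                    */
DSPOBJAUT OBJ(QMQM/STRMQM) OBJTYPE(*CMD)

/* Point 2: submit a job that runs an MQ command. USER names a      */
/* profile whose group is QMQMADM, never QMQMADM itself.            */
SBMJOB CMD(STRMQM MQMNAME('QMGR1')) JOB(STRQMGR1) USER(MQADMIN)

/* Point 4: the OAM caches each user's group set. After changing    */
/* group membership, refresh it so the change takes effect without  */
/* restarting the queue manager.                                    */
RFRMQMAUT MQMNAME('QMGR1')
```

The revoke-then-grant pair makes the authority on each command explicit, whatever the shipped default was, so the result does not depend on the state the commands were in before. Run the DSPOBJAUT check on every command you changed, not only one, before relying on the restriction.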

  • Object authority manager on IBM i
    The object authority manager (OAM) manages users' authorizations to manipulate IBM MQ objects, including queues and process definitions. It also provides a command interface through which we can grant or revoke access authority to an object for a specific group of users. The decision to allow access to a resource is made by the OAM, and the queue manager follows that decision. If the OAM cannot make a decision, the queue manager prevents access to that resource.
  • IBM MQ authorities on IBM i
    To access IBM MQ objects, we need authority to issue the command and to access the object referenced. Administrators have access to all IBM MQ resources.
  • Authorization specification tables on IBM i
    Use this information to determine what authorization is required to use particular API calls, and particular options of those calls, on queue objects, process objects, and queue manager objects.
  • Generic OAM profiles on IBM i
    Object authority manager (OAM) generic profiles enable you to set the authority a user has to many objects at once, rather than having to issue separate GRTMQMAUT commands against each individual object when it is created. Using generic profiles in the GRTMQMAUT command enables you to set a generic authority for all future objects created that fit that profile.
  • Specify the installed authorization service on IBM i
    We can specify which authorization service component to use.
  • Work with and without authority profiles on IBM i
    Use this information to learn how to work with authority profiles and how to work without authority profiles.
  • Object Authority Manager guidelines on IBM i
    Additional hints and tips for using the object authority manager (OAM)
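As an added example that is not part of the IBM page, the following CL sequence shows the OAM side of the picture: least-privilege authorities for an application, granted to an IBM i group profile through generic profiles, followed by a check of the effective authority. The queue manager QMGR1, the group profile ORDAPP, its member ORDUSR1 and the ORDERS.* queue names are hypothetical.

```cl
/* Added example, not from the IBM page. QMGR1, ORDAPP, ORDUSR1     */
/* and the ORDERS.* queues are hypothetical names.                  */

/* Put application users in an IBM i group profile and grant OAM    */
/* authority to the group rather than to individual users.          */
CHGUSRPRF USRPRF(ORDUSR1) GRPPRF(ORDAPP)

/* The application must be able to connect to the queue manager     */
/* object (*MQM) before any queue authority matters.                */
GRTMQMAUT OBJ('QMGR1') OBJTYPE(*MQM) USER(ORDAPP) +
          AUT(*CONNECT *INQ) MQMNAME('QMGR1')

/* Generic profiles: ** matches any number of qualifiers, so these  */
/* also cover ORDERS.REQ.* and ORDERS.RPY.* queues created later.   */
/* Requests are put only; replies are got only. Two non-overlapping */
/* profiles keep the MQI authority of each side minimal.            */
GRTMQMAUT OBJ('ORDERS.REQ.**') OBJTYPE(*Q) USER(ORDAPP) +
          AUT(*PUT *INQ) MQMNAME('QMGR1')
GRTMQMAUT OBJ('ORDERS.RPY.**') OBJTYPE(*Q) USER(ORDAPP) +
          AUT(*GET *BROWSE *INQ) MQMNAME('QMGR1')

/* Check the effective authority of one member on one queue. The    */
/* user should have *PUT on a request queue and no *GET.            */
DSPMQMAUT OBJ('ORDERS.REQ.IN') OBJTYPE(*Q) USER(ORDUSR1) +
          MQMNAME('QMGR1')
DSPMQMAUT OBJ('ORDERS.RPY.IN') OBJTYPE(*Q) USER(ORDUSR1) +
          MQMNAME('QMGR1')
```

Because the OAM caches the group set, the CHGUSRPRF change is only seen after RFRMQMAUT MQMNAME('QMGR1') or a restart of the queue manager; run the refresh before the DSPMQMAUT checks, otherwise the display reflects the old membership. Use DSPMQMAUT against a real user, not the group, so that what you see is the decision the OAM will actually make for that user.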

Parent topic: Set up security

Last updated: 2020-10-04