Considerations for model queues
To open a model queue, we must be able to open both the model queue itself and the dynamic queue to which it resolves. Define generic RACF profiles for dynamic queues, including dynamic queues used by IBM MQ utilities.
When you open a model queue, IBM MQ security makes two queue security checks:
- Are you authorized to access the model queue?
- Are you authorized to access the dynamic queue to which the model queue resolves?
If the dynamic queue name contains a trailing asterisk (*) character, this * is replaced by a character string generated by IBM MQ, to create a dynamic queue with a unique name. However, because the whole name, including this generated string, is used for checking authority, we should define generic profiles for these queues.
For example, an MQOPEN call uses a model queue name of CREDIT.CHECK.REPLY.MODEL and a dynamic queue name of CREDIT.REPLY.* on queue manager (or queue sharing group) MQSP.
To do this, we must issue the following RACF commands to define the necessary queue profiles:RDEFINE MQQUEUE MQSP.CREDIT.CHECK.REPLY.MODEL RDEFINE MQQUEUE MQSP.CREDIT.REPLY.**We must also issue the corresponding RACF PERMIT commands to allow the user access to these profiles.
A typical dynamic queue name created by an MQOPEN is something like CREDIT.REPLY.A346EF00367849A0. The precise value of the last qualifier is unpredictable; this is why we should use generic profiles for such queue names.
A number of IBM MQ utilities put messages on dynamic queues. We should define profiles for the following dynamic queue names, and provide RACF UPDATE access to the relevant user IDs (see User IDs for security checking on z/OS for the correct user IDs):SYSTEM.CSQUTIL.* (used by CSQUTIL) SYSTEM.CSQOREXX.* (used by the operations and control panels) SYSTEM.CSQXCMD.* (used by the channel initiator when processing CSQINPX) CSQ4SAMP.* (used by the IBM MQ supplied samples)We might also consider defining a profile to control use of the dynamic queue name used by default in the application programming copy members. The IBM MQ-supplied copybooks contain a default DynamicQName, which is CSQ.*. This enables an appropriate RACF profile to be established.
Note: Do not allow application programmers to specify a single * for the dynamic queue name. If you do, we must define an hlq.** profile in the MQQUEUE class, and you would have to give it wide-ranging access. This means that this profile could also be used for other non-dynamic queues that do not have a more specific RACF profile. Your users could, therefore, gain access to queues we do not want them to access. Parent topic: Profiles for queue security