Security considerations for using IBM MQ with IMS
Use this topic to plan your security requirements when you use IBM MQ with IMS.
Use the OPERCMDS class
If you are using RACF to protect resources in the OPERCMDS class, ensure that the user ID associated with the IBM MQ queue manager address space has authority to issue the MODIFY command to any IMS system to which it can connect.
Security considerations for the IMS bridge
There are four aspects that you must consider when deciding your security requirements for the IMS bridge:
- What security authorization is needed to connect IBM MQ to IMS
- How much security checking is performed on applications using the bridge to access IMS
- Which IMS resources these applications are allowed to use
- What authority is to be used for messages that are put and got by the bridge
When you define your security requirements for the IMS bridge, you must consider the following:
- Messages passing across the bridge might have originated from applications on platforms that do not offer strong security features
- Messages passing across the bridge might have originated from applications that are not controlled by the same enterprise or organization
- Security considerations for connecting to IMS
  Grant the user ID of the IBM MQ queue manager address space access to the OTMA group.
- Application access control for the IMS bridge
  Define a RACF profile in the FACILITY class for each IMS system. Grant an appropriate level of access to the IBM MQ queue manager user ID.
- Security checking on IMS
  Messages that pass across the bridge contain security information. The security checks made depend on the setting of the IMS command /SECURE OTMA.
- Security checking done by the IMS bridge
  Different authorities are used depending on the action being performed.
- Use RACF PassTickets in the IMS header
  You can use a PassTicket in place of a password in the IMS header.