Security considerations for connecting to IMS

Grant the user ID of the IBM MQ queue manager address space access to the OTMA group.

The IMS bridge is an OTMA client. The connection to IMS operates under the user ID of the IBM MQ queue manager address space. This is normally defined as a member of the started task group. This user ID must be granted access to the OTMA group (unless the /SECURE OTMA setting is NONE).

To do this, define the following profile in the FACILITY class:

IMSXCF.xcfgname.mqxcfmname

Where xcfgname is the XCF group name and mqxcfmname is the XCF member name of IBM MQ.

We must give the IBM MQ queue manager user ID read access to this profile.

Note:
  1. If we change the authorities in the FACILITY class, we must issue the RACF command SETROPTS RACLIST(FACILITY) REFRESH to activate the changes.
  2. If profile hlq.NO.SUBSYS.SECURITY exists in the MQADMIN class, no user ID is passed to IMS and the connection fails unless the /SECURE OTMA setting is NONE.
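
The steps above as RACF commands, as an added example that is not part of the original page. MQSTC is a placeholder for the user ID of the queue manager address space, xcfgname and mqxcfmname are the placeholders used in the text, and UACC(NONE) is an assumption so that only explicitly permitted user IDs get access.

```tso
/* Placeholders: xcfgname = XCF group name, mqxcfmname = XCF member name of IBM MQ */
/* MQSTC is an assumed name for the queue manager address space user ID            */

/* Define the profile with no default access (UACC(NONE) is an assumption) */
RDEFINE FACILITY IMSXCF.xcfgname.mqxcfmname UACC(NONE)

/* Grant the queue manager user ID READ access to the profile */
PERMIT IMSXCF.xcfgname.mqxcfmname CLASS(FACILITY) ID(MQSTC) ACCESS(READ)

/* Activate the change to the FACILITY class */
SETROPTS RACLIST(FACILITY) REFRESH

/* Check: list the profile together with its access list */
RLIST FACILITY IMSXCF.xcfgname.mqxcfmname AUTHUSER
```

The access list in the RLIST output should show the queue manager user ID with READ and no broader entries than intended.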
