Application access control for the IMS bridge

Define a RACF profile in the FACILITY class for each IMS system. Grant an appropriate level of access to the IBM MQ queue manager user ID.

For each IMS system that the IMS bridge connects to, we can define the following RACF profile in the FACILITY class to determine how much security checking is performed for each message passed to the IMS system.

IMSXCF.xcfgname.imsxcfmname

Where xcfgname is the XCF group name and imsxcfmname is the XCF member name for IMS. (We need to define a separate profile for each IMS system.)

The access level you allow for the IBM MQ queue manager user ID in this profile is returned to IBM MQ when the IMS bridge connects to IMS, and indicates the level of security that is required on subsequent transactions. For subsequent transactions, IBM MQ requests the appropriate services from RACF and, where the user ID is authorized, passes the message to IMS.

OTMA does not support the IMS /SIGN command; however, IBM MQ allows you to set the access checking for each message to enable implementation of the necessary level of control.

The following access level information can be returned:

    NONE or NO PROFILE FOUND
    These values indicate that maximum security is required, that is, authentication is required for every transaction. A check is made to verify that the user ID specified in the UserIdentifier field of the MQMD structure, and the password or PassTicket in the Authenticator field of the MQIIH structure, are known to RACF and are a valid combination. A UTOKEN is created with a password or PassTicket and passed to IMS; the UTOKEN is not cached.
    Note: If profile hlq.NO.SUBSYS.SECURITY exists in the MQADMIN class, this level of security overrides whatever is defined in the profile.

    READ
    This value indicates that the same authentication is to be performed as for NONE under the following circumstances:

    • The first time that a specific user ID is encountered
    • When the user ID has been encountered before but the cached UTOKEN was not created with a password or PassTicket

    IBM MQ requests a UTOKEN if required, and passes it to IMS.
    Note: If a request to reverify security has been acted on, all cached information is lost and a UTOKEN is requested the first time each user ID is later encountered.

    UPDATE
    A check is made that the user ID in the UserIdentifier field of the MQMD structure is known to RACF.

    A UTOKEN is built and passed to IMS; the UTOKEN is cached.

    CONTROL/ALTER
    These values indicate that no security UTOKENs need to be provided for any user IDs for this IMS system. (You would probably only use this option for development and test systems.)
    Attention: The user ID contained in the UserIdentifier field of the MQMD structure is still passed for CONTROL/ALTER.

Note:

  1. This access is defined when IBM MQ connects to IMS, and lasts for the duration of the connection. To change the security level, the access to the security profile must be changed and then the bridge stopped and restarted (for example, by stopping and restarting OTMA).
  2. If we change the authorities in the FACILITY class, we must issue the RACF command SETROPTS RACLIST(FACILITY) REFRESH to activate the changes.
  3. We can use a password or a PassTicket, but we must remember that the IMS bridge does not encrypt data. For information about using PassTickets, see Use RACF PassTickets in the IMS header.
  4. Some of these results might be affected by security settings in IMS, using the /SECURE OTMA command.
  5. Cached UTOKEN information is held for the duration defined by the INTERVAL and TIMEOUT parameters of the IBM MQ ALTER SECURITY command.
  6. The RACF WARNING option has no effect on the IMSXCF.xcfgname.imsxcfmname profile. Its use does not affect the level of access granted, and no RACF WARNING messages are produced.
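The following RACF command sequence, written in TSO CLIST form, is an added example and not part of the IBM page; it defines the IMSXCF profile described above and grants the queue manager user ID READ access. The XCF group name MQXCFGRP, IMS member name IMSMEMBR and user ID MQQMUSER are assumed placeholders.

```clist
/* Added example (not from the IBM page): RACF commands that set up  */
/* the IMS bridge FACILITY profile described above.                  */
/* Assumed names: XCF group MQXCFGRP, IMS XCF member IMSMEMBR, and   */
/* queue manager user ID MQQMUSER. Substitute your own values.       */

/* 1. Make sure the FACILITY class is active and RACLISTed so that   */
/*    profile changes can be refreshed in storage.                   */
SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)

/* 2. Define one profile per IMS system. UACC(NONE) means any user   */
/*    ID without an explicit permit gets the NONE level, that is,    */
/*    full authentication of every message (the strictest default).  */
RDEFINE FACILITY IMSXCF.MQXCFGRP.IMSMEMBR UACC(NONE)

/* 3. Give the queue manager user ID READ access: each user ID is    */
/*    authenticated with its password or PassTicket the first time   */
/*    it is seen (or when its cached UTOKEN lacks one), then the     */
/*    UTOKEN is cached for the ALTER SECURITY INTERVAL/TIMEOUT period.*/
/*    ACCESS(UPDATE) only checks that the user ID exists in RACF;    */
/*    CONTROL/ALTER switch UTOKENs off, so keep those to test systems.*/
PERMIT IMSXCF.MQXCFGRP.IMSMEMBR CLASS(FACILITY) ID(MQQMUSER) ACCESS(READ)

/* 4. Activate the change in storage. The bridge only picks up the   */
/*    new level at connect time, so stop and restart OTMA afterwards.*/
SETROPTS RACLIST(FACILITY) REFRESH

/* 5. Verify: the access list should show MQQMUSER with READ. Do not */
/*    rely on WARNING mode; it is ignored for this profile.          */
RLIST FACILITY IMSXCF.MQXCFGRP.IMSMEMBR AUTHUSER
```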
