Security checking on IMS
Messages that pass across the bridge contain security information. The security checks made depend on the setting of the IMS command /SECURE OTMA.
Each IBM MQ message that passes across the bridge contains the following security information:- A user ID contained in the UserIdentifier field of the MQMD structure
- The security scope contained in the SecurityScope field of the MQIIH structure (if the MQIIH structure is present)
- A UTOKEN (unless the IBM MQ sub system has CONTROL or ALTER access to the relevant IMSXCF.xcfgname.imsxcfmname profile)
The security checks made depend on the setting of the IMS command /SECURE OTMA, as follows:
- /SECURE OTMA NONE
- No security checks are made for the transaction.
- /SECURE OTMA CHECK
- The UserIdentifier field of the MQMD structure is passed to IMS for transaction or command authority checking.
An ACEE (Accessor Environment Element) is built in the IMS control region.
- /SECURE OTMA FULL
- The UserIdentifier field of the MQMD structure is passed to IMS for transaction or command authority checking.
An ACEE is built in the IMS dependent region as well as the IMS control region.
- /SECURE OTMA PROFILE
- The UserIdentifier field of the MQMD structure is passed to IMS for transaction or command authority checking
The SecurityScope field in the MQIIH structure is used to determine whether to build an ACEE in the IMS dependent region as well as the control region.
Note:
- If we change the authorities in the TIMS or
CIMS class, or the associated group classes
GIMS or DIMS, we must issue the following IMS commands to activate the changes:
- /MODIFY PREPARE RACF
- /MODIFY COMMIT
- If we do not use /SECURE OTMA PROFILE, any value specified in the SecurityScope field of the MQIIH structure is ignored.
Parent topic: Security considerations for using IBM MQ with IMS