
Granting security permissions

When using command resource security, we must set up permissions to allow Advanced Message Security to function. This topic uses RACF commands in the examples. If your enterprise uses a different external security manager (ESM), we must use the equivalent commands for that ESM.

There are three aspects to granting security permissions: the permissions for the AMSM address space, the permissions for the CSQ0UTIL utility, and the permissions that applications need to use queues that have an Advanced Message Security policy defined. Each is covered in its own section below.

Notes: The example commands use the following variables.

  1. QMgrName - the name of the queue manager. On z/OS, this value can also be the name of a queue sharing group.
  2. username - the user ID to be permitted; this can also be a group name.
  3. The examples show the MQQUEUE class. This can also be MXQUEUE, GMQQUEUE or GMXQUEUE. See Profiles for queue security for further information.

Furthermore, if the profile already exists, the RDEFINE command is not required; issue only the PERMIT command.


The AMSM address space

We need to grant some IBM MQ security permissions to the user name that the Advanced Message Security address space runs under.

  • For batch connection to the queue manager, issue:

      RDEFINE MQCONN QMgrName.BATCH UACC(NONE)
      PERMIT QMgrName.BATCH CLASS(MQCONN) ID(username) ACCESS(READ)

  • For access to the SYSTEM.PROTECTION.POLICY.QUEUE, issue:

      RDEFINE MQQUEUE QMgrName.SYSTEM.PROTECTION.POLICY.QUEUE UACC(NONE)
      PERMIT QMgrName.SYSTEM.PROTECTION.POLICY.QUEUE CLASS(MQQUEUE) ID(username) ACCESS(READ)


CSQ0UTIL

The utility that allows users to run the setmqspl and dspmqspl commands requires the following permissions, where the user name is the job user ID:

  • For batch connection to the queue manager, issue:

      RDEFINE MQCONN QMgrName.BATCH UACC(NONE)
      PERMIT QMgrName.BATCH CLASS(MQCONN) ID(username) ACCESS(READ)

  • For access to the SYSTEM.PROTECTION.POLICY.QUEUE, required for the setmqspl command, issue:

      RDEFINE MQQUEUE QMgrName.SYSTEM.PROTECTION.POLICY.QUEUE UACC(NONE)
      PERMIT QMgrName.SYSTEM.PROTECTION.POLICY.QUEUE CLASS(MQQUEUE) ID(username) ACCESS(ALTER)

  • For access to the SYSTEM.PROTECTION.POLICY.QUEUE, required for the dspmqspl command, issue:

      RDEFINE MQQUEUE QMgrName.SYSTEM.PROTECTION.POLICY.QUEUE UACC(NONE)
      PERMIT QMgrName.SYSTEM.PROTECTION.POLICY.QUEUE CLASS(MQQUEUE) ID(username) ACCESS(READ)


Use queues that have an Advanced Message Security policy defined

When an application does any work with queues that have a policy defined on them, that application requires additional permissions to allow Advanced Message Security to protect messages.

The application requires:

  • Read access to the SYSTEM.PROTECTION.POLICY.QUEUE. Do this by issuing:

      RDEFINE MQQUEUE QMgrName.SYSTEM.PROTECTION.POLICY.QUEUE UACC(NONE)
      PERMIT QMgrName.SYSTEM.PROTECTION.POLICY.QUEUE CLASS(MQQUEUE) ID(username) ACCESS(READ)

  • Put access to the SYSTEM.PROTECTION.ERROR.QUEUE. Putting a message requires UPDATE access to the queue profile, so do this by issuing:

      RDEFINE MQQUEUE QMgrName.SYSTEM.PROTECTION.ERROR.QUEUE UACC(NONE)
      PERMIT QMgrName.SYSTEM.PROTECTION.ERROR.QUEUE CLASS(MQQUEUE) ID(username) ACCESS(UPDATE)
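The three sections above define one least-privilege matrix: which RACF profiles each kind of principal needs and the minimum access level on each. The following generator, an added example that is not part of the IBM documentation, encodes that matrix and emits the RDEFINE/PERMIT commands for a queue manager. It skips RDEFINE for profiles that already exist (as the note above allows), lets the caller switch the queue class, and uses UPDATE for the put to the error queue, the access level MQPUT requires. Role names, the function name and the sample user IDs are this example's own.

```python
"""Generate the RACF command set described on this page for one queue manager."""
from typing import Dict, Iterable, List, Tuple

Perm = Tuple[str, str, str]  # (RACF class, profile suffix, access level)

POLICY_Q = "SYSTEM.PROTECTION.POLICY.QUEUE"
ERROR_Q = "SYSTEM.PROTECTION.ERROR.QUEUE"

# Least-privilege matrix taken from the three sections of the page.
# Role names are this example's own labels.
ROLE_PERMS: Dict[str, List[Perm]] = {
    # user ID that the AMS address space (AMSM) runs under
    "amsm": [("MQCONN", "BATCH", "READ"), ("MQQUEUE", POLICY_Q, "READ")],
    # CSQ0UTIL job user ID that runs setmqspl (ALTER also covers dspmqspl)
    "csq0util_admin": [("MQCONN", "BATCH", "READ"), ("MQQUEUE", POLICY_Q, "ALTER")],
    # CSQ0UTIL job user ID that only runs dspmqspl
    "csq0util_display": [("MQCONN", "BATCH", "READ"), ("MQQUEUE", POLICY_Q, "READ")],
    # application that works with queues that have an AMS policy defined;
    # UPDATE on the error queue is what a put requires
    "application": [("MQQUEUE", POLICY_Q, "READ"), ("MQQUEUE", ERROR_Q, "UPDATE")],
}


def racf_commands(qmgr: str, principals: Dict[str, str], queue_class: str = "MQQUEUE",
                  existing: Iterable[Tuple[str, str]] = ()) -> List[str]:
    """Return the RDEFINE/PERMIT commands for a {username: role} mapping.

    qmgr may also be a queue sharing group name. queue_class replaces MQQUEUE
    when the installation uses MXQUEUE, GMQQUEUE or GMXQUEUE. existing lists
    (class, profile) pairs already defined, for which no RDEFINE is emitted.
    """
    defined = set(existing)
    out: List[str] = []
    for user, role in principals.items():
        for cls, suffix, access in ROLE_PERMS[role]:
            cls = queue_class if cls == "MQQUEUE" else cls
            profile = f"{qmgr}.{suffix}"
            if (cls, profile) not in defined:  # define each profile once only
                out.append(f"RDEFINE {cls} {profile} UACC(NONE)")
                defined.add((cls, profile))
            out.append(f"PERMIT {profile} CLASS({cls}) ID({user}) ACCESS({access})")
    return out


if __name__ == "__main__":
    # Constructed sample: one AMSM user and one application user on QM01.
    for cmd in racf_commands("QM01", {"AMSUSR": "amsm", "APPUSR": "application"}):
        print(cmd)
```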

Parent topic: Administer Advanced Message Security security policies

Last updated: 2020-10-04