Security considerations for the IBM MQ Console and REST API on z/OS
The IBM MQ Console and REST API have their own security features that control whether a user can issue, display, or alter commands. The commands are then passed to the queue manager, where queue manager security controls whether the user is allowed to issue the command to that specific queue manager.
Procedure
- Ensure that the mqweb server started task user ID has appropriate authorities to issue certain PCF commands and access certain queues. For more information, see Authority required by the mqweb server started task user ID.
- Ensure that any users that are granted the MQWebUser role have appropriate authorities.
  IBM MQ Console and REST API users that are assigned to the MQWebUser role operate under the security context of the principal. These user IDs can perform only the operations that they are authorized to perform on the queue manager, and need to be granted access to the same system queues as the mqweb server address space.
  The mqweb server started task user ID must be granted alternate user access to all users assigned to the MQWebUser role.
  For more information about granting appropriate authorities for users with the MQWebUser role, see Access to IBM MQ resources required to use the MQ Console or REST API.
- Optional: Configure TLS for the IBM MQ Console and REST API. For more information, see Configure TLS for the REST API and IBM MQ Console on z/OS.
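
The alternate user grant from the second step, as an added REXX example that is not taken from the IBM documentation. It assumes RACF is the external security manager and that the uppercase MQADMIN class is in use; the queue manager name MQ01, the started task user ID MQWEBSTC, and the user IDs APPUSR1 and APPUSR2 are placeholders.

```rexx
/* REXX - added example; every name below is a placeholder            */
qmgr  = 'MQ01'               /* assumed queue manager (or QSG) name   */
stcid = 'MQWEBSTC'           /* assumed mqweb started task user ID    */
users = 'APPUSR1 APPUSR2'    /* assumed user IDs holding MQWebUser    */

address TSO
do i = 1 to words(users)
  /* One discrete profile per user keeps the grant least-privilege:   */
  /* a generic qmgr.ALTERNATE.USER.* profile would let the started    */
  /* task act as any user ID, not only the MQWebUser users.           */
  prof = qmgr'.ALTERNATE.USER.'word(users, i)

  "RDEFINE MQADMIN" prof "UACC(NONE)"
  "PERMIT" prof "CLASS(MQADMIN) ID("stcid") ACCESS(UPDATE)"

  /* Review check: the access list should show only the started task  */
  "RLIST MQADMIN" prof "AUTHUSER"
end

/* Refresh the in-storage copies of the MQADMIN profiles              */
"SETROPTS RACLIST(MQADMIN) REFRESH"
```

After the exec completes, issue the MQSC command `REFRESH SECURITY(MQADMIN)` on the queue manager so that it picks up the changed profiles.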
- Authority required by the mqweb server started task user ID
  On z/OS, the mqweb server started task user ID requires certain authorities to issue PCF commands and access system resources.
- Access to IBM MQ resources required to use the MQ Console or REST API
  Operations performed in the MQ Console, or REST API, by a user in the MQWebUser role take place under the security context of the user.
- Configure TLS for the REST API and IBM MQ Console on z/OS
  On z/OS, you can configure the mqweb server to use a RACF key ring to store certificates for secure connections with TLS, and client certificate authentication.