Why we need to protect WebSphere MQ resources
Because WebSphere MQ handles the transfer of information that is potentially valuable, it needs the safeguard of a security system. This is to ensure that the resources WebSphere MQ owns and manages are protected from unauthorized access that might lead to the loss or disclosure of the information. It is essential that none of the following are accessed or changed by any unauthorized user or process:
- Connections to WebSphere MQ
- WebSphere MQ objects such as queues, processes, and namelists
- WebSphere MQ transmission links
- WebSphere MQ system control commands
- WebSphere MQ messages
- Context information associated with messages
To provide the necessary security, WebSphere MQ uses the z/OS system authorization facility (SAF) to route authorization requests to an External Security Manager (ESM), for example Security Server (previously known as RACF). WebSphere MQ does no security verification of its own. Where distributed queuing or clients are being used, you might require additional security measures, for which WebSphere MQ provides channel exits, the MCAUSER channel attribute, and the Secure Sockets Layer (SSL).
The decision to allow access to an object is made by the ESM and WebSphere MQ follows that decision. If the ESM cannot make a decision, WebSphere MQ prevents access to the object.