Task 11: Implement your ESM security controls

 

You must now consider how you are going to implement any security controls for WebSphere MQ.

If you use RACF as your external security manager, see Set up security, which describes how to implement these security controls.

If you are using queue-sharing groups, ensure that the user IDs associated with the queue manager, channel initiator, and the utilities (as specified in step 6) have authority to establish an RRSAF connection to each DB2 subsystem with which you want to establish a connection. The RACF profile to which the user ID requires READ access is DB2ssid.RRSAF in the DSNR resource class.

If you are using the channel initiator, also do the following:

  1. If your subsystem has connection security active, define a connection security profile ssid.CHIN to your external security manager (see Connection security profiles for the channel initiator for information about this).

  2. If you are using the Secure Sockets Layer (SSL) or a sockets interface, ensure that the user ID under whose authority the channel initiator is running is configured to use OpenEdition, as described in the OS/390 OpenEdition Planning manual.

  3. If you are using SSL, ensure that the user ID under whose authority the channel initiator is running is configured to access the key ring specified in the SSLKEYR parameter of the ALTER QMGR command.

  4. Ensure that the user ID associated with the channel initiator has READ access to the BPX.WLMSERVER profile in the FACILITY class.

Queue managers that access the Coupling Facility list structures require the appropriate security access. The RACF class is FACILITY. The queue manager user ID requires ALTER access to the IXLSTR.structure-name profile.

If you are using RACF and you use the RACF STARTED class, you do not need to IPL your system (see RACF authorization of started-task procedures).
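The RACF definitions for the profiles named in this task, written out as TSO commands with CLIST-style comments. This is an added example, not part of the original documentation. All subsystem IDs, user IDs and the structure name are placeholders. The MQCONN class and the READ access level for ssid.CHIN come from standard WebSphere MQ connection security and are not stated on this page.

```tso
/* Placeholders (assumptions, replace with your own values):          */
/*   QM01          queue manager subsystem ID (ssid)                   */
/*   DB2A          DB2 subsystem ID (DB2ssid)                          */
/*   MQ01MSTR      user ID of the queue manager started task           */
/*   MQ01CHIN      user ID of the channel initiator started task       */
/*   MQUTIL        user ID that runs the utilities                     */
/*   QSG1CSQ_ADMIN Coupling Facility list structure name               */
/* Omit any RDEFINE whose profile already exists on your system.       */

/* Queue-sharing groups: RRSAF connection to DB2, READ in class DSNR   */
RDEFINE DSNR DB2A.RRSAF UACC(NONE)
PERMIT DB2A.RRSAF CLASS(DSNR) ID(MQ01MSTR MQ01CHIN MQUTIL) ACCESS(READ)

/* Channel initiator, step 1: connection security profile ssid.CHIN    */
RDEFINE MQCONN QM01.CHIN UACC(NONE)
PERMIT QM01.CHIN CLASS(MQCONN) ID(MQ01CHIN) ACCESS(READ)

/* Channel initiator, step 4: READ to BPX.WLMSERVER in class FACILITY  */
RDEFINE FACILITY BPX.WLMSERVER UACC(NONE)
PERMIT BPX.WLMSERVER CLASS(FACILITY) ID(MQ01CHIN) ACCESS(READ)

/* Coupling Facility list structure: ALTER for the queue manager       */
RDEFINE FACILITY IXLSTR.QSG1CSQ_ADMIN UACC(NONE)
PERMIT IXLSTR.QSG1CSQ_ADMIN CLASS(FACILITY) ID(MQ01MSTR) ACCESS(ALTER)

/* Refresh in-storage profiles for the classes that are RACLISTed      */
SETROPTS RACLIST(DSNR MQCONN FACILITY) REFRESH

/* Check: UACC should be NONE and only the intended user IDs listed    */
RLIST DSNR DB2A.RRSAF AUTHUSER
RLIST MQCONN QM01.CHIN AUTHUSER
RLIST FACILITY BPX.WLMSERVER AUTHUSER
RLIST FACILITY IXLSTR.QSG1CSQ_ADMIN AUTHUSER
```

Defining each profile with UACC(NONE) and permitting only the started-task user IDs keeps the access list limited to what this task requires; repeat the IXLSTR definition for each list structure the queue manager uses.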