Dead-letter queue security
Undelivered messages can be put on a special queue called the dead-letter queue. If you have sensitive data that could possibly end up on this queue, consider the security implications of this because you do not want unauthorized users to retrieve this data.
Each of the following must be allowed to put messages onto the dead-letter queue:
- Application programs.
- The channel initiator address space and any MCA user IDs. (If the RESLEVEL profile is not present, or is defined so that network-received user IDs are checked, the network-received user ID also needs authority to put messages on the dead-letter queue.)
- CKTI, the WebSphere MQ-supplied CICS task initiator.
- CSQQTRMN, the WebSphere MQ-supplied IMS trigger monitor.
The only application that can retrieve messages from the dead-letter queue should be a 'special' application that processes these messages. However, a problem arises if you give applications RACF UPDATE authority to the dead-letter queue for MQPUTs because they can then automatically retrieve messages from the queue using MQGET calls. We cannot disable the dead-letter queue for get operations because, if you do, not even the 'special' applications could retrieve the messages.
One solution to this problem is set up a two-level access to the dead-letter queue. CKTI, message channel agent transactions or the channel initiator address space, and 'special' applications have direct access; other applications can only access the dead-letter queue through an alias queue. This alias is defined to allow applications to put messages on the dead-letter queue, but not to get messages from it.
This is how it might work:
- Define the real dead-letter queue with attributes PUT(ENABLED) and GET(ENABLED), as shown in the sample thlqual.SCSQPROC(CSQ4INYG).
- Give RACF UPDATE authority for the dead-letter queue to the following user IDs:
- User IDs that the CKTI and the MCAs or channel initiator address space run under.
- The user IDs associated with the 'special' dead-letter queue processing application.
- Define an alias queue that resolves to the real dead-letter queue, but give the alias queue these attributes: PUT(ENABLED) and GET(DISABLED). Give the alias queue a name with the same stem as the dead-letter queue name but append the characters ".PUT" to this stem. For example, if the dead-letter queue name is hlq.DEAD.QUEUE, the alias queue name would be hlq.DEAD.QUEUE.PUT.
- To put a message on the dead-letter queue, an application uses the alias queue. This is what your application must do:
- Retrieve the name of the real dead-letter queue. To do this, it opens the queue manager object using MQOPEN and then issues an MQINQ to get the dead-letter queue name.
- Build the name of the alias queue by appending the characters '.PUT' to this name, in this case, hlq.DEAD.QUEUE.PUT.
- Open the alias queue, hlq.DEAD.QUEUE.PUT.
- Put the message on the real dead-letter queue by issuing an MQPUT against the alias queue.
- Give the user ID associated with the application RACF UPDATE authority to the alias, but no access (authority NONE) to the real dead-letter queue. This means that:
- The application can put messages onto the dead-letter queue using the alias queue.
- The application cannot get messages from the dead-letter queue using the alias queue because the alias queue is disabled for get operations.
The application cannot get any messages from the real dead-letter queue either because it does have the correct RACF authority.
Table 41 summarizes the RACF authority required for the various participants in this solution.
Table 41. RACF authority to the dead-letter queue and its alias Associated user IDs Real dead-letter queue (hlq.DEAD.QUEUE) Alias dead-letter queue (hlq.DEAD.QUEUE.PUT) MCA or channel initiator address space and CKTI UPDATE NONE 'Special' application (for dead-letter queue processing) UPDATE NONE User-written application user IDs NONE UPDATE If you use this method, the application cannot determine the maximum message length (MAXMSGL) of the dead-letter queue. This is because the MAXMSGL attribute cannot be retrieved from an alias queue. Therefore, your application should assume that the maximum message length is 100 MB, the maximum size WebSphere MQ for z/OS supports. The real dead-letter queue should also be defined with a MAXMSGL attribute of 100 MB.