WebSphere MQ security implementation checklist

This chapter gives a step-by-step procedure you can use to work out and define the security implementation for each of your WebSphere MQ queue managers. Refer to other sections for details, in particular Profiles used to control access to WebSphere MQ resources.

If you require security checking, follow this checklist to implement it:

  1. Activate the RACF MQADMIN class.

  2. Do you want security at queue-sharing group level, queue-manager level, or a combination of both?

    Refer to Profiles to control queue-sharing group or queue manager level security.

  3. Do you need connection security?

    • Yes: Activate the MQCONN class. Define appropriate connection profiles at either queue manager level or queue-sharing group level in the MQCONN class and permit the appropriate users or groups access to these profiles.
      Note:
      Only users of the MQCONN API request or CICS or IMS address space user IDs need to have access to the corresponding connection profile.

    • No: Define an hlq.NO.CONNECT.CHECKS profile at either queue manager level or queue-sharing group level in the MQADMIN class.

  4. Do you need security checking on commands?

    • Yes: Activate the MQCMDS class. Define appropriate command profiles at either queue manager level or queue-sharing group level in the MQCMDS class and permit the appropriate users or groups access to these profiles.

      If you are using a queue-sharing group, you might need to include the user IDs used by the queue manager itself and the channel initiator; see Set up WebSphere MQ resource security.

    • No: Define an hlq.NO.CMD.CHECKS profile for the required queue manager or queue-sharing group in the MQADMIN class.

  5. Do you need security on the resources used in commands?

    • Yes: Ensure the MQADMIN class is active. Define appropriate profiles for protecting resources on commands at either queue manager level or queue-sharing group level in the MQADMIN class and permit the appropriate users or groups access to these profiles. Set the CMDUSER parameter in CSQ6SYSP to the default user ID to be used for command security checks.

      If you are using a queue-sharing group, you might need to include the user IDs used by the queue manager itself and the channel initiator; see Set up WebSphere MQ resource security.

    • No: Define an hlq.NO.CMD.RESC.CHECKS profile for the required queue manager or queue-sharing group in the MQADMIN class.

  6. Do you need queue security?

    • Yes: Activate the MQQUEUE class. Define appropriate queue profiles for the required queue manager or queue-sharing group in the MQQUEUE class and permit the appropriate users or groups access to these profiles.

    • No: Define an hlq.NO.QUEUE.CHECKS profile for the required queue manager or queue-sharing group in the MQADMIN class.

  7. Do you need process security?

    • Yes: Activate the MQPROC class. Define appropriate process profiles at either queue manager or queue-sharing group level and permit the appropriate users or groups access to these profiles.

    • No: Define an hlq.NO.PROCESS.CHECKS profile for the appropriate queue manager or queue-sharing group in the MQADMIN class.

  8. Do you need namelist security?

    • Yes: Activate the MQNLIST class. Define appropriate namelist profiles at either queue manager level or queue-sharing group level in the MQNLIST class and permit the appropriate users or groups access to these profiles.

    • No: Define an hlq.NO.NLIST.CHECKS profile for the required queue manager or queue-sharing group in the MQADMIN class.

  9. Do you need to protect the use of the MQOPEN or MQPUT1 options relating to the use of context?

    • Yes: Ensure the MQADMIN class is active. Define hlq.CONTEXT.queuename profiles at the queue, queue manager, or queue-sharing group level in the MQADMIN class and permit the appropriate users or groups access to these profiles.

    • No: Define an hlq.NO.CONTEXT.CHECKS profile for the required queue manager or queue-sharing group in the MQADMIN class.

  10. Do you need to protect the use of alternate user IDs?

    • Yes: Ensure the MQADMIN class is active. Define the appropriate hlq.ALTERNATE.USER.alternateuserid profiles for the required queue manager or queue-sharing group and permit the required users or groups access to these profiles.

    • No: Define the profile hlq.NO.ALTERNATE.USER.CHECKS for the required queue manager or queue-sharing group in the MQADMIN class.

  11. Do you need to tailor which user IDs are to be used for resource security checks through RESLEVEL?

    • Yes: Ensure the MQADMIN class is active. Define an hlq.RESLEVEL profile at either queue manager level or queue-sharing group level in the MQADMIN class and permit the required users or groups access to the profile.

    • No: Ensure that no generic profiles exist in the MQADMIN class that could apply to hlq.RESLEVEL. Define an hlq.RESLEVEL profile for the required queue manager or queue-sharing group and ensure that no users or groups have access to it.

  12. Do you need to 'time out' unused user IDs from WebSphere MQ?

    • Yes: Determine what timeout values you would like to use and issue the MQSC ALTER SECURITY command to change the TIMEOUT and INTERVAL parameters.

    • No: Issue the MQSC ALTER SECURITY command to set the INTERVAL value to zero.

    Note:
    Update the CSQINP1 initialization input data set used by your subsystem so that the MQSC ALTER SECURITY command is issued automatically at every queue manager startup.

  13. Do you use distributed queuing?

    • Yes: Determine the appropriate MCAUSER attribute value for each channel, and provide suitable channel security exits.

  14. Do you want to use the Secure Sockets Layer (SSL)?

    • Yes: Plan your SSL infrastructure. Install the System SSL feature of z/OS. In RACF, set up your certificate name filters (CNFs), if you are using them, and your digital certificates. Set up your SSL key ring. Ensure that the SSLKEYR queue manager attribute is nonblank and points to your SSL key ring, and ensure that the value of SSLTASKS is at least 2.

    • No: Ensure that SSLKEYR is blank, and SSLTASKS is zero.

    For further details about SSL, see WebSphere MQ Security.

  15. Do you use clients?

  16. Check your switch settings.

    WebSphere MQ issues messages at queue manager startup that display your security settings. Use these messages to determine whether your switches are set correctly. For an example of these messages, see the WebSphere MQ for z/OS System Administration Guide.
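As one worked instance of steps 1 to 11 above (an added example, not IBM's code or part of the original checklist): a REXX exec that issues the RACF commands for a queue manager with connection, command and queue security switched on and the remaining categories switched off at queue-manager level. The queue manager name QM01, the RACF groups MQADMS and MQAPPS, and the queue prefix APP1 are assumptions.

```rexx
/* REXX: RACF commands for one queue manager's MQ security checklist. Added */
/* example, not IBM code. Assumed names: queue manager QM01 (= profile hlq), */
/* RACF groups MQADMS (administrators) and MQAPPS (batch applications).      */
hlq = 'QM01'

/* Step 1: the switch class. MQ checks in-storage profiles, so RACLIST it. */
call racf "SETROPTS CLASSACT(MQADMIN) GENERIC(MQADMIN) RACLIST(MQADMIN)"

/* Step 3, yes: connection security. Only address spaces that issue MQCONN */
/* need READ on the hlq.<connection-type> profile; hlq.BATCH covers batch. */
call racf "SETROPTS CLASSACT(MQCONN) RACLIST(MQCONN)"
call racf "RDEFINE MQCONN" hlq".BATCH UACC(NONE)"
call racf "PERMIT" hlq".BATCH CLASS(MQCONN) ID(MQAPPS MQADMS) ACCESS(READ)"

/* Step 4, yes: command security. DISPLAY needs READ on hlq.DISPLAY.*;     */
/* DEFINE, ALTER and DELETE need ALTER on the matching hlq.verb.objecttype. */
call racf "SETROPTS CLASSACT(MQCMDS) GENERIC(MQCMDS) RACLIST(MQCMDS)"
call racf "RDEFINE MQCMDS" hlq".DISPLAY.** UACC(NONE)"
call racf "PERMIT" hlq".DISPLAY.** CLASS(MQCMDS) ID(MQADMS MQAPPS) ACCESS(READ)"
call racf "RDEFINE MQCMDS" hlq".** UACC(NONE)"
call racf "PERMIT" hlq".** CLASS(MQCMDS) ID(MQADMS) ACCESS(ALTER)"

/* Step 6, yes: queue security. Browse and inquire need READ; MQGET and    */
/* MQPUT need UPDATE. One generic profile covers the application's queues. */
call racf "SETROPTS CLASSACT(MQQUEUE) GENERIC(MQQUEUE) RACLIST(MQQUEUE)"
call racf "RDEFINE MQQUEUE" hlq".APP1.** UACC(NONE)"
call racf "PERMIT" hlq".APP1.** CLASS(MQQUEUE) ID(MQAPPS) ACCESS(UPDATE)"

/* Steps 5, 7, 8, 9, 10, no: the existence of the switch profile turns     */
/* that category of checking off; the profile's access list plays no part. */
switches = 'NO.CMD.RESC.CHECKS NO.PROCESS.CHECKS NO.NLIST.CHECKS',
           'NO.CONTEXT.CHECKS NO.ALTERNATE.USER.CHECKS'
do i = 1 to words(switches)
  call racf "RDEFINE MQADMIN" hlq"."word(switches, i) "UACC(NONE)"
end

/* Step 11, no: hlq.RESLEVEL exists but nobody is permitted to it, so it  */
/* cannot alter which user IDs are checked (first RLIST for generic matches).*/
call racf "RDEFINE MQADMIN" hlq".RESLEVEL UACC(NONE)"

/* Make the new profiles visible; the queue manager reads its switches at */
/* startup (the step 16 messages) or on the MQSC REFRESH SECURITY command. */
call racf "SETROPTS RACLIST(MQADMIN MQCONN MQCMDS MQQUEUE) REFRESH"
exit 0

racf: procedure
  parse arg cmd
  address tso cmd
  if rc > 4 then do; say 'RC' rc 'from:' cmd; exit rc; end  /* 4 = warning */
return 0
```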