Refreshing queue manager security

When a queue is opened for the first time (or for the first time since a security refresh) WebSphere MQ performs a RACF check to obtain the user's access rights and places this information in the cache. The cached data includes user IDs and resources on which security checking has been performed. If the queue is opened again by the same user the presence of the cached data means WebSphere MQ does not have to issue RACF checks, which improves performance. The action of a security refresh is to discard any cached security information and so force WebSphere MQ to make a new check against RACF. Whenever you add, change or delete a RACF resource profile that is held in the MQADMIN, MQPROC, MQQUEUE, or MQNLIST class, tell the queue managers that use this class to refresh the security information that they hold. To do this, issue the following commands:

If you are using generic profiles in any of the WebSphere MQ classes, also issue normal RACF refresh commands if you change, add, or delete any generic profiles. For example, SETROPTS GENERIC(classname) REFRESH.

However, because WebSphere MQ utilizes the RACF dataspace, WebSphere MQ can use RACF profiles as soon as they become available. If a RACF resource profile is added, changed or deleted and the resource to which it applies has not yet been accessed (so no information is cached), WebSphere MQ will use the new RACF information without a security refresh being carried out.

If RACF auditing is turned on (for example, by using the RACF RALTER AUDIT(access-attempt(audit_access_level)) command), no caching takes place, and WebSphere MQ therefore refers directly to the RACF dataspace for every check. Changes are picked up immediately and REFRESH SECURITY is not necessary for them to take effect. You can confirm whether RACF auditing is on by using the RACF RLIST command. For example, you could issue the command

RLIST MQQUEUE (qmgr.SYSTEM.COMMAND.INPUT) GEN

and receive the results

CLASS      NAME                                
-----      ----                                
MQQUEUE    QP*.SYSTEM.COMMAND.*.** (G)         
    AUDITING                
    --------                
    FAILURES(READ)    

This would indicate that auditing is set on. For more information, refer to the z/OS Security Server RACF Auditor's Guide and the z/OS Security Server RACF Command Language Reference.
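The following Python function is an added example, not part of the original documentation, that parses RLIST output of the shape shown above and reports whether auditing is active on the profile (and therefore whether the queue manager caches checks for it). The two sample outputs are constructed for the example and are modelled on the fragment above rather than captured from a real system; the set of AUDIT settings recognised (ALL, SUCCESS, FAILURES with an access level, or NONE) is the standard RACF set.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample RLIST output: a generic profile with FAILURES(READ) auditing.
SAMPLE_RLIST_AUDITED = """\
CLASS      NAME
-----      ----
MQQUEUE    QP*.SYSTEM.COMMAND.*.** (G)
    AUDITING
    --------
    FAILURES(READ)
"""

# Constructed sample RLIST output: the same layout with auditing set to NONE.
SAMPLE_RLIST_UNAUDITED = """\
CLASS      NAME
-----      ----
MQQUEUE    PRMQ.INSURANCE.LIFE.** (G)
    AUDITING
    --------
    NONE
"""

# "MQQUEUE    QP*.SYSTEM.COMMAND.*.** (G)": class, profile name, optional generic flag
PROFILE_LINE = re.compile(
    r"^(?P<cls>[A-Z@#$][A-Z0-9@#$]*)\s+(?P<name>\S+)(?:\s+\((?P<flag>G)\))?\s*$")
# One AUDIT setting as RLIST prints it, e.g. FAILURES(READ) or NONE
AUDIT_SETTING = re.compile(
    r"^(ALL|SUCCESS|FAILURES)\((READ|UPDATE|CONTROL|ALTER)\)$|^NONE$")


@dataclass
class ProfileAudit:
    resource_class: str
    profile: str
    generic: bool
    audit_settings: List[str] = field(default_factory=list)

    @property
    def auditing_on(self) -> bool:
        # Any setting other than NONE means RACF audits access to this profile
        return any(s.upper() != "NONE" for s in self.audit_settings)

    @property
    def cached_by_qmgr(self) -> bool:
        # As the text states: with auditing on, no caching takes place and
        # REFRESH SECURITY is not needed for changes to this profile.
        return not self.auditing_on


def parse_rlist(output: str) -> ProfileAudit:
    """Extract class, profile name, generic flag and AUDIT settings from RLIST output."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    cls = name = None
    generic = False
    settings: List[str] = []
    i = 0
    while i < len(lines):
        ln = lines[i]
        # Both sections are a header, a dashed underline, then the data line
        if (ln.split()[0] == "CLASS" or ln == "AUDITING") and i + 2 >= len(lines):
            raise ValueError(f"truncated section at: {ln!r}")
        if ln.split()[0] == "CLASS":
            m = PROFILE_LINE.match(lines[i + 2])
            if not m:
                raise ValueError(f"unrecognised profile line: {lines[i + 2]!r}")
            cls, name = m.group("cls"), m.group("name")
            generic = m.group("flag") == "G"
            i += 3
            continue
        if ln == "AUDITING":
            for setting in lines[i + 2].split(","):
                setting = setting.strip()
                if not AUDIT_SETTING.match(setting):
                    raise ValueError(f"unrecognised audit setting: {setting!r}")
                settings.append(setting)
            i += 3
            continue
        i += 1
    if cls is None:
        raise ValueError("no CLASS/NAME section found")
    return ProfileAudit(cls, name, generic, settings)


if __name__ == "__main__":
    for sample in (SAMPLE_RLIST_AUDITED, SAMPLE_RLIST_UNAUDITED):
        r = parse_rlist(sample)
        print(f"{r.resource_class} {r.profile} generic={r.generic} "
              f"auditing_on={r.auditing_on} cached_by_qmgr={r.cached_by_qmgr}")
```

Real RLIST output carries further sections (owner, universal access, access list) between the ones parsed here; the function skips lines it does not recognise, so those sections do not disturb it.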

Figure 29 summarizes the situations in which security information is cached and in which cached information is used.

Figure 29. Logic flow for WebSphere MQ security caching

If you change your security settings by adding or deleting switch profiles in the MQADMIN class, you need to use the REFRESH SECURITY(*) or REFRESH SECURITY(MQADMIN) command to pick up these changes dynamically. This means you can activate new security types, or deactivate them, without having to restart the queue manager.

For performance reasons, these are the only classes affected by the REFRESH SECURITY command. You do not need to use REFRESH SECURITY if you change a profile in either the MQCONN or MQCMDS classes.

Note:
A refresh of MQADMIN is not required if you change a RESLEVEL security profile.

For performance reasons, use REFRESH SECURITY as infrequently as possible, ideally at off-peak times. You can minimize the number of security refreshes by connecting users to RACF groups that are already in the access list for WebSphere MQ profiles, rather than putting individual users in the access lists. In this way, you change the user's group membership rather than the resource profile. You can also use RVERIFY SECURITY for the appropriate user instead of refreshing security.

As an example of REFRESH SECURITY, suppose you define the new profiles to protect access to queues starting with INSURANCE.LIFE on queue manager PRMQ. You use these RACF commands:

RDEFINE MQQUEUE PRMQ.INSURANCE.LIFE.** UACC(NONE)
PERMIT PRMQ.INSURANCE.LIFE.** ID(LIFEGRP) ACCESS(UPDATE)

Issue the following command to tell RACF to refresh the security information that it holds:

SETROPTS RACLIST(MQQUEUE) REFRESH

Because these profiles are generic, tell RACF to refresh the generic profiles for MQQUEUE. For example:

SETROPTS GENERIC(MQQUEUE) REFRESH

Then use this command to tell queue manager PRMQ that the queue profiles have changed:

REFRESH SECURITY(MQQUEUE)
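The following Python function is an added example, not part of the original documentation, that generalizes the PRMQ example above: given a list of changed RACF profiles, it produces the RACF and MQSC commands that make the changes take effect, applying the rules stated on this page (SETROPTS GENERIC REFRESH only for generic profiles; REFRESH SECURITY only for MQADMIN, MQPROC, MQQUEUE and MQNLIST; no queue manager refresh for MQCONN or MQCMDS, for a RESLEVEL profile, or for a profile with RACF auditing on). It assumes every changed class is RACLISTed, as the example above does, and the profile names other than PRMQ.INSURANCE.LIFE.** are constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Classes whose cached security information REFRESH SECURITY discards
REFRESHABLE_CLASSES = {"MQADMIN", "MQPROC", "MQQUEUE", "MQNLIST"}
# Classes the queue manager checks without caching, so no refresh is needed
UNCACHED_CLASSES = {"MQCONN", "MQCMDS"}


@dataclass(frozen=True)
class ProfileChange:
    resource_class: str    # RACF class, e.g. MQQUEUE
    profile: str           # profile name, e.g. PRMQ.INSURANCE.LIFE.**
    audited: bool = False  # RACF AUDIT active on the profile: checks bypass the cache


def is_generic(profile: str) -> bool:
    # RACF generic characters: * and ** for qualifiers, % for single characters
    return any(ch in profile for ch in "*%")


def is_reslevel(change: ProfileChange) -> bool:
    # RESLEVEL profiles are qmgr.RESLEVEL in MQADMIN; changing one does not
    # require a refresh of MQADMIN.
    return (change.resource_class == "MQADMIN"
            and change.profile.upper().endswith(".RESLEVEL"))


def plan_refresh(changes: List[ProfileChange]) -> List[str]:
    """Return, in order, the RACF commands and then the MQSC commands needed."""
    racf_cmds: List[str] = []
    mqsc_cmds: List[str] = []
    for cls in sorted({c.resource_class for c in changes}):
        if cls not in REFRESHABLE_CLASSES | UNCACHED_CLASSES:
            raise ValueError(f"not a WebSphere MQ class: {cls}")
        in_class = [c for c in changes if c.resource_class == cls]
        # Assumption: the class is RACLISTed, so RACF's in-storage copy comes first
        racf_cmds.append(f"SETROPTS RACLIST({cls}) REFRESH")
        if any(is_generic(c.profile) for c in in_class):
            racf_cmds.append(f"SETROPTS GENERIC({cls}) REFRESH")
        # The queue manager only needs telling when at least one change could
        # still be served from its cache.
        needs_qmgr_refresh = cls in REFRESHABLE_CLASSES and any(
            not (is_reslevel(c) or c.audited) for c in in_class)
        if needs_qmgr_refresh:
            mqsc_cmds.append(f"REFRESH SECURITY({cls})")
    return racf_cmds + mqsc_cmds


if __name__ == "__main__":
    # The page's own example: a new generic MQQUEUE profile on queue manager PRMQ
    for cmd in plan_refresh([ProfileChange("MQQUEUE", "PRMQ.INSURANCE.LIFE.**")]):
        print(cmd)
```

Running the block prints the same three commands the example above issues by hand; a change to an MQCMDS profile, a RESLEVEL profile, or an audited profile yields only the RACF-side refresh.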