Application access control

For each IMS system that the IMS bridge connects to, you can define the following RACF profile in the FACILITY class to determine how much security checking is performed for each message passed to that IMS system.

IMSXCF.xcfgname.imsxcfmname

where xcfgname is the XCF group name and imsxcfmname is the XCF member name of the IMS system. (You need to define a separate profile for each IMS system.)

The access level you allow for the WebSphere MQ queue manager user ID in this profile is returned to WebSphere MQ when the IMS bridge connects to IMS, and indicates the level of security that is required on subsequent transactions. For subsequent transactions, WebSphere MQ requests the appropriate services from RACF and, where the user ID is authorized, passes the message to IMS.

OTMA does not support the IMS /SIGN command; however, WebSphere MQ allows you to set the access checking for each message to enable implementation of the necessary level of control.

The following access level information can be returned:

NONE or NO PROFILE FOUND

This indicates that maximum security is required, that is, authentication is required for every transaction. A check is made to verify that the user ID specified in the UserIdentifier field of the MQMD structure and the password or passticket in the Authenticator field of the MQIIH structure are known to RACF and are a valid combination. A Utoken is created with the password or passticket and passed to IMS; the Utoken is not cached.
Note:
If profile hlq.NO.SUBSYS.SECURITY exists in the MQADMIN class, this level of security overrides whatever is defined in the profile.

READ

This indicates that the same authentication is to be performed as above under the following circumstances:

  • The first time that a specific user ID is encountered

  • When the user ID has been encountered before but the cached Utoken was not created with a password or passticket

WebSphere MQ requests a Utoken if required, and passes it to IMS.

Note:
If a request to reverify security has been actioned, all cached information is lost and a Utoken is requested the first time each user ID is subsequently encountered.

UPDATE

A check is made that the user ID in the UserIdentifier field of the MQMD structure is known to RACF.

A Utoken is built and passed to IMS; the Utoken is cached.

CONTROL/ALTER

These indicate that no security Utokens need to be provided for any user IDs for this IMS system. (You would probably only use this for development and test systems.)

Notes:

  1. This access is defined when WebSphere MQ connects to IMS, and lasts for the duration of the connection. To change the security level, the access to the security profile must be changed and then the bridge stopped and restarted (for example, by stopping and restarting OTMA).

  2. If you change the authorities in the FACILITY class, issue the RACF command SETROPTS RACLIST(FACILITY) REFRESH to activate the changes.

  3. You can use a password or a passticket, but remember that the IMS bridge does not encrypt data. For information about using passtickets, see Using RACF passtickets in the IMS header.

  4. Some of the above might be affected by security settings in IMS, using the /SECURE OTMA command.

  5. Cached Utoken information is held for the duration defined by the INTERVAL and TIMEOUT parameters of the WebSphere MQ ALTER SECURITY command.
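The access-level rules above, as an added Python model (not WebSphere MQ code) that shows which RACF check a message triggers under each level and how the Utoken cache and a reverify request affect it. It assumes the Utoken cache is shared by all of the queue manager's IMS bridge connections and ignores INTERVAL/TIMEOUT expiry.

```python
from dataclasses import dataclass, field


@dataclass
class CachedUtoken:
    # True when the Utoken was built with a password/passticket (READ),
    # False when only the user ID was verified (UPDATE).
    built_with_password: bool


@dataclass
class UtokenCache:
    """Queue-manager Utoken cache (assumed shared by all IMS bridge connections)."""
    entries: dict = field(default_factory=dict)

    def reverify(self) -> None:
        # A "reverify security" request discards every cached Utoken.
        self.entries.clear()


@dataclass
class ImsBridgeConnection:
    access: str                       # RACF access level for IMSXCF.xcfgname.imsxcfmname
    cache: UtokenCache
    no_subsys_security: bool = False  # hlq.NO.SUBSYS.SECURITY exists in MQADMIN

    def check_message(self, user_id: str) -> str:
        """Return the check performed for one message:
        'authenticate'  - MQMD.UserIdentifier plus MQIIH.Authenticator verified by RACF
        'verify_userid' - only the user ID is checked against RACF
        'cached'        - an existing cached Utoken is reused
        'none'          - no Utoken is built for this IMS system"""
        level = self.access.upper()
        if self.no_subsys_security or level in ("CONTROL", "ALTER"):
            return "none"
        if level in ("NONE", "NO PROFILE FOUND"):
            return "authenticate"  # every message; the Utoken is never cached
        cached = self.cache.entries.get(user_id)
        if level == "READ":
            if cached is not None and cached.built_with_password:
                return "cached"
            # First encounter, or cached Utoken lacks a password/passticket.
            self.cache.entries[user_id] = CachedUtoken(built_with_password=True)
            return "authenticate"
        if level == "UPDATE":
            if cached is not None:
                return "cached"
            self.cache.entries[user_id] = CachedUtoken(built_with_password=False)
            return "verify_userid"
        raise ValueError(f"unexpected RACF access level {self.access!r}")
```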