Security checking on IMS
Each WebSphere MQ message that passes across the bridge contains the following security information:
- A user ID contained in the UserIdentifier field of the MQMD structure
- The security scope contained in the SecurityScope field of the MQIIH structure (if the MQIIH structure is present)
- A Utoken (unless the WebSphere MQ subsystem has CONTROL or ALTER access to the relevant IMSXCF.xcfgname.imsxcfmname profile)
The security checks that are made depend on the setting specified by the IMS command /SECURE OTMA, as follows:
- /SECURE OTMA NONE
  No security checks are made for the transaction.
- /SECURE OTMA CHECK
  The UserIdentifier field of the MQMD structure is passed to IMS for transaction or command authority checking. An ACEE (Accessor Environment Element) is built in the IMS control region.
- /SECURE OTMA FULL
  The UserIdentifier field of the MQMD structure is passed to IMS for transaction or command authority checking. An ACEE is built in the IMS dependent region as well as the IMS control region.
- /SECURE OTMA PROFILE
  The UserIdentifier field of the MQMD structure is passed to IMS for transaction or command authority checking. The SecurityScope field in the MQIIH structure is used to determine whether to build an ACEE in the IMS dependent region as well as the control region.
Notes:
- If you change the authorities in the TIMS or CIMS class, or the associated group classes GIMS or DIMS, issue the following IMS commands to activate the changes:
  - /MODIFY PREPARE RACF
  - /MODIFY COMMIT
- If you do not use /SECURE OTMA PROFILE, any value specified in the SecurityScope field of the MQIIH structure is ignored.