Set up WebSphere MQ data set security
The possible users of WebSphere MQ data sets include:
- The queue manager itself.
- The channel initiator.
- WebSphere MQ administrators who need to create WebSphere MQ data sets, run utility programs, and so on.
- Application programmers who need to use the WebSphere MQ-supplied copybooks, include data sets, macros, and so on.
- Applications involving one or more of the following:
  - Data sets CSQOUTX and CSQSNAP
  - Dynamic queues SYSTEM.CSQXCMD.*
For all these potential users, protect the WebSphere MQ data sets with RACF.
You must also control access to all your 'CSQINP' data sets (the CSQINP1, CSQINP2 and CSQINPX initialization input data sets). They hold the MQSC commands that the queue manager and the channel initiator execute at startup, so anyone who can update them can have commands run with the authority of the queue manager. Give UPDATE access only to WebSphere MQ administrators, and READ access to the started-task user IDs.
RACF authorization of started-task procedures
Some WebSphere MQ data sets should be for the exclusive use of the queue manager. If you protect your WebSphere MQ data sets using RACF, you must also authorize the queue manager started-task procedure xxxxMSTR and the distributed queuing started-task procedure xxxxCHIN to RACF, so that each runs under a known RACF user ID. To do this, use the STARTED class; profiles in the STARTED class take effect after a SETROPTS RACLIST(STARTED) REFRESH. Alternatively, you can use the started procedures table (ICHRIN03), but then you must IPL your z/OS system before the changes take effect.
For more information, see the z/OS Security Server RACF System Programmer's Guide.
The RACF user ID identified must have the required access to the data sets in the started-task procedure. For example, if you associate a queue manager started task procedure called CSQ1MSTR with the RACF user ID QMGRCSQ1, the user ID QMGRCSQ1 must have access to the z/OS resources accessed by the CSQ1 queue manager.
The RACF user IDs associated with the queue manager and channel initiator started task procedures should not have the TRUSTED attribute set. A TRUSTED started task is allowed access to resources without its access being checked against the RACF profiles, so the data set protection described here would no longer be enforced for it.
Authorizing access to data sets
The WebSphere MQ data sets should be protected so that no unauthorized user can run a queue manager instance, or gain access to any queue manager data. To do this, use normal z/OS RACF data set protection. For more information, see the z/OS Security Server RACF Security Administrator's Guide.
Table 63 summarizes the RACF access that the queue manager started task procedure must have to the different data sets.

Table 63. RACF access to data sets associated with a queue manager

READ access:
- thlqual.SCSQAUTH and thlqual.SCSQANLx (where x is the language letter for your national language).
- The data sets referred to by CSQINP1, CSQINP2 and CSQXLIB in the queue manager's started task procedure.

UPDATE access:
- All page sets and log and BSDS data sets.

ALTER access:
- All archive data sets.
Table 64 summarizes the RACF access that the started task procedure for distributed queuing must have to the different data sets.

Table 64. RACF access to data sets associated with distributed queuing

READ access:
- thlqual.SCSQAUTH, thlqual.SCSQANLx (where x is the language letter for your national language), and thlqual.SCSQMVR1.
- LE library data sets.
- The data sets referred to by CSQXLIB and CSQINPX in the distributed queuing started task procedure.

UPDATE access:
- Data sets CSQOUTX and CSQSNAP
- Dynamic queues SYSTEM.CSQXCMD.*
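The following batch job is an added example, not part of the WebSphere MQ documentation, that puts the preceding steps together: it associates the xxxxMSTR and xxxxCHIN procedures with RACF user IDs through the STARTED class (with TRUSTED explicitly off), and then defines DATASET profiles granting the READ, UPDATE and ALTER access levels listed in Table 63 and Table 64, plus UPDATE on the CSQINP data sets for administrators only. All names are assumptions for illustration: queue manager CSQ1 (procedures CSQ1MSTR and CSQ1CHIN), started-task user IDs QMGRCSQ1 and CHINCSQ1 in a group MQSTC, an existing administrator group MQADMIN, target library qualifier THLQUAL with English-language SCSQANLE, and installation data sets CSQ1.MQSCINP (CSQINP1/CSQINP2/CSQINPX members), CSQ1.CSQXLIB, CSQ1.CSQOUTX, CSQ1.CSQSNAP, CSQ1.PAGESET.**, CSQ1.LOGCOPY*.**, CSQ1.BSDS* and CSQ1.ARCHLOG.**. It also assumes the submitter has the RACF SPECIAL attribute, that CSQ1 and THLQUAL are RACF-defined groups, that the STARTED class is active and RACLISTed, and that generic profile checking with enhanced generic naming is active for the DATASET class. The SYSTEM.CSQXCMD.* entries in Table 64 are queues rather than data sets and are protected with WebSphere MQ's own queue-security profiles, so they are deliberately not covered by this job.

```jcl
//MQRACF   JOB (ACCT),'MQ DATASET RACF',CLASS=A,MSGCLASS=X
//*------------------------------------------------------------------
//* Added example; not part of the WebSphere MQ documentation.
//* Assumed (hypothetical) names, change to suit your installation:
//*   CSQ1               queue manager; procs CSQ1MSTR and CSQ1CHIN
//*   QMGRCSQ1, CHINCSQ1 user IDs for the MSTR and CHIN started tasks
//*   MQSTC              new group holding both started-task user IDs
//*   MQADMIN            existing group of MQ administrators
//*   THLQUAL            target library high-level qualifier
//*   CSQ1.MQSCINP       PDS with the CSQINP1/CSQINP2/CSQINPX members
//*   CSQ1.CSQXLIB       exit library named on CSQXLIB in both procs
//*   CSQ1.CSQOUTX, CSQ1.CSQSNAP  CHIN output and snap dump data sets
//*   CSQ1.PAGESET.** CSQ1.LOGCOPY*.** CSQ1.BSDS*  page sets/logs/BSDS
//*   CSQ1.ARCHLOG.**    archive log data sets
//* Also assumed: submitter has SPECIAL; CSQ1 and THLQUAL are RACF
//* groups; STARTED is active and RACLISTed; SETROPTS GENERIC(DATASET)
//* and EGN are active. LE runtime libraries (for example CEE.SCEERUN)
//* are usually UACC(READ); if not, PERMIT CHINCSQ1 READ on them too.
//* SYSTEM.CSQXCMD.* are queues, not data sets, and are not done here.
//*------------------------------------------------------------------
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP MQSTC SUPGROUP(SYS1) DATA('MQ STARTED TASK USER IDS')
  ADDUSER QMGRCSQ1 DFLTGRP(MQSTC) NAME('CSQ1 QMGR STC') NOPASSWORD
  ADDUSER CHINCSQ1 DFLTGRP(MQSTC) NAME('CSQ1 CHIN STC') NOPASSWORD
  RDEFINE STARTED CSQ1MSTR.* STDATA(USER(QMGRCSQ1) TRUSTED(NO))
  RDEFINE STARTED CSQ1CHIN.* STDATA(USER(CHINCSQ1) TRUSTED(NO))
  SETROPTS RACLIST(STARTED) REFRESH
  ADDSD 'THLQUAL.SCSQAUTH' UACC(NONE)
  ADDSD 'THLQUAL.SCSQANLE' UACC(NONE)
  ADDSD 'THLQUAL.SCSQMVR1' UACC(NONE)
  PERMIT 'THLQUAL.SCSQAUTH' CLASS(DATASET) -
         ID(MQSTC MQADMIN) ACCESS(READ)
  PERMIT 'THLQUAL.SCSQANLE' CLASS(DATASET) -
         ID(MQSTC MQADMIN) ACCESS(READ)
  PERMIT 'THLQUAL.SCSQMVR1' CLASS(DATASET) -
         ID(CHINCSQ1 MQADMIN) ACCESS(READ)
  ADDSD 'CSQ1.MQSCINP' UACC(NONE)
  ADDSD 'CSQ1.CSQXLIB' UACC(NONE)
  PERMIT 'CSQ1.MQSCINP' CLASS(DATASET) ID(MQSTC) ACCESS(READ)
  PERMIT 'CSQ1.MQSCINP' CLASS(DATASET) ID(MQADMIN) ACCESS(UPDATE)
  PERMIT 'CSQ1.CSQXLIB' CLASS(DATASET) ID(MQSTC) ACCESS(READ)
  PERMIT 'CSQ1.CSQXLIB' CLASS(DATASET) ID(MQADMIN) ACCESS(UPDATE)
  ADDSD 'CSQ1.PAGESET.**' UACC(NONE)
  ADDSD 'CSQ1.LOGCOPY*.**' UACC(NONE)
  ADDSD 'CSQ1.BSDS*' UACC(NONE)
  PERMIT 'CSQ1.PAGESET.**' CLASS(DATASET) ID(QMGRCSQ1) ACCESS(UPDATE)
  PERMIT 'CSQ1.PAGESET.**' CLASS(DATASET) ID(MQADMIN) ACCESS(ALTER)
  PERMIT 'CSQ1.LOGCOPY*.**' CLASS(DATASET) ID(QMGRCSQ1) ACCESS(UPDATE)
  PERMIT 'CSQ1.LOGCOPY*.**' CLASS(DATASET) ID(MQADMIN) ACCESS(ALTER)
  PERMIT 'CSQ1.BSDS*' CLASS(DATASET) ID(QMGRCSQ1) ACCESS(UPDATE)
  PERMIT 'CSQ1.BSDS*' CLASS(DATASET) ID(MQADMIN) ACCESS(ALTER)
  ADDSD 'CSQ1.ARCHLOG.**' UACC(NONE)
  PERMIT 'CSQ1.ARCHLOG.**' CLASS(DATASET) ID(QMGRCSQ1) ACCESS(ALTER)
  PERMIT 'CSQ1.ARCHLOG.**' CLASS(DATASET) ID(MQADMIN) ACCESS(ALTER)
  ADDSD 'CSQ1.CSQOUTX' UACC(NONE)
  ADDSD 'CSQ1.CSQSNAP' UACC(NONE)
  PERMIT 'CSQ1.CSQOUTX' CLASS(DATASET) ID(CHINCSQ1) ACCESS(UPDATE)
  PERMIT 'CSQ1.CSQSNAP' CLASS(DATASET) ID(CHINCSQ1) ACCESS(UPDATE)
  SETROPTS GENERIC(DATASET) REFRESH
  RLIST STARTED CSQ1MSTR.* STDATA
  RLIST STARTED CSQ1CHIN.* STDATA
  LISTDSD DATASET('CSQ1.ARCHLOG.**') AUTHUSER
/*
```

The order matters: the STARTED profiles are defined and RACLISTed before the started tasks are next started, and the generic DATASET profiles are refreshed in storage at the end so the new access lists apply immediately. The queue manager user ID gets only UPDATE on page sets, logs and BSDS and ALTER only on the archive log profile, where it has to create and delete data sets; the more specific generic profiles win over any broader CSQ1.** profile you may already have, so check with LISTDSD ... AUTHUSER that each profile's access list is what you intended. The RLIST output should show TRUSTED=NO for both procedures.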