Set up WebSphere MQ data set security

The possible users of WebSphere MQ data sets include:

For all these potential users, protect the WebSphere MQ data sets with RACF.

You must also control access to all your 'CSQINP' data sets.


RACF authorization of started-task procedures

Some WebSphere MQ data sets should be for the exclusive use of the queue manager. If you protect your WebSphere MQ data sets using RACF, also authorize the queue manager started-task procedure xxxxMSTR, and the distributed queuing started-task procedure xxxxCHIN, using RACF. To do this, use the STARTED class. Alternatively, you can use the started procedures table (ICHRIN03), but then you need to IPL your z/OS system before the changes take effect.

For more information, see the z/OS Security Server RACF System Programmer's Guide.

The RACF user ID identified must have the required access to the data sets in the started-task procedure. For example, if you associate a queue manager started task procedure called CSQ1MSTR with the RACF user ID QMGRCSQ1, the user ID QMGRCSQ1 must have access to the z/OS resources accessed by the CSQ1 queue manager.

The RACF user IDs associated with the queue manager and channel initiator started task procedures should not have the TRUSTED attribute set.
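The following RACF commands, as an added example that is not part of the IBM documentation, show one way to associate the two started-task procedures with their own protected user IDs through the STARTED class, with the TRUSTED attribute explicitly off. CSQ1MSTR and QMGRCSQ1 are the names used above; the channel initiator procedure CSQ1CHIN, its user ID CHINCSQ1 and the group MQMGRP are assumed names. The commands are written as a TSO command list so that the comments are valid.

```tso
/* Added example, not from the IBM documentation. Names assumed:       */
/* CSQ1CHIN (channel initiator proc), CHINCSQ1 (its user ID), MQMGRP.  */

/* Protected user IDs: NOPASSWORD and NOOIDCARD mean nobody can log    */
/* on with them; they exist only to own the started tasks' work.       */
ADDGROUP MQMGRP
ADDUSER  QMGRCSQ1 DFLTGRP(MQMGRP) NOPASSWORD NOOIDCARD NAME('MQ CSQ1 QMGR')
ADDUSER  CHINCSQ1 DFLTGRP(MQMGRP) NOPASSWORD NOOIDCARD NAME('MQ CSQ1 CHINIT')

/* STARTED class profiles are procname.jobname; the trailing * covers  */
/* any job name the procedure is started under. TRUSTED(NO) and        */
/* PRIVILEGED(NO) are stated explicitly so the tasks are subject to    */
/* normal data set authorization checks.                               */
SETROPTS CLASSACT(STARTED) RACLIST(STARTED) GENERIC(STARTED)
RDEFINE  STARTED CSQ1MSTR.* STDATA(USER(QMGRCSQ1) GROUP(MQMGRP) TRUSTED(NO) PRIVILEGED(NO))
RDEFINE  STARTED CSQ1CHIN.* STDATA(USER(CHINCSQ1) GROUP(MQMGRP) TRUSTED(NO) PRIVILEGED(NO))

/* STARTED is RACLISTed, so changes take effect only after a refresh   */
/* (no IPL needed, unlike ICHRIN03).                                   */
SETROPTS RACLIST(STARTED) REFRESH

/* Verify: the STDATA segment of each profile should show TRUSTED= NO. */
RLIST STARTED CSQ1MSTR.* STDATA
RLIST STARTED CSQ1CHIN.* STDATA
```

The check at the end is the one to repeat after any later change to these profiles: a started task whose STDATA segment shows TRUSTED= YES bypasses the data set protection described in the next section, regardless of the profiles defined there.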


Authorizing access to data sets

The WebSphere MQ data sets should be protected so that no unauthorized user can run a queue manager instance, or gain access to any queue manager data. To do this, use normal z/OS RACF data set protection. For more information, see the z/OS Security Server RACF Security Administrator's Guide.

Table 63 summarizes the RACF access that the queue manager started task procedure must have to the different data sets.

Table 63. RACF access to data sets associated with a queue manager

READ access:

  • thlqual.SCSQAUTH and thlqual.SCSQANLx (where x is the language letter for your national language).

  • The data sets referred to by CSQINP1, CSQINP2 and CSQXLIB in the queue manager's started task procedure.

UPDATE access:

ALTER access:

  • All archive data sets.

Table 64 summarizes the RACF access that the started task procedure for distributed queuing must have to the different data sets.

Table 64. RACF access to data sets associated with distributed queuing

READ access:

  • thlqual.SCSQAUTH, thlqual.SCSQANLx (where x is the language letter for your national language), and thlqual.SCSQMVR1.

  • LE library data sets.

  • The data sets referred to by CSQXLIB and CSQINPX in the distributed queuing started task procedure.

UPDATE access:

  • Data sets CSQOUTX and CSQSNAP.

  • Dynamic queues SYSTEM.CSQXCMD.*
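The commands below, as an added example and not part of the IBM documentation, define DATASET profiles that grant the two started-task user IDs the access levels listed in Tables 63 and 64 and nothing more (UACC(NONE) everywhere). THLQUAL is the page's own placeholder for the high-level qualifier; the user IDs QMGRCSQ1 and CHINCSQ1, the English language library SCSQANLE, and the data set names CSQ1.CSQINP*, CSQ1.ARCHLOG.**, CSQ1.CSQOUTX and CSQ1.CSQSNAP are assumed, since the actual names come from your started-task procedures. The dynamic queues SYSTEM.CSQXCMD.* in Table 64 are queues, not data sets, and are not covered by these profiles.

```tso
/* Added example, not from the IBM documentation. Assumed names:       */
/* QMGRCSQ1, CHINCSQ1, SCSQANLE, CSQ1.CSQINP*, CSQ1.ARCHLOG.**,         */
/* CSQ1.CSQOUTX, CSQ1.CSQSNAP.                                         */

/* Generic profiles require generic profile checking for DATASET.      */
SETROPTS GENERIC(DATASET)

/* Product libraries: READ only. GENERIC on a name without wildcards   */
/* makes a generic profile, so the data set need not exist yet.        */
ADDSD  'THLQUAL.SCSQAUTH' GENERIC UACC(NONE)
ADDSD  'THLQUAL.SCSQANLE' GENERIC UACC(NONE)
ADDSD  'THLQUAL.SCSQMVR1' GENERIC UACC(NONE)
PERMIT 'THLQUAL.SCSQAUTH' GENERIC ID(QMGRCSQ1 CHINCSQ1) ACCESS(READ)
PERMIT 'THLQUAL.SCSQANLE' GENERIC ID(QMGRCSQ1 CHINCSQ1) ACCESS(READ)
PERMIT 'THLQUAL.SCSQMVR1' GENERIC ID(CHINCSQ1) ACCESS(READ)

/* Initialization input referenced by CSQINP1, CSQINP2 and CSQINPX:    */
/* READ for the started tasks, no access for anyone else, so ordinary  */
/* users cannot read or change the commands the queue manager runs.    */
ADDSD  'CSQ1.CSQINP*.**' UACC(NONE)
PERMIT 'CSQ1.CSQINP*.**' ID(QMGRCSQ1 CHINCSQ1) ACCESS(READ)

/* Archive data sets: ALTER lets the queue manager create and delete   */
/* data sets covered by the profile; the channel initiator gets none.  */
ADDSD  'CSQ1.ARCHLOG.**' UACC(NONE)
PERMIT 'CSQ1.ARCHLOG.**' ID(QMGRCSQ1) ACCESS(ALTER)

/* Channel initiator output data sets: UPDATE for CHINIT only.         */
ADDSD  'CSQ1.CSQOUTX' GENERIC UACC(NONE)
ADDSD  'CSQ1.CSQSNAP' GENERIC UACC(NONE)
PERMIT 'CSQ1.CSQOUTX' GENERIC ID(CHINCSQ1) ACCESS(UPDATE)
PERMIT 'CSQ1.CSQSNAP' GENERIC ID(CHINCSQ1) ACCESS(UPDATE)

/* Activate the new generic profiles in storage.                       */
SETROPTS GENERIC(DATASET) REFRESH

/* Verify: AUTHUSER lists the access list, which should contain only   */
/* the started-task user IDs at the levels above.                      */
LISTDSD DATASET('THLQUAL.SCSQAUTH') GENERIC AUTHUSER
LISTDSD DATASET('CSQ1.ARCHLOG.**')  GENERIC AUTHUSER
```

Keeping one profile per access level, rather than a single broad profile with the highest level, is what makes the tables enforceable: the channel initiator never receives ALTER on archive data sets, and the queue manager never receives UPDATE on the channel initiator's output, so a fault or compromise in one address space cannot reach the other's data.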