Security profiles and accesses required
Table 67 through Table 72 show the security profiles that are required to enable the scenario to work:
Table 67. Security profiles for the example scenario

Class     Profile                           User ID                    Access
MQCONN    QM1.CHIN                          MOVER1                     READ
MQADMIN   QM1.RESLEVEL                      BATCHID, CICSAD1, MOVER1   NONE
MQADMIN   QM1.CONTEXT.**                    MOVER1                     CONTROL
MQQUEUE   QM1.SYSTEM.COMMAND.INPUT          MOVER1                     UPDATE
MQQUEUE   QM1.SYSTEM.CHANNEL.SYNCQ          MOVER1                     UPDATE
MQQUEUE   QM1.SYSTEM.CHANNEL.INITQ          MOVER1                     UPDATE
MQQUEUE   QM1.SYSTEM.COMMAND.REPLY.MODEL    MOVER1                     UPDATE
MQQUEUE   QM1.SYSTEM.ADMIN.CHANNEL.EVENT    MOVER1                     UPDATE
MQQUEUE   QM1.QM1.TO.QM2.TCP                MOVER1                     ALTER
MQQUEUE   QM1.QM1.TO.QM2.LU62               MOVER1                     ALTER
MQQUEUE   QM1.QM1.TO.QM2.SSL                MOVER1                     ALTER
MQCONN    QM2.CHIN                          MOVER2                     READ
MQADMIN   QM2.RESLEVEL                      MOVER2                     NONE
MQADMIN   QM2.CONTEXT.**                    MOVER2                     CONTROL
MQQUEUE   QM2.SYSTEM.COMMAND.INPUT          MOVER2                     UPDATE
MQQUEUE   QM2.SYSTEM.CHANNEL.SYNCQ          MOVER2                     UPDATE
MQQUEUE   QM2.SYSTEM.CHANNEL.INITQ          MOVER2                     UPDATE
MQQUEUE   QM2.SYSTEM.COMMAND.REPLY.MODEL    MOVER2                     UPDATE
MQQUEUE   QM2.SYSTEM.ADMIN.CHANNEL.EVENT    MOVER2                     UPDATE
MQQUEUE   QM2.DLQ                           MOVER2                     UPDATE
Security profiles required for a batch application
The batch application runs under user ID BATCHID on QM1. It connects to queue manager QM1 and puts messages to the following queues:
- LQ1
- RQA
- RQB
- RQC
It uses the MQPMO_SET_ALL_CONTEXT and MQPMO_ALTERNATE_USER_AUTHORITY options. The alternate user ID found in the UserIdentifier field of the message descriptor (MQMD) is MSGUSR.
The following profiles are required on queue manager QM1:
Table 68. Sample security profiles for the batch application on queue manager QM1

Class     Profile           User ID    Access
MQCONN    QM1.BATCH         BATCHID    READ
MQADMIN   QM1.CONTEXT.**    BATCHID    CONTROL
MQQUEUE   QM1.LQ1           BATCHID    UPDATE
MQQUEUE   QM1.RQA           BATCHID    UPDATE
MQQUEUE   QM1.RQB           BATCHID    UPDATE
MQQUEUE   QM1.RQC           BATCHID    UPDATE

The following profiles are required on queue manager QM2 for messages put to queue RQA on queue manager QM1 (for the TCP/IP channel not using SSL):
Table 69. Sample security profiles for queue manager QM2 using TCP/IP and not SSL

Class     Profile                       User ID           Access
MQADMIN   QM2.ALTERNATE.USER.MSGUSR     MCATCP, MOVER2    UPDATE
MQADMIN   QM2.CONTEXT.**                MCATCP, MOVER2    CONTROL
MQQUEUE   QM2.LQA                       MOVER2, MSGUSR    UPDATE
MQQUEUE   QM2.DLQ                       MOVER2, MSGUSR    UPDATE

Notes:
- The user ID passed in the MQMD of the message is used as the user ID for the MQPUT1 on queue manager QM2 because the receiver channel was defined with PUTAUT(CTX) and MCAUSER(MCATCP).
- The MCAUSER field of the receiver channel definition is set to MCATCP; this user ID is used in addition to the channel initiator address space user ID for the checks carried out against the alternate user ID and context profile.
- The MOVER2 user ID and the UserIdentifier in the message descriptor (MQMD) are used for the resource checks against the queue.
- The MOVER2 and MSGUSR user IDs both need access to the dead-letter queue so that messages that cannot be put to the destination queue can be sent there.
- Two user IDs are checked on all three checks performed because RESLEVEL is set to NONE.
The following profiles are required on queue manager QM2 for messages put to queue RQB on queue manager QM1 (for the LU 6.2 channel):
Table 70. Sample security profiles for queue manager QM2 using LU 6.2

Class     Profile                       User ID            Access
MQADMIN   QM2.ALTERNATE.USER.MSGUSR     MCALU62, MOVER1    UPDATE
MQADMIN   QM2.CONTEXT.**                MCALU62, MOVER1    CONTROL
MQQUEUE   QM2.LQB                       MOVER1, MSGUSR     UPDATE
MQQUEUE   QM2.DLQ                       MOVER1, MSGUSR     UPDATE

Notes:
- The user ID passed in the MQMD of the message is used as the user ID for the MQPUT1 on queue manager QM2 because the receiver channel was defined with PUTAUT(CTX) and MCAUSER(MCALU62).
- The MCA user ID is set to the value of the MCAUSER field of the receiver channel definition (MCALU62).
- Because LU 6.2 supports security on the communications system for the channel, the user ID received from the network is used as the channel user ID (MOVER1).
- Two user IDs are checked on all three checks performed because RESLEVEL is set to NONE.
- MCALU62 and MOVER1 are used for the checks performed against the alternate user ID and Context profiles, and MSGUSR and MOVER1 are used for the checks against the queue profile.
- The MOVER1 and MSGUSR user IDs both need access to the dead-letter queue so that messages that cannot be put to the destination queue can be sent there.
The following profiles are required on queue manager QM2 for messages put to queue RQC on queue manager QM1 (for the TCP/IP channel using SSL):
Table 71. Sample security profiles for queue manager QM2 using TCP/IP and SSL

Class     Profile                       User ID           Access
MQADMIN   QM2.ALTERNATE.USER.MSGUSR     MCASSL, CERTID    UPDATE
MQADMIN   QM2.CONTEXT.**                MCASSL, CERTID    CONTROL
MQQUEUE   QM2.LQC                       CERTID, MSGUSR    UPDATE
MQQUEUE   QM2.DLQ                       CERTID, MSGUSR    UPDATE

Notes:
- The user ID passed in the MQMD of the message is used as the user ID for the MQPUT1 on queue manager QM2 because the receiver channel was defined with PUTAUT(CTX) and MCAUSER(MCASSL).
- The MCA user ID is set to the value of the MCAUSER field of the receiver channel definition (MCASSL).
- Because the certificate flowed by the channel from QM1 as part of the SSL handshake might be installed on QM2's system, or might match a certificate name filter on QM2's system, the user ID found during that matching is used as the channel user ID (CERTID).
- Two user IDs are checked on all three checks performed because RESLEVEL is set to NONE.
- MCASSL and CERTID are used for the checks performed against the alternate user ID and Context profiles, and MSGUSR and MOVER1 are used for the checks against the queue profile.
- The CERTID and MSGUSR user IDs both need access to the dead-letter queue so that messages that cannot be put to the destination queue can be sent there.
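The notes to Tables 69, 70 and 71 describe the same three checks with different pairs of user IDs. The following model, added here as an example and not code from the IBM documentation, encodes those rules for a message arriving on a PUTAUT(CTX) receiver channel on QM2 with RESLEVEL set to NONE, and evaluates them against the profiles in the three tables. The channel table, the access-level ordering, the prefix handling of the QM2.CONTEXT.** generic profile and the helper names are simplifications and assumptions, not MQ or RACF APIs.

```python
# RACF access levels in ascending order, so "at least UPDATE" is an index compare.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed profile store from Tables 69 to 71: (class, profile) -> {user ID: access}.
CHANNEL_IDS = ["MCATCP", "MOVER2", "MCALU62", "MOVER1", "MCASSL", "CERTID"]
PROFILES = {
    ("MQADMIN", "QM2.ALTERNATE.USER.MSGUSR"): dict.fromkeys(CHANNEL_IDS, "UPDATE"),
    ("MQADMIN", "QM2.CONTEXT.**"): dict.fromkeys(CHANNEL_IDS, "CONTROL"),
    ("MQQUEUE", "QM2.LQA"): {"MOVER2": "UPDATE", "MSGUSR": "UPDATE"},
    ("MQQUEUE", "QM2.LQB"): {"MOVER1": "UPDATE", "MSGUSR": "UPDATE"},
    ("MQQUEUE", "QM2.LQC"): {"CERTID": "UPDATE", "MSGUSR": "UPDATE"},
    ("MQQUEUE", "QM2.DLQ"): dict.fromkeys(["MOVER2", "MOVER1", "CERTID", "MSGUSR"], "UPDATE"),
}

# Receiver channels on QM2, all PUTAUT(CTX): (MCAUSER, channel user ID). The
# channel user ID depends on the transport, as the notes above describe.
CHANNELS = {
    "QM1.TO.QM2.TCP": ("MCATCP", "MOVER2"),    # channel initiator address space
    "QM1.TO.QM2.LU62": ("MCALU62", "MOVER1"),  # user ID received from the network
    "QM1.TO.QM2.SSL": ("MCASSL", "CERTID"),    # user ID matched from the certificate
}


def access(cls, resource, user):
    """Highest access the user holds on a profile covering the resource; a
    profile ending in '.**' is treated as a prefix match (simplified generics)."""
    best = "NONE"
    for (pcls, prof), acl in PROFILES.items():
        if pcls == cls and (prof == resource or
                            (prof.endswith(".**") and resource.startswith(prof[:-2]))):
            level = acl.get(user, "NONE")
            if LEVELS.index(level) > LEVELS.index(best):
                best = level
    return best


def put_failures(channel, mqmd_user, queue):
    """Failed (class, resource, user ID) triples for an MQPUT1 on QM2.
    RESLEVEL is NONE, so both user IDs must pass all three checks; an empty
    list means the put is authorized."""
    mcauser, chl_user = CHANNELS[channel]
    checks = [  # (class, resource, minimum access, user IDs checked)
        ("MQADMIN", f"QM2.ALTERNATE.USER.{mqmd_user}", "UPDATE", (mcauser, chl_user)),
        ("MQADMIN", f"QM2.CONTEXT.{queue}", "CONTROL", (mcauser, chl_user)),
        ("MQQUEUE", f"QM2.{queue}", "UPDATE", (chl_user, mqmd_user)),
    ]
    return [(cls, res, u) for cls, res, need, users in checks for u in users
            if LEVELS.index(access(cls, res, u)) < LEVELS.index(need)]
```

Running `put_failures("QM1.TO.QM2.TCP", "MSGUSR", "LQB")` shows why each table grants the queue to its own channel user ID: MOVER2 has no profile access to QM2.LQB, so that single failing triple is returned even though MSGUSR is authorized.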
Security profiles required for a CICS application
The CICS application uses a CICS address space user ID of CICSAD1 and a CICS task user ID of CICSTX1. The security profiles required on queue manager QM1 are different to those required for the batch application. The profiles required on queue manager QM2 are the same as for the batch application.
The following profiles are required on queue manager QM1:
Table 72. Sample security profiles for the CICS application on queue manager QM1

Class     Profile           User ID             Access
MQCONN    QM1.CICS          CICSAD1             READ
MQADMIN   QM1.CONTEXT.**    CICSAD1, CICSTX1    CONTROL
MQQUEUE   QM1.LQ1           CICSAD1, CICSTX1    UPDATE
MQQUEUE   QM1.RQA           CICSAD1, CICSTX1    UPDATE
MQQUEUE   QM1.RQB           CICSAD1, CICSTX1    UPDATE