Security profiles and accesses required

Table 67 through Table 72 show the security profiles that are required to enable the scenario to work:

Table 67. Security profiles for the example scenario
Class Profile User ID Access
MQCONN QM1.CHIN MOVER1 READ
MQADMIN QM1.RESLEVEL BATCHID CICSAD1 MOVER1 NONE
MQADMIN QM1.CONTEXT.** MOVER1 CONTROL
MQQUEUE QM1.SYSTEM.COMMAND.INPUT MOVER1 UPDATE
MQQUEUE QM1.SYSTEM.CHANNEL.SYNCQ MOVER1 UPDATE
MQQUEUE QM1.SYSTEM.CHANNEL.INITQ MOVER1 UPDATE
MQQUEUE QM1.SYSTEM.COMMAND.REPLY.MODEL MOVER1 UPDATE
MQQUEUE QM1.SYSTEM.ADMIN.CHANNEL.EVENT MOVER1 UPDATE
MQQUEUE QM1.QM1.TO.QM2.TCP MOVER1 ALTER
MQQUEUE QM1.QM1.TO.QM2.LU62 MOVER1 ALTER
MQQUEUE QM1.QM1.TO.QM2.SSL MOVER1 ALTER
MQCONN QM2.CHIN MOVER2 READ
MQADMIN QM2.RESLEVEL MOVER2 NONE
MQADMIN QM2.CONTEXT.** MOVER2 CONTROL
MQQUEUE QM2.SYSTEM.COMMAND.INPUT MOVER2 UPDATE
MQQUEUE QM2.SYSTEM.CHANNEL.SYNCQ MOVER2 UPDATE
MQQUEUE QM2.SYSTEM.CHANNEL.INITQ MOVER2 UPDATE
MQQUEUE QM2.SYSTEM.COMMAND.REPLY.MODEL MOVER2 UPDATE
MQQUEUE QM2.SYSTEM.ADMIN.CHANNEL.EVENT MOVER2 UPDATE
MQQUEUE QM2.DLQ MOVER2 UPDATE

 

Security profiles required for a batch application

The batch application runs under user ID BATCHID on QM1. It connects to queue manager QM1 and puts messages to the following queues:

It uses the MQPMO_SET_ALL_CONTEXT and MQPMO_ALTERNATE_USER_AUTHORITY options. The alternate user ID found in the UserIdentifier field of the message descriptor (MQMD) is MSGUSR.

The following profiles are required on queue manager QM1:

Table 68. Sample security profiles for the batch application on queue manager QM1
Class Profile User ID Access
MQCONN QM1.BATCH BATCHID READ
MQADMIN QM1.CONTEXT.** BATCHID CONTROL
MQQUEUE QM1.LQ1 BATCHID UPDATE
MQQUEUE QM1.RQA BATCHID UPDATE
MQQUEUE QM1.RQB BATCHID UPDATE
MQQUEUE QM1.RQC BATCHID UPDATE

The following profiles are required on queue manager QM2 for messages put to queue RQA on queue manager QM1 (for the TCP/IP channel not using SSL):

Table 69. Sample security profiles for queue manager QM2 using TCP/IP and not SSL
Class Profile User ID Access
MQADMIN QM2.ALTERNATE.USER.MSGUSR MCATCP MOVER2 UPDATE
MQADMIN QM2.CONTEXT.** MCATCP MOVER2 CONTROL
MQQUEUE QM2.LQA MOVER2 MSGUSR UPDATE
MQQUEUE QM2.DLQ MOVER2 MSGUSR UPDATE
Notes:

  1. The user ID passed in the MQMD of the message is used as the user ID for the MQPUT1 on queue manager QM2 because the receiver channel was defined with PUTAUT(CTX) and MCAUSER(MCATCP).

  2. The MCAUSER field of the receiver channel definition is set to MCATCP; this user ID is used in addition to the channel initiator address space user ID for the checks carried out against the alternate user ID and context profile.

  3. The MOVER2 user ID and the UserIdentifier in the message descriptor (MQMD) are used for the resource checks against the queue.

  4. The MOVER2 and MSGUSR user IDs both need access to the dead-letter queue so that messages that cannot be put to the destination queue can be sent there.

  5. Two user IDs are checked on all three checks performed because RESLEVEL is set to NONE.

The following profiles are required on queue manager QM2 for messages put to queue RQB on queue manager QM1 (for the LU 6.2 channel):

Table 70. Sample security profiles for queue manager QM2 using LU 6.2
Class Profile User ID Access
MQADMIN QM2.ALTERNATE.USER.MSGUSR MCALU62 MOVER1 UPDATE
MQADMIN QM2.CONTEXT.** MCALU62 MOVER1 CONTROL
MQQUEUE QM2.LQB MOVER1 MSGUSR UPDATE
MQQUEUE QM2.DLQ MOVER1 MSGUSR UPDATE
Notes:

  1. The user ID passed in the MQMD of the message is used as the user ID for the MQPUT1 on queue manager QM2 because the receiver channel was defined with PUTAUT(CTX) and MCAUSER(MCALU62).

  2. The MCA user ID is set to the value of the MCAUSER field of the receiver channel definition (MCALU62).

  3. Because LU 6.2 supports security on the communications system for the channel, the user ID received from the network is used as the channel user ID (MOVER1).

  4. Two user IDs are checked on all three checks performed because RESLEVEL is set to NONE.

  5. MCALU62 and MOVER1 are used for the checks performed against the alternate user ID and Context profiles, and MSGUSR and MOVER1 are used for the checks against the queue profile.

  6. The MOVER1 and MSGUSR user IDs both need access to the dead-letter queue so that messages that cannot be put to the destination queue can be sent there.

The following profiles are required on queue manager QM2 for messages put to queue RQC on queue manager QM1 (for the TCP/IP channel using SSL):

Table 71. Sample security profiles for queue manager QM2 using TCP/IP and SSL
Class Profile User ID Access
MQADMIN QM2.ALTERNATE.USER.MSGUSR MCASSL CERTID UPDATE
MQADMIN QM2.CONTEXT.** MCASSL CERTID CONTROL
MQQUEUE QM2.LQC CERTID MSGUSR UPDATE
MQQUEUE QM2.DLQ CERTID

MSGUSR
UPDATE
Notes:

  1. The user ID passed in the MQMD of the message is used as the user ID for the MQPUT1 on queue manager QM2 because the receiver channel was defined with PUTAUT(CTX) and MCAUSER(MCASSL).

  2. The MCA user ID is set to the value of the MCAUSER field of the receiver channel definition (MCASSL).

  3. Because the certificate flowed by the channel from QM1 as part of the SSL handshake might be installed on QM2's system, or might match a certificate name filter on QM2's system, the user ID found during that matching is used as the channel user ID (CERTID).

  4. Two user IDs are checked on all three checks performed because RESLEVEL is set to NONE.

  5. MCASSL and CERTID are used for the checks performed against the alternate user ID and Context profiles, and MSGUSR and MOVER1 are used for the checks against the queue profile.

  6. The CERTID and MSGUSR user IDs both need access to the dead-letter queue so that messages that cannot be put to the destination queue can be sent there.

 

Security profiles required for a CICS application

The CICS application uses a CICS address space user ID of CICSAD1 and a CICS task user ID of CICSTX1. The security profiles required on queue manager QM1 are different to those required for the batch application. The profiles required on queue manager QM2 are the same as for the batch application.

The following profiles are required on queue manager QM1:

Table 72. Sample security profiles for the CICS application on queue manager QM1
Class Profile User ID Access
MQCONN QM1.CICS CICSAD1 READ
MQADMIN QM1.CONTEXT.** CICSAD1 CICSTX1 CONTROL
MQQUEUE QM1.LQ1 CICSAD1 CICSTX1 UPDATE
MQQUEUE QM1.RQA CICSAD1 CICSTX1 UPDATE
MQQUEUE QM1.RQB CICSAD1 CICSTX1 UPDATE