Security for queues in use with the IBM MQ Bridge to blockchain

Considerations for setting up security for z/OS® queues that are defined for use with the IBM MQ Bridge to blockchain.

The following examples show RACF profiles that illustrate one way of securing the queues for the IBM MQ Bridge to blockchain.


RESLEVEL

The IBM MQ Bridge to blockchain connects through an SVRCONN channel to the channel initiator (CHINIT). We assume that specific security checking is required on the effective z/OS user ID used by the bridge user. This means we need to ensure that user IDs are checked for CHINIT tasks. The authority that CHINIT holds on the RESLEVEL profile determines whether just one user ID (the channel user ID) is checked, or two user IDs (both the channel user ID AND the CHINIT user ID) are checked. For example:

  • This code grants READ authority to CHINIT in the RESLEVEL profile. Therefore only the channel user IDs will be checked.
    PERMIT RESLEVEL CLASS(MQADMIN) ID(CHINIT) ACCESS(READ)
  • This code grants CHINIT no authority in the RESLEVEL profile. Therefore two user IDs are checked, and additional permissions must be granted to the CHINIT user ID.
    PERMIT RESLEVEL CLASS(MQADMIN) ID(CHINIT) ACCESS(NONE)
In the next section, the PERMIT commands with ID(CHINIT) are the lines that grant these additional permissions; they are needed only when CHINIT has no authority on the RESLEVEL profile and two user IDs are therefore checked.

For more information, see Client MQI requests.


Queue resource authorities

Lock down the identity queue and permit the bridge ID to use it for input and output
    RDEFINE MQQUEUE SYSTEM.BLOCKCHAIN.IDENTITY.QUEUE UACC(NONE)
    PERMIT SYSTEM.BLOCKCHAIN.IDENTITY.QUEUE CLASS(MQQUEUE) ID(MQBBCART) ACCESS(UPDATE)
    PERMIT SYSTEM.BLOCKCHAIN.IDENTITY.QUEUE CLASS(MQQUEUE) ID(CHINIT) ACCESS(UPDATE)

Bridge ID can open the input queue for input (the DEF QL line is the MQSC command that creates the queue; the RACF commands follow it)
    DEF QL(CARTAX.BLOCKCHAIN.INPUT.QUEUE) LIKE(SYSTEM.BLOCKCHAIN.INPUT.QUEUE)
    RDEFINE MQQUEUE CARTAX.BLOCKCHAIN.INPUT.QUEUE UACC(NONE)
    PERMIT CARTAX.BLOCKCHAIN.INPUT.QUEUE CLASS(MQQUEUE) ID(MQBBCART) ACCESS(UPDATE)
    PERMIT CARTAX.BLOCKCHAIN.INPUT.QUEUE CLASS(MQQUEUE) ID(CHINIT) ACCESS(UPDATE)

Application IDs in the APPCART group can open the request queue for output
    PERMIT CARTAX.BLOCKCHAIN.INPUT.QUEUE CLASS(MQQUEUE) ID(APPCART) ACCESS(UPDATE)

Profiles to cover the application reply queues and their context
    RDEFINE MQQUEUE CARTAX.APP.REPLY.** UACC(NONE)
    RDEFINE MQADMIN CONTEXT.CARTAX.APP.REPLY.** UACC(NONE)

Application IDs in the APPCART group can open the reply queues for input
    PERMIT CARTAX.APP.REPLY.** CLASS(MQQUEUE) ID(APPCART) ACCESS(UPDATE)

Bridge ID can open the reply queues for output and put with set identity context (MQPMO_SET_IDENTITY_CONTEXT), which requires access to the CONTEXT profile in the MQADMIN class
    PERMIT CARTAX.APP.REPLY.** CLASS(MQQUEUE) ID(MQBBCART) ACCESS(UPDATE)
    PERMIT CONTEXT.CARTAX.APP.REPLY.** CLASS(MQADMIN) ID(MQBBCART) ACCESS(UPDATE)
    PERMIT CARTAX.APP.REPLY.** CLASS(MQQUEUE) ID(CHINIT) ACCESS(UPDATE)
    PERMIT CONTEXT.CARTAX.APP.REPLY.** CLASS(MQADMIN) ID(CHINIT) ACCESS(UPDATE)