Configure resource security on z/OS queue managers
For z/OSĀ® queue managers, we can activate or deactivate security for the whole queue manager (the subsystem). If security is active at the subsystem level, we can configure the security of the queue manager's resources, and, if the queue manager belongs to a queue sharing group, we can configure security for the whole of the queue sharing group.
About this task
If subsystem security is active, when a user accesses an IBM MQ resource, the queue manager signs the user on to the queue manager. If the user does not access any IBM MQ resources on the queue manager for a predetermined period of time, the user's user ID is "timed out" and is signed out.
In IBM MQ Explorer, we can perform the following tasks:
For more information, see Securing in the IBM MQ online product documentation.
Viewing the queue manager's security settings
There can be none, one, or more security switches present that determine the security of the queue manager. The switches can be set on or set off, and the setting of the switches is determined by the presence or absence of switch profiles. In IBM MQ Explorer, we can view but not configure the setting of the security switches.
Before you begin
Before we can perform this task, you must have already added the z/OS queue manager to IBM MQ Explorer and IBM MQ Explorer must be connected to the queue manager. For more information, see Showing a remote queue manager and Connecting or disconnecting a queue manager.About this task
To view the queue manager's current security settings:Procedure
In the Navigator view, right-click the queue manager, then click Configuration > Security.Results
The Security dialog opens. The Security Switches table displays all the security switches that are present, and are relevant to the queue manager. The table shows whether each security switch is set on or set off, and which profile determined this setting.
Configure the timeout period of user IDs
If a user is authenticated to access a resource on the queue manager but then doesn't access any of the queue manager's resources for a predetermined length of time, the user's user ID is timed out. IBM MQ can make regular checks to determine whether a user ID has timed out. In IBM MQ Explorer, we can configure the length of the timeout period, and the frequency of checks to determine whether the timeout period has expired.
Before you begin
Before we can perform this task, you must have already added the z/OS queue manager to IBM MQ Explorer and IBM MQ Explorer must be connected to the queue manager. For more information, see Showing a remote queue manager and Connecting or disconnecting a queue manager.About this task
To configure the timeout period and frequency of checks:Procedure
- In the Navigator view, right-click the queue manager, then click Configuration > Security. The Security dialog opens.
- In the Security dialog, click Properties.... The Properties dialog opens.
- In the Properties dialog, edit the parameters that you want to change.
For example, if the Security timeout value is 30 and the Security interval value is 10, every 10 minutes IBM MQ checks user IDs and their associated resources to determine whether any have not been used for 30 minutes. If a timed-out user ID is found, that user ID is signed off within the queue manager. If any timed-out resource information associated with non-timed out user IDs is found, that resource information is discarded. If we do not want to time-out user IDs, set the Security interval value to zero. However, if the Interval value is zero, storage occupied by user IDs and their associated resources is not freed until you issue a REFRESH SECURITY or RVERIFY SECURITY command from the command line.
- Click OK to close the Properties dialog.
Results
The changes are shown in the table in the Security dialog.