Plan for security
This collection of topics explains what you need to consider when planning security in an IBM MQ environment.
We can use IBM MQ for a wide variety of applications on a range of platforms. The security requirements are likely to be different for each application. For some, security will be a critical consideration.
IBM MQ provides a range of link-level security services, including support for Transport Layer Security (TLS).
You must consider certain aspects of security when planning to install IBM MQ:
- On Multiplatforms, if you ignore these aspects and do nothing, we cannot use IBM MQ.
- On z/OSĀ®, the effect of ignoring these aspects is that your IBM MQ resources are unprotected. That is, all users can access and change all IBM MQ resources.
Authority to administer IBM MQ
IBM MQ administrators need authority to:For more information, see:
- Issue commands to administer IBM MQ
- Use the IBM MQ Explorer
- Use IBM i administrative panels and commands.
- Use the operations and control panels on z/OS
- Use the IBM MQ utility program, CSQUTIL, on z/OS
- Access the queue manager data sets on z/OS
- Authority to administer IBM MQ on UNIX, Linux, and Windows
- Authority to administer IBM MQ on IBM i
- Authority to administer IBM MQ on z/OS
Authority to work with IBM MQ objects
Applications can access the following IBM MQ objects by issuing MQI calls:Applications can also use Programmable Command Format (PCF) commands to access these IBM MQ objects, and to access channels and authentication information objects as well. These objects can be protected by IBM MQ so that the user IDs associated with the applications need authority to access them.
- Queue managers
- Queues
- Processes
- Namelists
- Topics
For more information, see Authorization for applications to use IBM MQ.
Channel security
The user IDs associated with message channel agents (MCAs) need authority to access various IBM MQ resources. For example, an MCA must be able to connect to a queue manager. If it is a sending MCA, it must be able to open the transmission queue for the channel. If it is a receiving MCA, it must be able to open destination queues. The user IDs associated with applications which need to administer channels, channel initiators, and listeners need authority to use the relevant PCF commands. However, most applications do not need such access.
For more information, see Channel authorization.
Additional considerations
You need to consider the following aspects of security only if you are using certain IBM MQ function or base product extensions: