Security considerations for the IBM MQ Console and REST API on z/OS

On z/OS®, there are additional options to configure security for the IBM MQ Console and REST API. We can configure an LDAP registry. We can configure TLS for the IBM MQ Console and REST API to enable a user to log in with a certificate. We can configure the System Authorization Facility interface so that a user can log in with a z/OS user ID and password.


Before you begin

The IBM MQ Console and REST API have security features that control whether a user can issue, display, or alter commands. The commands are then passed to the queue manager, and queue manager security determines whether the user is allowed to issue the command to that specific queue manager.

You must be aware of the following security considerations:

  • If your queue manager has been configured to require that all batch applications provide a valid user ID and password, by setting CHCKLOCL(REQUIRED), you must give the mqweb server address space user ID UPDATE access to the hlq.BATCH profile in the MQCONN class.

    This causes connection authentication to operate in CHCKLOCL(OPTIONAL) mode for the mqweb server address space user ID.

    If we have not configured the queue manager to require that all batch applications provide a valid user ID and password, it is sufficient to give the mqweb server address space user ID READ access to the hlq.BATCH profile in the MQCONN class.

    For more information about CHCKLOCL, see Use CHCKLOCL on locally bound applications.

  • The mqweb server address space user ID needs authorization to issue certain PCF commands, as well as access to certain queues.

    For further information see:

  • IBM MQ Console and REST API users that are assigned to the MQWebUser role operate under the security context of the principal.

    These user IDs can perform only the operations that they are authorized to perform on the queue manager, and they need to be granted access to the same system queues as the mqweb server address space user ID.

    The mqweb server address space user ID needs to be granted alternate user access for every user assigned to the MQWebUser role. For more information on alternate user security, see Profiles for alternate user security.
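The RACF definitions these points describe, as an added example that is not part of the IBM documentation: the MQCONN access level depends on the CHCKLOCL setting, and one alternate-user profile is needed per MQWebUser principal. The queue manager prefix MQ01, the address space user ID MQWEB1 and the role member ALICE are assumed names, and the hlq.ALTERNATE.USER.userid profile name follows the convention described in the alternate user security topic (verify it against your installation).

```tso
/* Constructed example: hlq = MQ01, mqweb address space user ID = MQWEB1, */
/* MQWebUser role member = ALICE (all assumed names).                     */

/* Connection security: the hlq.BATCH profile in the MQCONN class.        */
RDEFINE MQCONN MQ01.BATCH UACC(NONE)

/* Case 1: the queue manager runs CHCKLOCL(REQUIRED). UPDATE access makes */
/* connection authentication behave as CHCKLOCL(OPTIONAL) for MQWEB1.     */
PERMIT MQ01.BATCH CLASS(MQCONN) ID(MQWEB1) ACCESS(UPDATE)

/* Case 2: CHCKLOCL is not REQUIRED. READ is sufficient; grant no more     */
/* than the server needs (use this line instead of the one above).        */
/* PERMIT MQ01.BATCH CLASS(MQCONN) ID(MQWEB1) ACCESS(READ)                */

/* Alternate user security: MQWEB1 acts on behalf of each MQWebUser       */
/* principal, so it needs UPDATE on that user's alternate-user profile.   */
/* The profile does not widen what ALICE herself may do on the queue      */
/* manager; her own queue and command authorities still apply.            */
RDEFINE MQADMIN MQ01.ALTERNATE.USER.ALICE UACC(NONE)
PERMIT MQ01.ALTERNATE.USER.ALICE CLASS(MQADMIN) ID(MQWEB1) ACCESS(UPDATE)

/* Make the changes effective for the RACLISTed classes.                  */
SETROPTS RACLIST(MQCONN) REFRESH
SETROPTS RACLIST(MQADMIN) REFRESH
```

The comments use CLIST /* */ syntax; if you submit the commands through IKJEFT01 with an instream SYSTSIN DD *, remove them (or use a DLM), because a line starting with /* ends the instream data.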