Grant users resource permissions for Advanced Message Security

Advanced Message Security users require relevant resource permissions.

Advanced Message Security users, that is users that are putting or getting Advanced Message Security protected messages, require:

  • An OMVS segment associated with their user id
  • Permissions for IRR.DIGTCERT.LISTRING or RDATALIB
  • Permissions for ICSF class CSFSERV and CSFKEYS profiles
  • Permission to put to the SYSTEM.PROTECTION.ERROR.QUEUE

The Advanced Message Security task temporarily assumes the identity of its clients; that is, the task acts as a surrogate of the z/OS user ID of users of Advanced Message Security during the processing of IBM MQ messages to queues that are protected by Advanced Message Security.

In order for the task to assume the z/OS identity of a user, the client z/OS user ID must have a defined OMVS segment associated with its user profile.

As an administration aid, RACF provides the ability to define a default OMVS segment that may be associated with RACF user and group profiles. This default is used if the z/OS user ID or group profile does not have an OMVS segment explicitly defined. If you plan to have a large number of users using Advanced Message Security, you might choose to use this default rather than explicitly defining the OMVS segment for each user.

The z/OS: Security Server RACF Security Administrator's Guide contains the detailed procedure for defining default OMVS segments. Review the procedure as outlined in this publication to determine if the definition of default OMVS segments in RACF User and Group profiles is appropriate to your installation.


Procedure

  1. Grant READ permission to the IRR.DIGTCERT.LISTRING profile in the FACILITY class:

    • To grant READ permission to the IRR.DIGTCERT.LISTRING profile in the FACILITY class to all users, issue this command:
      RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(READ)
      
    • To grant READ permission to the IRR.DIGTCERT.LISTRING profile in the FACILITY class on a per user basis, issue this command:
      PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(userid) ACCESS(READ)
      

      where userid is the name of the Advanced Message Security user.

    • Alternatively, use the RDATALIB class to grant access to specific key rings. The RDATALIB permissions take precedence over IRR.DIGTCERT.LISTRING permissions. For example:
      PERMIT user.DRQ.AMS.KEYRING.LST CLASS(RDATALIB) ID(user) ACC(READ)
      

  2. If you are using ICSF-managed certificates and private keys, Advanced Message Security users require access to certain class CSFSERV and CSFKEYS profiles. This access is detailed in the following table:

    Class     Profile            Permission
    CSFSERV   CSFDSG             READ
    CSFSERV   CSFPKE             READ
    CSFSERV   CSFPKD             READ
    CSFSERV   CSFDSV             READ
    CSFKEYS   ICSF PKDS label    READ

  3. Applications that perform operations on queues with AMS policies defined need access to put messages to SYSTEM.PROTECTION.ERROR.QUEUE. Grant put access to the queue with these commands:
    RDEFINE MQQUEUE hlq.SYSTEM.PROTECTION.ERROR.QUEUE UACC(NONE)
    PERMIT hlq.SYSTEM.PROTECTION.ERROR.QUEUE CLASS(MQQUEUE) ID(userId) ACCESS(UPDATE)
    
    where hlq is either the queue manager name or the queue sharing group name, and userId is the application user ID.
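The four requirements above, pulled together as a single batch RACF job for one user. This is an added example, not from the IBM documentation: the user ID AMSUSR1, UID 12345, the home directory, the queue manager hlq MQ1A and the PKDS label AMS.PRIVATE.KEY.LABEL are placeholders, and the IRR.DIGTCERT.LISTRING, CSFSERV and CSFKEYS profiles are assumed to already exist (RDEFINE them first if they do not).

```jcl
//RACFAMS  JOB (ACCT),'AMS USER PERMS',CLASS=A,MSGCLASS=X
//*-----------------------------------------------------------------
//* Added example (not IBM documentation): grants hypothetical user
//* AMSUSR1 every resource an AMS user needs. Placeholders to change:
//* AMSUSR1, UID 12345, /u/amsusr1, hlq MQ1A, AMS.PRIVATE.KEY.LABEL.
//* TSO batch has no comment syntax, so the commands are explained here:
//*  ALTUSER  - OMVS segment so the AMS task can assume this user ID
//*  PERMIT   - READ on IRR.DIGTCERT.LISTRING (FACILITY) for key ring
//*             access; use an RDATALIB profile instead if preferred
//*  PERMIT   - READ on the CSFSERV profiles from the table (sign,
//*             verify, PKA encrypt, PKA decrypt) and the CSFKEYS label
//*  RDEFINE/PERMIT - UPDATE on hlq.SYSTEM.PROTECTION.ERROR.QUEUE
//*  SETROPTS - refresh in-storage profiles; assumes FACILITY, CSFSERV
//*             and CSFKEYS are RACLISTed at your installation
//* A trailing dash continues a TSO command on the next line.
//*-----------------------------------------------------------------
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTUSER AMSUSR1 OMVS(UID(12345) HOME('/u/amsusr1') -
          PROGRAM('/bin/sh'))
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(AMSUSR1) ACCESS(READ)
  PERMIT CSFDSG CLASS(CSFSERV) ID(AMSUSR1) ACCESS(READ)
  PERMIT CSFDSV CLASS(CSFSERV) ID(AMSUSR1) ACCESS(READ)
  PERMIT CSFPKE CLASS(CSFSERV) ID(AMSUSR1) ACCESS(READ)
  PERMIT CSFPKD CLASS(CSFSERV) ID(AMSUSR1) ACCESS(READ)
  PERMIT AMS.PRIVATE.KEY.LABEL CLASS(CSFKEYS) ID(AMSUSR1) ACCESS(READ)
  RDEFINE MQQUEUE MQ1A.SYSTEM.PROTECTION.ERROR.QUEUE UACC(NONE)
  PERMIT MQ1A.SYSTEM.PROTECTION.ERROR.QUEUE CLASS(MQQUEUE) -
         ID(AMSUSR1) ACCESS(UPDATE)
  SETROPTS RACLIST(FACILITY) REFRESH
  SETROPTS RACLIST(CSFSERV) REFRESH
  SETROPTS RACLIST(CSFKEYS) REFRESH
/*
```

Check SYSTSPRT for ICH messages after the job runs: a PERMIT against a profile that does not exist is rejected, and the remaining commands still execute, so an error in one line does not stop the rest of the job.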


What to do next

Create key rings for Advanced Message Security