Set up the Advanced Message Security started task user ID
The Advanced Message Security (AMS) task requires a user ID that allows it to be known as a UNIX System Services (USS) process.
In addition, the users that the task works on behalf of must also have an appropriate definition of a UNIX UID (user ID) and GID (group ID) so these users are known as UNIX System Services users. For more information on defining UNIX System Services UIDs and GIDs, see z/OS: Security Server RACF Security Administrator's Guide.
z/OS: UNIX System Services Planning compares traditional UNIX security to z/OS security. The primary difference between traditional UNIX security and z/OS security is that the Kernel services support two levels of appropriate privileges: UNIX level and z/OS UNIX level.
Depending on your installation's security policy, the Advanced Message Security task can either run with superuser authority (uid(0)), or with its RACF identity permitted to the RACF FACILITY class BPX.DAEMON and BPX.SERVER profiles, as this task must be able to assume the RACF identity of its users.
If the latter method is used, or you have already activated the BPX.DAEMON or BPX.SERVER profiles, the Advanced Message Security task program (thlqual.SCSQAUTH(CSQ0DSRV)) must be located in RACF program-controlled libraries.
Review z/OS: UNIX System Services Planning to ensure that you understand the security differences between traditional UNIX security and z/OS UNIX security. This allows you to administer the Advanced Message Security task according to your installation's security policy for deploying and running privileged UNIX System Services processes.
For reference, the publications useful to this review are:
- z/OS: UNIX System Services Planning
- z/OS: Security Server RACF Security Administrator's Guide
Note: Choose the user ID for this task carefully, because the Advanced Message Security recipient certificates are loaded into a key ring associated with this user ID. This consideration is discussed in Use certificates on z/OS.
The steps shown here describe how to set up the Advanced Message Security started task user. The steps use RACF commands as examples. If you use a different security manager, use the equivalent commands.
Note: The examples in this section assume that you have activated generic profile command processing for the RACF STARTED, FACILITY, and SURROGAT classes, and generic profile checking. For more information on how RACF handles generic profiles, see z/OS: Security Server RACF Command Language Reference.
Procedure
- Define the Advanced Message Security started task user to RACF. The examples in this section use the user ID WMQAMSM.
ADDUSER WMQAMSM NAME('AMS user') OMVS (UID(0)) DFLTGRP(group)
Select a default 'group' as appropriate to your installation standards.
Note: If you do not want to grant USS superuser authority (UID(0)), you must instead permit the Advanced Message Security user ID to the BPX.DAEMON and BPX.SERVER facility class profiles (BPX.SERVER is permitted in a later step of this procedure):
PERMIT BPX.DAEMON CLASS(FACILITY) ID(WMQAMSM) ACCESS(READ)
and the Advanced Message Security task program (thlqual.SCSQAUTH(CSQ0DSRV)) must be located in a RACF program-controlled library.
To make your SCSQAUTH library program controlled, you can use one of the following commands, then refresh program control:
RALTER PROGRAM * ADDMEM('thlqual.SCSQAUTH'//NOPADCHK)
-or-
RALTER PROGRAM ** ADDMEM('thlqual.SCSQAUTH'//NOPADCHK)
SETROPTS WHEN(PROGRAM) REFRESH
You must also enable program control for the national language library (thlqual.SCSQANLx) that is used by the Advanced Message Security task; otherwise the task loses its program-controlled environment when that library is loaded.
- Determine if the RACF STARTED class is active. If it is not, activate the RACF STARTED class:
SETROPTS CLASSACT(STARTED)
- Define a started class profile for the Advanced Message Security tasks, specifying the user ID you selected or created in step 1:
RDEFINE STARTED qmgrAMSM.* STDATA(USER(WMQAMSM))
where qmgr is the prefix of the started task name. For example, the started task may be named CSQ1AMSM. In this case, you would substitute qmgrAMSM.* with CSQ1AMSM.*.
The AMS started tasks must be named qmgrAMSM.
- Use the SETROPTS RACF command to refresh the in-storage RACLISTed STARTED class profiles:
SETROPTS RACLIST(STARTED) REFRESH
- The Advanced Message Security task temporarily assumes the identity of the host user ID of the requestor during protection processing of IBM MQ messages. Therefore, it is necessary to define profiles in the SURROGAT class for each user ID that can make requests.
If the RACF SURROGAT class is active, defining a single generic profile allows the Advanced Message Security task to assume the identity of any user. If the SURROGAT class is not active, the surrogate check is not performed at all, so activating the class and defining profiles is what actually limits which identities the task can assume. The SURROGAT profiles needed are described in z/OS: UNIX System Services Planning.
To define profiles in the SURROGAT class:
- Activate the RACF SURROGAT class using the RACF SETROPTS command:
SETROPTS CLASSACT(SURROGAT)
- Activate generic profile processing for the RACF SURROGAT class:
SETROPTS GENERIC(SURROGAT)
- Activate generic profile command processing for the RACF SURROGAT class:
SETROPTS GENCMD(SURROGAT)
- Define a generic profile in the SURROGAT class:
RDEFINE SURROGAT BPX.SRV.* UACC(NONE)
- Permit the Advanced Message Security user ID to the generic SURROGAT class profile:
PERMIT BPX.SRV.* CLASS(SURROGAT) ID(WMQAMSM) ACCESS(READ)
Note: You can define more specific profiles if you want to restrict which users may be processed by the Advanced Message Security task, as described in z/OS: UNIX System Services Planning. For example, a profile called BPX.SRV.MQUSER1 controls whether the AMS task can assume the identity of the user ID MQUSER1. RACF applies the most specific matching profile, so a discrete BPX.SRV.MQUSER1 profile takes precedence over the generic BPX.SRV.* profile for that user.
- Permit the Advanced Message Security user ID to the BPX.SERVER facility (if not already done in Create the certificates and key rings):
PERMIT BPX.SERVER CLASS(FACILITY) ID(WMQAMSM) ACCESS(READ)
- Use the SETROPTS RACF command to refresh the in-storage RACLISTed SURROGAT and FACILITY class profiles:
SETROPTS RACLIST(SURROGAT) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH
- The Advanced Message Security task uses the facilities provided by z/OS System SSL services to open SAF-managed key rings. The underlying System Authorization Facility (SAF) service that accesses the contents of the key rings is controlled by RACF, or an equivalent security manager.
This service is the IRRSDL00 (R_datalib) callable service. This callable service is protected with the same profiles used to protect the RACF RACDCERT commands that are defined to the RACF FACILITY class. Thus, the Advanced Message Security user ID must be permitted to the profiles using these commands:
- If you have not already done so, define a RACF generic profile in the RACF FACILITY class that protects the RACDCERT command and the IRRSDL00 callable service, and refresh the class:
RDEFINE FACILITY IRR.DIGTCERT.* UACC(NONE)
SETROPTS RACLIST(FACILITY) REFRESH
- Grant the started task user ID READ authority to the RACF generic profile:
PERMIT IRR.DIGTCERT.* CLASS(FACILITY) ID(WMQAMSM) ACC(READ)
Alternatively, you can grant READ access to the data service task user's key ring in the RDATALIB class, which scopes the permission to that one ring (RDATALIB profile names have the form ringowner.ringname.LST) rather than to certificate services generally:
PERMIT WMQASMD.DRQ.AMS.KEYRING.LST CLASS(RDATALIB) ID(WMQAMSM) ACC(READ)
- Configure resource security:
- The Advanced Message Security started task user requires authority to connect to the queue manager as a batch application. If your queue manager has connection security enabled, grant the AMS task authority to connect to the queue manager with this command:
PERMIT hlq.BATCH CLASS(MQCONN) ID(WMQAMSM) ACC(READ)
where hlq is either the queue manager name or the queue sharing group name. For further information, see Connection security profiles for batch connections.
- The Advanced Message Security started task user requires authority to browse the SYSTEM.PROTECTION.POLICY.QUEUE. If queue security is active on the queue manager, grant the AMS user authority to access the queue with these commands:
RDEFINE MQQUEUE hlq.SYSTEM.PROTECTION.POLICY.QUEUE UACC(NONE)
PERMIT hlq.SYSTEM.PROTECTION.POLICY.QUEUE CLASS(MQQUEUE) ID(WMQAMSM) ACCESS(READ)
where hlq is either the queue manager name or the queue sharing group name. If the queue manager is using mixed case profiles, define the profile in the MXQUEUE class instead.
To manage AMS security policies using the CSQ0UTIL utility, administrators need access to put messages to the SYSTEM.PROTECTION.POLICY.QUEUE. This is performed by granting UPDATE access to the profile protecting the queue.
For further information, see Profiles for queue security.
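The whole procedure above, collected into one batch job as an added worked example; this is not IBM's code and it is not from the original page. It drives the RACF commands under batch TSO (IKJEFT01) for the least-privilege route: a non-zero UID with BPX.DAEMON and BPX.SERVER instead of UID(0), program control for both AMS libraries, the STARTED profile, SURROGAT restricted to named application users rather than a permit on the catch-all BPX.SRV.*, key ring access scoped to one ring through RDATALIB, the queue manager resources, and a final verification step. The queue manager name CSQ1, user WMQAMSM, group WMQAMS, UID 800, thlqual MQM.V920, the English NLS library SCSQANLE, the application user IDs MQUSER1 and MQUSER2, the administrator ID MQADMIN, and a ring named DRQ.AMS.KEYRING owned by WMQAMSM are all assumptions made for this example.

```jcl
//AMSRACF  JOB (ACCT),'AMS STC',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*-----------------------------------------------------------------
//* Added worked example, not IBM's code. Batch TSO (IKJEFT01) runs
//* the RACF commands of the procedure for queue manager CSQ1.
//* Assumed: user WMQAMSM, group WMQAMS, UID 800, thlqual MQM.V920,
//* NLS library SCSQANLE, app users MQUSER1/MQUSER2, admin MQADMIN,
//* key ring DRQ.AMS.KEYRING owned by WMQAMSM.
//* Submit from an ID with RACF SPECIAL (needed for SETROPTS and for
//* the FACILITY/PROGRAM profiles). IKJEFT01 continues after a
//* failing command, so check SYSTSPRT of every step.
//*-----------------------------------------------------------------
//* 1. Protected (NOPASSWORD) started-task user with a non-zero UID,
//*    so it needs BPX.DAEMON and BPX.SERVER rather than UID(0)
//USER     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDUSER WMQAMSM NAME('AMS STC USER') DFLTGRP(WMQAMS) NOPASSWORD -
   OMVS(UID(800) HOME('/u/wmqamsm') PROGRAM('/bin/sh'))
 PERMIT BPX.DAEMON CLASS(FACILITY) ID(WMQAMSM) ACCESS(READ)
 PERMIT BPX.SERVER CLASS(FACILITY) ID(WMQAMSM) ACCESS(READ)
 SETROPTS RACLIST(FACILITY) REFRESH
/*
//* 2. Program control for the AMS load library AND the NLS library
//PGMCTL   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RALTER PROGRAM ** ADDMEM('MQM.V920.SCSQAUTH'//NOPADCHK)
 RALTER PROGRAM ** ADDMEM('MQM.V920.SCSQANLE'//NOPADCHK)
 SETROPTS WHEN(PROGRAM) REFRESH
/*
//* 3. STARTED profile: task CSQ1AMSM runs under WMQAMSM
//STARTED  EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 SETROPTS CLASSACT(STARTED)
 RDEFINE STARTED CSQ1AMSM.* STDATA(USER(WMQAMSM))
 SETROPTS RACLIST(STARTED) REFRESH
/*
//* 4. SURROGAT: BPX.SRV.* stays UACC(NONE) with no permit as the
//*    backstop; only the two named users may be impersonated
//SURROGAT EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 SETROPTS CLASSACT(SURROGAT) GENERIC(SURROGAT) GENCMD(SURROGAT)
 RDEFINE SURROGAT BPX.SRV.* UACC(NONE)
 RDEFINE SURROGAT BPX.SRV.MQUSER1 UACC(NONE)
 RDEFINE SURROGAT BPX.SRV.MQUSER2 UACC(NONE)
 PERMIT BPX.SRV.MQUSER1 CLASS(SURROGAT) ID(WMQAMSM) ACCESS(READ)
 PERMIT BPX.SRV.MQUSER2 CLASS(SURROGAT) ID(WMQAMSM) ACCESS(READ)
 SETROPTS RACLIST(SURROGAT) REFRESH
/*
//* 5. Key ring access scoped to one ring via RDATALIB
//*    (profile form: ringowner.ringname.LST) instead of
//*    IRR.DIGTCERT.* in FACILITY
//KEYRING  EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
 RDEFINE RDATALIB WMQAMSM.DRQ.AMS.KEYRING.LST UACC(NONE)
 PERMIT WMQAMSM.DRQ.AMS.KEYRING.LST CLASS(RDATALIB) -
   ID(WMQAMSM) ACCESS(READ)
 SETROPTS RACLIST(RDATALIB) REFRESH
/*
//* 6. Queue manager resources: batch connection and READ (browse)
//*    on the policy queue for the task, UPDATE for the CSQ0UTIL
//*    administrator. Issue REFRESH SECURITY on CSQ1 afterwards.
//MQRES    EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 PERMIT CSQ1.BATCH CLASS(MQCONN) ID(WMQAMSM) ACCESS(READ)
 RDEFINE MQQUEUE CSQ1.SYSTEM.PROTECTION.POLICY.QUEUE UACC(NONE)
 PERMIT CSQ1.SYSTEM.PROTECTION.POLICY.QUEUE CLASS(MQQUEUE) -
   ID(WMQAMSM) ACCESS(READ)
 PERMIT CSQ1.SYSTEM.PROTECTION.POLICY.QUEUE CLASS(MQQUEUE) -
   ID(MQADMIN) ACCESS(UPDATE)
/*
//* 7. Verify: each listing should show the access granted above
//VERIFY   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 LISTUSER WMQAMSM OMVS
 RLIST STARTED CSQ1AMSM.* STDATA
 RLIST FACILITY BPX.SERVER AUTHUSER
 RLIST SURROGAT BPX.SRV.MQUSER1 AUTHUSER
 RLIST RDATALIB WMQAMSM.DRQ.AMS.KEYRING.LST AUTHUSER
 RLIST MQQUEUE CSQ1.SYSTEM.PROTECTION.POLICY.QUEUE AUTHUSER
/*
```

The SURROGAT step is where this differs from the minimal procedure: because RACF resolves a request against the most specific matching profile, BPX.SRV.MQUSER1 governs impersonation of MQUSER1 while BPX.SRV.* (UACC(NONE), no permits) denies impersonation of every user that has no discrete profile. If the SURROGAT class were left inactive, no check would take place and the task could assume any identity, which is why step 4 activates it before defining anything. If the queue manager uses mixed case profiles, replace MQQUEUE with MXQUEUE in steps 6 and 7.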