+

Search Tips | Advanced Search

Configure resource security on z/OS queue managers

For z/OS queue managers, we can activate or deactivate security for the whole queue manager (the subsystem). If security is active at the subsystem level, we can configure the security of the queue manager's resources, and, if the queue manager belongs to a queue sharing group, we can configure security for the whole of the queue sharing group.


Before starting

Before we can perform this task, we must have already added the z/OS queue manager to IBM MQ Explorer and IBM MQ Explorer must be connected to the queue manager. For more information, see Showing a remote queue manager and Connect or disconnect a queue manager.


About this task

If subsystem security is active, when a user accesses an IBM MQ resource, the queue manager signs the user on to the queue manager. If the user does not access any IBM MQ resources on the queue manager for a predetermined period of time, the user's user ID is "timed out" and is signed out.

In IBM MQ Explorer, we can perform the following tasks:

  1. View the queue manager security settings
  2. Configure the timeout period for user IDs

For more information, see Securing.


Procedure

  • [OPTION 1] View the queue manager security settings

    There can be none, one, or more security switches present that determine the security of the queue manager. The switches can be set on or set off, and the setting of the switches is determined by the presence or absence of switch profiles. In IBM MQ Explorer, we can view but not configure the setting of the security switches.

    1. In the Navigator view, right-click the queue manager, then click Configuration > Security.

    The Security dialog opens. The Security Switches table displays all the security switches that are present, and are relevant to the queue manager. The table shows whether each security switch is set on or set off, and which profile determined this setting.

  • [OPTION 2] Configure the timeout period for user IDs

    If a user is authenticated to access a resource on the queue manager but then doesn't access any of the queue manager's resources for a predetermined length of time, the user's user ID is timed out. IBM MQ can make regular checks to determine whether a user ID has timed out. In IBM MQ Explorer, we can configure the length of the timeout period, and the frequency of checks to determine whether the timeout period has expired.

    1. In the Navigator view, right-click the queue manager, then click Configuration > Security. The Security dialog opens.
    2. In the Security dialog, click Properties.... The Properties dialog opens.
    3. In the Properties dialog, edit the parameters that we want to change.

      For example, if the Security timeout value is 30 and the Security interval value is 10, every 10 minutes IBM MQ checks user IDs and their associated resources to determine whether any have not been used for 30 minutes. If a timed-out user ID is found, that user ID is signed off within the queue manager. If any timed-out resource information associated with non-timed out user IDs is found, that resource information is discarded. If we do not want to time-out user IDs, set the Security interval value to zero. However, if the Interval value is zero, storage occupied by user IDs and their associated resources is not freed until we issue a REFRESH SECURITY or RVERIFY SECURITY command from the command line.

    4. Click OK to close the Properties dialog.

    The changes are shown in the table in the Security dialog.

Parent topic: Create and configure queue managers and objects


Related reference

Last updated: 2020-10-04