Security concepts in IBM MQ for z/OS
Use this topic to understand the importance of security for IBM MQ, and the implications of not having adequate security settings on the system.
Why we must protect IBM MQ resources
IBM MQ handles the transfer of information that is potentially valuable. Applying security ensures that the resources IBM MQ owns and manages are protected from unauthorized access. Such access might lead to the loss or disclosure of the information.
We should ensure that none of the following resources are accessed or changed by any unauthorized user or process:
- Connections to IBM MQ
- IBM MQ objects such as queues, processes, and namelists
- IBM MQ transmission links, that is, IBM MQ channels
- IBM MQ system control commands
- IBM MQ messages
- Context information associated with messages
To provide the necessary security, IBM MQ uses the z/OS system authorization facility (SAF) to route authorization requests to an External Security Manager (ESM), for example Security Server (previously known as RACF). IBM MQ does no security verification of its own. Where distributed queuing or clients are being used, you might require additional security measures, for which IBM MQ provides channel authentication records, channel exits, the MCAUSER channel attribute, and TLS.
The decision to allow access to an object is made by the ESM and IBM MQ follows that decision. If the ESM cannot make a decision, IBM MQ prevents access to the object.
What happens if we do not protect IBM MQ resources
If we do nothing about security, the most likely effect is that all users can access and change every resource. This includes not only local users, but also those on remote systems using distributed queuing or clients, where the logon security controls might be less strict than is normally the case for z/OS.
To enable security checking we must do the following:
- Install and activate an ESM (for example, Security Server).
- Define the MQADMIN class if we are using an ESM other than Security Server.
- Activate the MQADMIN class.
We must consider whether using mixed-case resource names would be beneficial to our enterprise. If we do use mixed-case resource names in our ESM profiles, we must define and activate the MXADMIN class.
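A quick way to audit the activation steps above is to check the ESM's list of active classes for MQADMIN (and MXADMIN when mixed-case profiles are used). The following is an added example, not IBM's code: the listing text is a constructed sample modelled on RACF `SETROPTS LIST` output, and its layout, the function names, and the rule that MQADMIN is always required are assumptions based on the wording of this page.

```python
import re

# Constructed sample modelled on the ACTIVE CLASSES part of RACF
# SETROPTS LIST output. The layout is an assumption; adapt the parser
# to the listing your ESM actually produces.
SAMPLE_LISTING = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM -- BASIC)
STATISTICS = NONE
ACTIVE CLASSES = DATASET USER GROUP FACILITY MQADMIN MQCONN MQQUEUE
                 MQCMDS STARTED
GENERIC PROFILE CLASSES = DATASET MQADMIN MQQUEUE
"""


def active_classes(listing):
    """Return the set of class names found under ACTIVE CLASSES."""
    classes = set()
    collecting = False
    for line in listing.splitlines():
        match = re.match(r"\s*ACTIVE CLASSES\s*=\s*(.*)", line)
        if match:
            collecting = True
            classes.update(match.group(1).split())
        elif collecting and line.strip() and "=" not in line:
            # Indented continuation line of the same list.
            classes.update(line.split())
        elif collecting:
            # Next "KEYWORD = value" line or a blank line ends the list.
            break
    classes.discard("NONE")  # "ACTIVE CLASSES = NONE" means nothing is active
    return classes


def missing_mq_classes(listing, mixed_case=False):
    """Return the classes named on this page that are not active.

    MQADMIN is always required here; MXADMIN is added when mixed-case
    resource names are in use (assumption taken from the text above).
    """
    required = {"MQADMIN"}
    if mixed_case:
        required.add("MXADMIN")
    return sorted(required - active_classes(listing))


if __name__ == "__main__":
    for mixed in (False, True):
        gaps = missing_mq_classes(SAMPLE_LISTING, mixed_case=mixed)
        print(f"mixed_case={mixed}: missing classes -> {gaps or 'none'}")
```

An empty result means the classes this page names are active; it says nothing about which profiles are defined in them.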
z/OS Data Set Encryption
Data Set Encryption (DSE) provides the capability to encrypt z/OS data sets, so that the data they contain can only be viewed or modified by user IDs granted the specific permission. This provides encryption of data at rest in the file system, and prevents inadvertent disclosure of sensitive information to users who have a legitimate business need and permissions to manage the data sets themselves.
Prior to Version 9.1.4, IBM MQ for z/OS does not support use of DSE with the active logs, page sets, and shared message data sets (SMDS) that provide the primary persistence mechanisms for IBM MQ messages.
Instead, Advanced Message Security provides an end-to-end encryption solution for IBM MQ messaging, which encompasses the entire IBM MQ network, encryption of data in flight, at rest, and even inside the runtime IBM MQ processes.
Other VSAM and sequential data sets used in an IBM MQ subsystem can be encrypted using DSE. For example:
- Bootstrap data set (BSDS)
- Sequential files holding system configuration (MQSC) commands read at startup using CSQINPx DDNAMEs
- IBM MQ archive logs, often used for long term archival of IBM MQ log data for audit purposes.
We can encrypt using DSE by allocating a dataclass that is defined with a data set key label. For more information, see Plan your log archive storage.
From Version 9.1.4, IBM MQ for z/OS supports use of DSE with the active logs and page sets in addition to the support provided in earlier releases.
IBM MQ for z/OS does not support use of DSE for shared message data sets (SMDS).
For more information, see the section Confidentiality for data at rest on IBM MQ for z/OS with data set encryption.
- Security controls and options in IBM MQ for z/OS
  We can specify whether security is turned on for the whole IBM MQ subsystem, and whether we want to perform security checks at queue manager or queue sharing group level. We can also control the number of user IDs checked for API-resource security.
- Resources we can protect in IBM MQ for z/OS
  When a queue manager starts, or when instructed by an operator command, IBM MQ for z/OS determines which resources we want to protect.