Set up security on z/OS

Security considerations specific to z/OS .

Security in IBM MQ for z/OS is controlled using RACF or an equivalent external security manager (ESM).

The following instructions assume that we are using RACF.

• RACF security classes
  RACF classes are used to hold the profiles required for IBM MQ security checking. Many of the member classes have equivalent group classes. We must activate the classes and enable them to accept generic profiles
• RACF profiles
  All RACF profiles used by IBM MQ contain a prefix, which is either the queue manager name or the queue sharing group name. Be careful when we use the percent sign as a wildcard.
• Switch profiles
  To control the security checking performed by IBM MQ, we use switch profiles. A switch profile is a normal RACF profile that has a special meaning to IBM MQ. The access list in switch profiles is not used by IBM MQ.
• Profiles used to control access to IBM MQ resources
  We must define RACF profiles to control access to IBM MQ resources, in addition to the switch profiles that might have been defined. This collection of topics contains information about the RACF profiles for the different types of IBM MQ resource.
• The RESLEVEL security profile
  We can define a special profile in the MQADMIN or MXADMIN class to control the number of user IDs checked for API-resource security. This profile is called the RESLEVEL profile. How this profile affects API-resource security depends on how you access IBM MQ.
• User IDs for security checking on z/OS
  IBM MQ initiates security checks based on user IDs associated with users, terminals, applications, and other resources. This collection of topics lists which user IDs are used for each type of security check.
• z/OS user IDs and Multi-Factor Authentication (MFA)
  IBM Multi-Factor Authentication for z/OS allows z/OS security administrators to enhance SAF authentication, by requiring identified users to use multiple authentication factors (for example, both a password and a cryptographic token) to sign on to a z/OS system. IBM MFA also provides support for time-based one time password generation technologies such as RSA SecureId.
• IBM MQ for z/OS security management
  IBM MQ uses an in-storage table to hold information relating to each user and the access requests made by each user. To manage this table efficiently and to reduce the number of requests made from IBM MQ to the external security manager (ESM), a number of controls are available.
• Security installation tasks for z/OS
  After installing and customizing IBM MQ, authorize started task procedures to RACF, authorize access to various resources, and set up RACF definitions. Optionally, configure the system for TLS.
• Manage channel authentication records in a QSG
  Channel authentication records apply to the queue manager that they are created on, they are not shared throughout the queue sharing group (QSG). Therefore if all the queue managers in the queue sharing group are required to have the same rules, some management needs to be carried out to keep all the rules the consistent.
• Auditing considerations on z/OS
  The normal RACF auditing controls are available for conducting a security audit of a queue manager. IBM MQ does not gather any security statistics of its own. The only statistics are those that can be created by auditing.
• Customizing security
  To change the way IBM MQ security operates, we must do this through the SAF exit (ICHRFR00), or exits in your external security manager.
• Security violation messages on z/OS
  A security violation is indicated by the return code MQRC_NOT_AUTHORIZED in an application program or by a message in the job log.
• What to do if access is allowed or disallowed incorrectly
  In addition to the steps detailed in the z/OS Security Server RACF Security Administrator's Guide, use this checklist if access to a resource appears to be incorrectly controlled.
• Security considerations for the channel initiator on z/OS
  If we are using resource security in a distributed queuing environment, the Channel initiator address space needs appropriate access to various IBM MQ resources. We can use the Integrated Cryptographic Support Facility (ICSF) to seed the password protection algorithm.
• Security in queue manager clusters on z/OS
  Security considerations for clusters are the same for queue managers and channels that are not clustered. The channel initiator needs access to some additional system queues, and some additional commands need appropriate security set.
• Security considerations for using IBM MQ with CICS
  All the CICS versions supported by IBM MQ Version 9.0.0, and later, use the CICS supplied version of the adapter and bridge.
• Security considerations for using IBM MQ with IMS
  Use this topic to plan your security requirements when we use IBM MQ with IMS.
• z/OS Migrating a queue manager to mixed case security
  Follow these steps to migrate a queue manager to mixed case security. You review the level of security product we are using and activate the new IBM MQ external security monitor classes. Run the REFRESH SECURITY command to activate the mixed-case profiles.

Parent topic: Set up security

Related information

• Security scenario: two queue managers on z/OS
• Security scenario: queue sharing group on z/OS