Switches and classes
When you start a queue manager or refresh security, IBM MQ sets switches according to the state of various RACF classes.
When a queue manager is started (or when the MQADMIN or MXADMIN class is refreshed by the IBM MQ REFRESH SECURITY command), IBM MQ first checks the status of RACF and the appropriate class:- The MQADMIN class if we are using uppercase profiles
- The MXADMIN class if we are using mixed case profile.
It sets the subsystem security switch off if any of these conditions is true:
- RACF is inactive or not installed.
- The MQADMIN or MXADMIN class is not defined (these classes are always defined for RACF because they are included in the class descriptor table (CDT)).
- The MQADMIN or MXADMIN class has not been activated.
If both RACF and the MQADMIN or MXADMIN class are active, IBM MQ checks the MQADMIN or MXADMIN class to see whether any of the switch profiles have been defined. It first checks the profiles described in Profiles to control subsystem security. If subsystem security is not required, IBM MQ sets the internal subsystem security switch off, and performs no further checks.
The profiles determine whether the corresponding IBM MQ switch is set on or off.- If the switch is off, that type of security is deactivated.
- If any IBM MQ switch is set on, IBM MQ checks the status of the RACF class associated with the type of security corresponding to the IBM MQ switch. If the class is not installed or not active, the IBM MQ switch is set off. For example, process security checks are not carried out if the MQPROC or MXPROC class has not been activated. The class not being active is equivalent to defining NO.PROCESS.CHECKS profile for every queue manager and queue sharing group that uses this RACF database.
Parent topic: Switch profiles