An example of defining switches
Different IBM MQ subsystems have different security requirements, which can be implemented using different switch profiles.
Four IBM MQ subsystems have been defined:- MQP1 (a production system)
- MQP2 (a production system)
- MQD1 (a development system)
- MQT1 (a test system)
All four queue managers are members of queue sharing group QS01. All IBM MQ RACF classes have been defined and activated. These subsystems have different security requirements:
- The production systems require full IBM MQ security
checking to be active at queue sharing group level on both systems. This is done by specifying
the following profile:
RDEFINE MQADMIN QS01.NO.QMGR.CHECKS
This sets queue sharing group level checking for all the queue managers in the queue sharing group. You do not need to define any other switch profiles for the production queue managers because we want to check everything for these systems.
- Test queue manager MQT1 also requires full security checking. However, because you might want to
change this later, security can be defined at queue manager level so that we can change the
security settings for this queue manager without affecting the other members of the queue sharing group. This is done by defining the NO.QSG.CHECKS profile for MQT1 as follows:
RDEFINE MQADMIN MQT1.NO.QSG.CHECKS
- Development queue manager MQD1 has different security requirements from the rest of the
queue sharing group. It requires only connection and queue security to be active. This is done by
defining a MQD1.YES.QMGR.CHECKS profile for this queue manager, and then defining
the following profiles to switch off security checking for the resources that do not need to be
checked:
RDEFINE MQADMIN MQD1.NO.CMD.CHECKS RDEFINE MQADMIN MQD1.NO.CMD.RESC.CHECKS RDEFINE MQADMIN MQD1.NO.PROCESS.CHECKS RDEFINE MQADMIN MQD1.NO.NLIST.CHECKS RDEFINE MQADMIN MQD1.NO.CONTEXT.CHECKS RDEFINE MQADMIN MQD1.NO.ALTERNATE.USER.CHECKS
When the queue manager is active, we can display the current security settings by issuing the DISPLAY SECURITY MQSC command.
We can also change the switch settings when the queue manager is running by defining or deleting the appropriate switch profile in the MQADMIN class. To make the changes to the switch settings active, we must issue the REFRESH SECURITY command for the MQADMIN class.
See Refreshing queue manager security on z/OS for more details about using the DISPLAY SECURITY and REFRESH SECURITY commands.
Parent topic: Switch profiles