An example of defining switches

Different IBM MQ subsystems have different security requirements, which can be implemented using different switch profiles.

Four IBM MQ subsystems have been defined:

  • MQP1 (a production system)
  • MQP2 (a production system)
  • MQD1 (a development system)
  • MQT1 (a test system)

All four queue managers are members of queue sharing group QS01. All IBM MQ RACF classes have been defined and activated. These subsystems have different security requirements:

  • The production systems require full IBM MQ security checking to be active at queue sharing group level on both systems. This is done by specifying the following profile:
    RDEFINE MQADMIN QS01.NO.QMGR.CHECKS

    This sets queue sharing group level checking for all the queue managers in the queue sharing group. You do not need to define any other switch profiles for the production queue managers because everything is to be checked on these systems.

  • Test queue manager MQT1 also requires full security checking. However, because you might want to change this later, security can be defined at queue manager level so that you can change the security settings for this queue manager without affecting the other members of the queue sharing group. This is done by defining the NO.QSG.CHECKS profile for MQT1 as follows:
    RDEFINE MQADMIN MQT1.NO.QSG.CHECKS

  • Development queue manager MQD1 has different security requirements from the rest of the queue sharing group. It requires only connection and queue security to be active. This is done by defining an MQD1.YES.QMGR.CHECKS profile for this queue manager, and then defining the following profiles to switch off security checking for the resources that do not need to be checked:
    RDEFINE MQADMIN MQD1.NO.CMD.CHECKS
    RDEFINE MQADMIN MQD1.NO.CMD.RESC.CHECKS
    RDEFINE MQADMIN MQD1.NO.PROCESS.CHECKS
    RDEFINE MQADMIN MQD1.NO.NLIST.CHECKS
    RDEFINE MQADMIN MQD1.NO.CONTEXT.CHECKS
    RDEFINE MQADMIN MQD1.NO.ALTERNATE.USER.CHECKS
    

When the queue manager is active, you can display the current security settings by issuing the DISPLAY SECURITY MQSC command.

You can also change the switch settings while the queue manager is running by defining or deleting the appropriate switch profile in the MQADMIN class. To make the changes to the switch settings active, you must issue the REFRESH SECURITY command for the MQADMIN class.

See Refreshing queue manager security on z/OS for more details about using the DISPLAY SECURITY and REFRESH SECURITY commands.
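
Because a single added or deleted switch profile changes what is checked, it is worth comparing the profiles actually defined with the set described above. The following Python check is an added example, not part of the IBM documentation: it reads a list of MQADMIN profile names and reports switch profiles that were not intended and intended ones that are missing. The `audit` function, the one-name-per-entry input format and the sample listing are assumptions constructed for illustration.

```python
import re

# Baseline from this page: switch profiles each queue manager or the QSG should have.
BASELINE = {
    "QS01": {"NO.QMGR.CHECKS"},
    "MQP1": set(),  # production: no switch profiles of its own
    "MQP2": set(),
    "MQT1": {"NO.QSG.CHECKS"},
    "MQD1": {"YES.QMGR.CHECKS", "NO.CMD.CHECKS", "NO.CMD.RESC.CHECKS",
             "NO.PROCESS.CHECKS", "NO.NLIST.CHECKS", "NO.CONTEXT.CHECKS",
             "NO.ALTERNATE.USER.CHECKS"},
}

# A switch profile is <scope>.<YES|NO>.<switch>.CHECKS or <scope>.<YES|NO>.SUBSYS.SECURITY.
SWITCH_RE = re.compile(
    r"^(?P<scope>[^.\s]+)\.(?P<switch>(?:YES|NO)\.(?:[A-Z]+\.)+CHECKS"
    r"|(?:YES|NO)\.SUBSYS\.SECURITY)$")


def audit(profile_names):
    """Return (unexpected, missing) switch profiles as sorted lists of full names."""
    seen = {scope: set() for scope in BASELINE}
    unexpected = []
    for raw in profile_names:
        name = raw.strip().upper()
        m = SWITCH_RE.match(name)
        if not m:
            continue  # ordinary MQADMIN profile (for example RESLEVEL), not a switch
        scope, switch = m.group("scope"), m.group("switch")
        if switch in BASELINE.get(scope, set()):
            seen[scope].add(switch)
        else:
            unexpected.append(name)  # unknown scope, or a switch nobody intended
    missing = [f"{scope}.{sw}" for scope, want in BASELINE.items()
               for sw in want - seen[scope]]
    return sorted(unexpected), sorted(missing)


# Constructed sample listing: MQD1.NO.NLIST.CHECKS was deleted and a queue
# switch was added on production queue manager MQP1.
SAMPLE = """
QS01.NO.QMGR.CHECKS MQT1.NO.QSG.CHECKS MQD1.YES.QMGR.CHECKS MQD1.NO.CMD.CHECKS
MQD1.NO.CMD.RESC.CHECKS MQD1.NO.PROCESS.CHECKS MQD1.NO.CONTEXT.CHECKS
MQD1.NO.ALTERNATE.USER.CHECKS MQP1.NO.QUEUE.CHECKS MQP1.RESLEVEL
""".split()

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE)
    print("unexpected switch profiles:", unexpected)
    print("missing switch profiles:   ", missing)
```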
