Profiles for context security
IBM MQ uses profiles for controlling access to the context information specific to a particular message. The context is contained within the message descriptor (MQMD).
Use profiles for context security
If context security is active, we must:
- Define a profile in the MQADMIN class if using uppercase profiles.
- Define a profile in the MXADMIN class if using mixed case profiles.
The profile is called hlq.CONTEXT.queuename, where:
- hlq: can be either qmgr-name (queue manager name) or qsg-name (queue sharing group name).
- queuename: can be either the full name of the queue we want to define the context profile for, or a generic profile.
A profile prefixed by the queue manager name, and with ** specified as the queue name, allows control for context security on all queues belonging to that queue manager. This can be overridden on an individual queue by defining a queue level profile for context on that queue.
A profile prefixed by the queue sharing group name, and with ** specified as the queue name, allows control for context on all queues belonging to the queue managers within the queue sharing group. This can be overridden on an individual queue manager by defining a queue manager level profile for context on that queue manager, by specifying a profile prefixed by the queue manager name. It can also be overridden on an individual queue by specifying a profile suffixed with the queue name.
If your queue manager is a member of a queue sharing group and we are using both queue manager and queue sharing group level security, IBM MQ checks for a profile prefixed by the queue manager name first. If it does not find one, it looks for a profile prefixed by the queue sharing group name.
We must give the necessary groups or user IDs access to this profile. The following table shows the access level required, depending on the specification of the context options when the queue is opened.
MQOPEN or MQPUT1 option | RACF access level required to hlq.CONTEXT.queuename |
---|---|
MQPMO_NO_CONTEXT | No context security check |
MQPMO_DEFAULT_CONTEXT | No context security check |
MQOO_SAVE_ALL_CONTEXT | No context security check |
MQOO_PASS_IDENTITY_CONTEXT, MQPMO_PASS_IDENTITY_CONTEXT | READ |
MQOO_PASS_ALL_CONTEXT, MQPMO_PASS_ALL_CONTEXT | READ |
MQOO_SET_IDENTITY_CONTEXT, MQPMO_SET_IDENTITY_CONTEXT | UPDATE |
MQOO_SET_ALL_CONTEXT, MQPMO_SET_ALL_CONTEXT | CONTROL |
MQOO_OUTPUT or MQPUT1 (USAGE(XMITQ)) | CONTROL |
MQSUB option | |
MQSO_SET_IDENTITY_CONTEXT (Note 2) | UPDATE |
- Note 1: The user IDs used for distributed queuing require CONTROL access to hlq.CONTEXT.queuename to put messages on the destination queue. See User IDs used by the channel initiator for information about the user IDs used.
- Note 2: If, on an MQSUB request with the MQSO_CREATE or MQSO_ALTER options specified, you want to set any of the identity context fields in the MQSD structure, you need to specify the MQSO_SET_IDENTITY_CONTEXT option. You also require the appropriate authority to the context profile for the destination queue.
If you put commands on the system-command input queue, use the default context put message option to associate the correct user ID with the command.
For example, the IBM MQ-supplied utility program CSQUTIL can be used to offload and reload messages in queues. When offloaded messages are restored to a queue, the CSQUTIL utility uses the MQOO_SET_ALL_CONTEXT option to return the messages to their original state. In addition to the queue security required by this open option, context authority is also required. For example, if this authority is required by the group BACKGRP on queue manager MQS1, this would be defined by:

```
RDEFINE MQADMIN MQS1.CONTEXT.** UACC(NONE)
PERMIT MQS1.CONTEXT.** CLASS(MQADMIN) ID(BACKGRP) ACCESS(CONTROL)
```

Depending on the options specified, and the types of security performed, other types of security checks might also occur when the queue is opened. These include queue security (see Profiles for queue security), and alternate user security (see Profiles for alternate user security). For a summary table showing the open options and the security checks required when queue, context and alternate user security are all active, see Table 1.
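The profile lookup order and the option-to-access-level table above, as a small Python model added here for illustration; it is not IBM's documentation or MQ code, the profile, group and queue names are constructed, and only the ** generic form named in the text is modelled (real RACF generic matching is richer).

```python
# RACF access levels in ascending order; a higher level satisfies a lower one.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Options mapped to the context access level the table above requires.
REQUIRED = {
    "MQPMO_NO_CONTEXT": "NONE", "MQPMO_DEFAULT_CONTEXT": "NONE",
    "MQOO_SAVE_ALL_CONTEXT": "NONE",
    "MQOO_PASS_IDENTITY_CONTEXT": "READ", "MQPMO_PASS_IDENTITY_CONTEXT": "READ",
    "MQOO_PASS_ALL_CONTEXT": "READ", "MQPMO_PASS_ALL_CONTEXT": "READ",
    "MQOO_SET_IDENTITY_CONTEXT": "UPDATE", "MQPMO_SET_IDENTITY_CONTEXT": "UPDATE",
    "MQSO_SET_IDENTITY_CONTEXT": "UPDATE",
    "MQOO_SET_ALL_CONTEXT": "CONTROL", "MQPMO_SET_ALL_CONTEXT": "CONTROL",
}

def required_level(options, xmitq=False):
    """Highest level implied by the options; MQOO_OUTPUT/MQPUT1 count only
    when the target queue has USAGE(XMITQ)."""
    needed = {REQUIRED.get(opt, "NONE") for opt in options}
    if xmitq and {"MQOO_OUTPUT", "MQPUT1"} & set(options):
        needed.add("CONTROL")
    return max(needed, key=LEVELS.index, default="NONE")

def find_profile(profiles, queue, qmgr, qsg=None):
    """Queue-manager-prefixed profiles are tried before queue-sharing-group
    ones; a queue-specific profile overrides ** at the same level."""
    for hlq in filter(None, (qmgr, qsg)):
        for suffix in (queue, "**"):
            name = f"{hlq}.CONTEXT.{suffix}"
            if name in profiles:
                return name
    return None

def context_check(profiles, group, queue, options, qmgr, qsg=None, xmitq=False):
    """True if `group` holds enough access on the governing profile."""
    need = required_level(options, xmitq)
    if need == "NONE":
        return True  # these options trigger no context security check
    profile = find_profile(profiles, queue, qmgr, qsg)
    if profile is None:
        return False  # no matching profile: fail closed
    have = profiles[profile].get(group, "NONE")
    return LEVELS.index(have) >= LEVELS.index(need)

# Constructed sample: the RDEFINE/PERMIT pair from the text, a QSG-level generic, and a queue-specific profile that overrides it.
PROFILES = {
    "MQS1.CONTEXT.**": {"BACKGRP": "CONTROL"},
    "QSG1.CONTEXT.**": {"APPGRP": "READ"},
    "QSG1.CONTEXT.APP.IN": {"APPGRP": "UPDATE"},
}
```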
System queue context security
Many of the system queues are accessed by the ancillary parts of IBM MQ, for example the channel initiator address space, and the mqweb server used by the IBM MQ Console and REST API.
The user IDs under which these run must be given RACF access to these queues, as shown in Table 2.
SYSTEM queue | Channel initiator for distributed queuing | mqweb server |
---|---|---|
SYSTEM.ADMIN.COMMAND.QUEUE | - | CONTROL |
SYSTEM.BROKER.CONTROL.QUEUE | CONTROL | - |
SYSTEM.BROKER.INTER.BROKER.COMMUNICATIONS | CONTROL | - |
SYSTEM.CHANNEL.SYNCQ | CONTROL | - |
SYSTEM.CLUSTER.COMMAND.QUEUE | CONTROL | - |
SYSTEM.CLUSTER.TRANSMIT.QUEUE | CONTROL | - |