IBM MQ for z/OS security management

IBM MQ uses an in-storage table to hold information relating to each user and the access requests made by each user. To manage this table efficiently and to reduce the number of requests made from IBM MQ to the external security manager (ESM), a number of controls are available.

These controls are available through both the operations and control panels and IBM MQ commands.

• User ID reverification
  If the RACF definition of a user who is using IBM MQ resources has been changed, for example by connecting the user to a new group, we can tell the queue manager to sign this user on again the next time it tries to access an IBM MQ resource. We can do this by using the IBM MQ command RVERIFY SECURITY.
• User ID timeouts
  We can make IBM MQ sign a user off a queue manager after a period of inactivity.
• Refreshing queue manager security on z/OS
  IBM MQ for z/OS caches RACF data to improve performance. When we change certain security classes, we must refresh this cached information. Refresh security infrequently, for performance reasons. We can also choose to refresh only TLS security information.
• Display security status
  To display the status of the security switches, and other security controls, issue the MQSC DISPLAY SECURITY command.

Parent topic: Set up security on z/OS