Authority required by the mqweb server started task user ID
On z/OS, the mqweb server started task user ID requires certain authorities to issue PCF commands and access system resources.
The mqweb server started task user ID needs:
- A z/OS UNIX user identifier (UID) to be able to use z/OS UNIX System Services.
- Access to the hlq.SCSQAUTH and hlq.SCSQANL* data sets in the IBM MQ installation.
- Read access to the IBM MQ installation files in z/OS UNIX System Services.
- Read and write access to the Liberty user directory created by the crtmqweb script.
- Authority to connect to the queue manager. Grant the mqweb server started task user ID READ access to the hlq.BATCH profile in the MQCONN class.
- Authority to issue IBM MQ commands and access certain queues. These details are described in IBM MQ Console - required command security profiles, System queue security, and Profiles for context security.
- Authority to subscribe to the SYSTEM.FTE topic, in order to use the REST API for MFT. Grant the mqweb server started task user ID ALTER access to the hlq.SUBSCRIBE.SYSTEM.FTE profile in the MXTOPIC class.
- If you are configuring a SAF registry, access to various security profiles. See Configure a SAF registry for the IBM MQ Console and REST API for more information.
Connection authentication
If your queue manager has been configured to require that all batch applications provide a valid user ID and password, by setting CHCKLOCL(REQUIRED), you must give the mqweb server started task user ID UPDATE access to the hlq.BATCH profile in the MQCONN class.
This authority causes connection authentication to operate in CHCKLOCL(OPTIONAL) mode for the mqweb server started task user ID.
If you have not configured the queue manager to require that all batch applications provide a valid user ID and password, it is sufficient to give the user ID that starts the mqweb server task READ access to the hlq.BATCH profile in the MQCONN class.
For more information about CHCKLOCL, see Use CHCKLOCL on locally bound applications.
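The MQCONN and MXTOPIC grants described above, written as RACF commands. This is an added example, not taken from the product documentation: MQWEBSTC is a constructed user ID standing in for the mqweb server started task user ID, hlq is this page's placeholder, and the profiles are assumed to be defined already.

```tso
/* Added example. MQWEBSTC is a constructed user ID; hlq is the    */
/* placeholder used on this page. Profiles are assumed to exist.   */

/* Issue ONE of the two hlq.BATCH permits, depending on CHCKLOCL.  */

/* Queue manager does not set CHCKLOCL(REQUIRED): READ suffices.   */
PERMIT hlq.BATCH CLASS(MQCONN) ID(MQWEBSTC) ACCESS(READ)

/* Queue manager sets CHCKLOCL(REQUIRED): UPDATE is needed, which  */
/* makes this one user ID operate in CHCKLOCL(OPTIONAL) mode.      */
PERMIT hlq.BATCH CLASS(MQCONN) ID(MQWEBSTC) ACCESS(UPDATE)

/* Only when the REST API for MFT is used.                         */
PERMIT hlq.SUBSCRIBE.SYSTEM.FTE CLASS(MXTOPIC) ID(MQWEBSTC) ACCESS(ALTER)

/* If the classes are RACLISTed, refresh the in-storage profiles.  */
SETROPTS RACLIST(MQCONN MXTOPIC) REFRESH

/* Check: list the access lists and confirm who holds what.        */
RLIST MQCONN hlq.BATCH AUTHUSER
RLIST MXTOPIC hlq.SUBSCRIBE.SYSTEM.FTE AUTHUSER
```

In the RLIST output for hlq.BATCH, confirm that UPDATE is held only by the user IDs meant to run in CHCKLOCL(OPTIONAL) mode, because that access level is what exempts a batch user from the CHCKLOCL(REQUIRED) credential check.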