Command security for MQCONN and MQMONITOR resources

Use CICS® command security to control users' ability to issue SPI commands against MQCONN and MQMONITOR resource definitions. For example, you can use it to control which users are allowed to issue CREATE and DISCARD commands against the MQCONN resource definition for the CICS region.

When command security is enabled for a transaction, the external security manager checks that the user ID associated with the transaction is authorized to use the command on the MQCONN or MQMONITOR resource as appropriate. Resource security is not available for MQCONN and MQMONITOR resources.

CICS command security covers the EXEC CICS CREATE MQCONN, DISCARD MQCONN, SET MQCONN, INQUIRE MQCONN, CREATE MQMONITOR, DISCARD MQMONITOR, SET MQMONITOR, and INQUIRE MQMONITOR commands. For an explanation of command security and instructions to set up command security for a CICS region, see Command security. For a listing of the level of authority required for each command, see CICS commands subject to command security checking.

When command security is active, the user ID for the running transaction that issues the EXEC CICS SET MQCONN command to start the connection to IBM® MQ must have the following authority:
  1. The authority to use the EXEC CICS SET MQCONN command; otherwise, the start of the connection will fail with a response of NOTAUTH and a RESP2 of 100.
  2. The authority to use the EXEC CICS EXTRACT EXIT command; otherwise, the start of the connection will fail with a response of INVREQ and a RESP2 of 9. In this case, CICS issues messages DFHXS1111 and DFHMQ0302.
In addition, if MQMONITORs are being used, the user ID under which the MQMONITOR is running (specified in the MONUSERID parameter on the MQMONITOR definition) requires authorization for command security. This applies to MQMONITORs that are used to control the CICS-MQ trigger monitor, the CICS-MQ bridge, or user-written MQMONITOR programs. The MONUSERID must have the following authority:
  1. The authority to use the EXEC CICS SET MQMONITOR command to set the status of the MQMONITOR to STARTED or STOPPED; otherwise, the MQMONITOR task will fail, and in the case of the CICS-MQ trigger monitor, CICS issues message DFHMQ0125.
  2. In the case of the CICS-MQ trigger monitor, the authority to use the EXEC CICS START command with the TRANSID option set to the transaction that is specified in the trigger message; otherwise, CICS issues message DFHMQ0102 and the trigger message will be sent to the dead-letter queue.