Considerations before using the WebSphere MQ agent for z/OS

Starting from 9.5.0, you can control which user ids are allowed to record messages for a queue manager.

Starting from 9.5.0, the WebSphere® MQ agent on z/OS does additional checking to verify the authority of the user to record the transport. When recording a WebSphere MQ transport or recording an operation with wildcard characters in queue names, the Integration Tester user must have access to the queue named COM.GREENHAT.ALLOW.GENERIC.QNAMES. If you are upgrading to the current version of the WebSphere MQ agent on z/OS from a version before 9.5.0, you must follow these steps.

  1. Create queue COM.GREENHAT.ALLOW.GENERIC.QNAMES. You can find an example of the command to create the queue in job RITDEFN.
  2. Give READ access to this queue only to users who are allowed to perform transport recording or recording of queues containing wild card characters in the queue names. You can find examples of the RACF commands to do this in the RITCFGS (single queue manager) and the RITCFGG (queue sharing group) jobs.
  3. Update IBM® DevOps Test Integrations and APIs (Test Integrations and APIs) for all users who perform mirror queue recording, dynamic mirror queue recording, stubbing with fixed queues, or stubbing with dynamic queues on queues residing on a WebSphere MQ queue manager on z/OS.
  4. Implement the 9.5.0 WebSphere MQ agent on z/OS.

If you want to implement the current version of the agent before you upgrade Test Integrations and APIs for all users, another option is to disable the new security features of the agent by specifying AUTHCHK(NO) on the EXEC statement PARM parameter within the JCL used to start the agent. This causes the agent to perform the same as in previous releases. Once all Integration Tester users are upgraded, you can then restart the agent without the AUTHCHK(NO) parameter.