Using CHCKLOCL on locally bound applications
CHCKLOCL only applies to connections that are made through BATCH connections and does not apply to connections made from CICS® or IMS. Connections made through the channel initiator are controlled by CHCKCLNT.
Overview
If you want to configure your z/OS® queue manager to mandate user ID and password checking for some, but not all, of your locally bound applications, you need to do some additional configuration.
The reason for this is that once CHCKLOCL (REQUIRED) is configured, legacy batch applications that use the MQCONN API call can no longer connect to the queue manager.
For z/OS only, a more granular mechanism based on the connection security of an address space can be used to downgrade the global CHCKLOCL(REQUIRED) configuration to CHCKLOCL(OPTIONAL) for specifically defined user IDs. The mechanism used, is described in the following text, together with an example.
In order to allow more granularity on CHCKLOCL ( REQUIRED) than just EVERYONE, you modify CHCKLOCL in the same manner as you modify the access level of the user ID associated with the connecting address space to the hlq.batch connection profiles in the MQCONN class.
If the address space user ID only has READ access, which is the minimum you require to be able to connect at all, the CHCKLOCL configuration applies as written.
If the address space user ID has UPDATE access (or above) then the CHCKLOCL configuration operates in OPTIONAL mode. That is, you do not have to provide a user ID and password, but if you do, the user ID and password must be a valid pair.
Connection security already configured for your z/OS queue manager
- Start with CHCKLOCL (OPTIONAL) as your configuration. This means that any user ID and passwords that are supplied are checked for validity, but not mandated.
- List all the users that have access to the connection security profiles by issuing the command:
RLIST MQCONN MQ23.BATCH AUTHUSER
This command displays, for example:CLASS NAME ----- ---- MQCONN MQ23.BATCH USER ACCESS ACCESS COUNT ---- ------ ------ ----- JOHNDOE READ 000009 JDOE1 READ 000003 WASUSER READ 000000
- For each user ID listed as having READ access, change the access to
UPDATE:- PERMIT MQ23.BATCH CLASS(MQCONN) ID(JOHNDOE) ACCESS(UPDATE)
- Update the IBM® MQ configuration to
CHCKLOCL (REQUIRED).
The combination of UPDATE access to MQ23.BATCH and the current setting means that you are using CHCKLOCL (OPTIONAL).
- Now, apply the CHCKLOCL (REQUIRED) behavior to one
specific user ID, for example
WASUSER
, so that all the connections coming from that region must provide a user ID and password.Do this by reversing the change you made previously, by issuing the command:PERMIT MQ23.BATCH CLASS(MQCONN) ID(WASUSER) ACCESS(READ)
Connection security is not configured for your z/OS queue manager
- Create connection profiles for hlq.BATCH in the MQCONN class, by issuing
the command:
RDEFINE MQCONN MQ23.BATCH UACC(NONE)
- Authorize all user IDs that create batch connections to the queue manager, so that they have
UPDATE access to this profile. Doing this bypasses the CHCKLOCL (
REQUIRED) requirement for the user ID and password at the time of connection.
Do this by issuing the command:
These include user IDs:PERMIT MQ23.BATCH CLASS(MQCONN)ID(JOHNDOE) ACCESS(UPDATE)
- Used for CSQUTIL, ISPF panels, and other locally bound tools.
- Associated with batch like connections to the queue manager. Consider for example, Advanced Message Security, IBM Integration Bus, Db2® stored procedures, USS and TSO users, and Java applications
- Delete the switch profile for the queue manager by issuing the command:
hlq.NO.CONNECT.CHECKS
- Now, apply the CHCKLOCL (REQUIRED) behavior to one
specific user ID, for example
WASUSER
, so that all the connections coming from that region must provide a user ID and password.Do this by reversing the change you made previously, by issuing the command:PERMIT MQ23.BATCH CLASS(MQCONN) ID(WASUSER) ACCESS(READ)