[z/OS]

Planning for Managed File Transfer - security considerations

Use this topic as guidance on the security considerations that apply to your system when you run Managed File Transfer (MFT) on z/OS®.

Security

You need to identify which user IDs are going to be used for MFT configuration and for MFT operation.

You need to identify the files or queues you transfer, and which user IDs are going to be submitting transfer requests to MFT.

When you customize the agents and logger, you specify the group of users that is allowed to run MFT services, or do MFT administration.

You should set up this group before you start customizing MFT. As MFT uses IBM® MQ queues, if you have security enabled in the queue manager, MFT requires access to the following resources:

Table 1. MQADMIN resource class

Name                                     Access required
QUEUE.SYSTEM.FTE.EVENT.agent_name        Update
QUEUE.SYSTEM.FTE.COMMAND.agent_name      Update
CONTEXT.SYSTEM.FTE.COMMAND.agent_name    Update
QUEUE.SYSTEM.FTE.STATE.agent_name        Update
QUEUE.SYSTEM.FTE.DATA.agent_name         Update
QUEUE.SYSTEM.FTE.REPLY.agent_name        Update
QUEUE.SYSTEM.FTE.AUTHAGT1.agent_name     Update
QUEUE.SYSTEM.FTE.AUTHTRN1.agent_name     Update
QUEUE.SYSTEM.FTE.AUTHOPS1.agent_name     Update
QUEUE.SYSTEM.FTE.AUTHSCH1.agent_name     Update
QUEUE.SYSTEM.FTE.AUTHMON1.agent_name     Update
QUEUE.SYSTEM.FTE.AUTHADM1.agent_name     Update

Table 2. MQQUEUE resource class

Name                               Access required
SYSTEM.FTE.AUTHAGT1.agent_name     Update
SYSTEM.FTE.AUTHTRN1.agent_name     Update
SYSTEM.FTE.AUTHOPS1.agent_name     Update
SYSTEM.FTE.AUTHSCH1.agent_name     Update
SYSTEM.FTE.AUTHMON1.agent_name     Update

You can use user sandboxing to determine which parts of the file system the user who requests the transfer can access.

To enable user sandboxing, add the userSandboxes=true statement to the agent.properties file for the agent that you want to restrict, and add appropriate values to the MQ_DATA_PATH/mqft/config/coordination_qmgr_name/agents/agent_name/UserSandboxes.xml file.

See Working with user sandboxes for further information.

The user ID of the user who requests the transfer is configured in UserSandboxes.xml files.

This XML file contains information such as a user ID, or user ID*, and a list of resources that can be used (included) or cannot be used (excluded). You need to define which user IDs can access which resources, for example:

Table 3. Example user ID together with access to specific resources

User ID    Access    Include or Exclude    Resource
Admin*     Read      Include               /home/user/**
Admin*     Read      Exclude               /home/user/private/**
Sysprog    Read      Include               /home/user/**
Admin*     Read      Include               Application.reply.queue

Notes:
  1. If type=queue is specified, the resource is either a queue name, or queue@qmgr.
  2. If the resource begins with //, the resource is a data set; otherwise the resource is a file in z/OS UNIX.
  3. The user ID is the user ID from the MQMD structure, so this might not reflect the user ID that actually puts the message.
  4. For requests on the local queue manager you can use MQADMIN CONTEXT.* to limit which users can set this value.
  5. For requests coming in over a remote queue manager, you have to assume that the distributed queue managers have security enabled to prevent unauthorized setting of the user ID in the MQMD structure.
  6. A user ID of SYSPROG1 on a Linux® machine is the same user ID SYSPROG1 for the security checking on z/OS.
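
To review a sandbox definition before deploying it, the following added example (not part of the original topic or of IBM's code) flattens a UserSandboxes.xml document into rows like those in Table 3 and classifies each resource as Notes 1 and 2 describe. The XML element names, attribute names and namespace are assumptions based on the format documented in Working with user sandboxes, and the sample document is constructed from Table 3.

```python
import xml.etree.ElementTree as ET

# Assumed namespace of the UserSandboxes schema (not stated on this page).
NS = {"tns": "http://wmqfte.ibm.com/UserSandboxes"}

# Constructed sample that encodes the rows of Table 3; not from a real system.
SAMPLE = """<tns:userSandboxes xmlns:tns="http://wmqfte.ibm.com/UserSandboxes">
  <tns:agent>
    <tns:sandbox user="Admin*">
      <tns:read>
        <tns:include name="/home/user/**"/>
        <tns:exclude name="/home/user/private/**"/>
        <tns:include name="Application.reply.queue" type="queue"/>
      </tns:read>
    </tns:sandbox>
    <tns:sandbox user="Sysprog">
      <tns:read>
        <tns:include name="/home/user/**"/>
      </tns:read>
    </tns:sandbox>
  </tns:agent>
</tns:userSandboxes>
"""

def resource_kind(name, rtype):
    """Classify a resource the way Notes 1 and 2 describe."""
    if rtype == "queue":
        return "queue"            # queue name, or queue@qmgr
    if name.startswith("//"):
        return "data set"
    return "z/OS UNIX file"

def sandbox_rows(xml_text):
    """Return (user, access, rule, resource, kind) tuples in document order."""
    rows = []
    root = ET.fromstring(xml_text)
    for sandbox in root.iterfind("tns:agent/tns:sandbox", NS):
        user = sandbox.get("user")
        for access in sandbox:        # <tns:read> or <tns:write>
            for rule in access:       # <tns:include> or <tns:exclude>
                name = rule.get("name")
                rows.append((user, access.tag.split("}")[1],
                             rule.tag.split("}")[1], name,
                             resource_kind(name, rule.get("type"))))
    return rows

if __name__ == "__main__":
    for row in sandbox_rows(SAMPLE):
        print("%-8s %-6s %-8s %-26s %s" % row)
```

Comparing this output with the intended access table shows at a glance which entries apply to a user ID pattern such as Admin* rather than to a single user ID.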