Planning for Managed File Transfer - security considerations
Use this topic as guidance on what security considerations you need on your system to run Managed File Transfer (MFT) on z/OS®.
Security
You need to identify which user IDs are going to be used for MFT configuration and for MFT operation.
You need to identify the files or queues you transfer, and which user IDs are going to be submitting transfer requests to MFT.
When you customize the agents and logger, you specify the group of users that is allowed to run MFT services, or do MFT administration.
Name | Access required |
---|---|
QUEUE.SYSTEM.FTE.EVENT.agent_name | Update |
QUEUE.SYSTEM.FTE.COMMAND.agent_name | Update |
CONTEXT.SYSTEM.FTE.COMMAND.agent_name | Update |
QUEUE.SYSTEM.FTE.STATE.agent_name | Update |
QUEUE.SYSTEM.FTE.DATA.agent_name | Update |
QUEUE.SYSTEM.FTE.REPLY.agent_name | Update |
QUEUE.SYSTEM.FTE.AUTHAGT1.agent_name | Update |
QUEUE.SYSTEM.FTE.AUTHTRN1.agent_name | Update |
QUEUE.SYSTEM.FTE.AUTHOPS1.agent_name | Update |
QUEUE.SYSTEM.FTE.AUTHSCH1.agent_name | Update |
QUEUE.SYSTEM.FTE.AUTHMON1.agent_name | Update |
QUEUE.SYSTEM.FTE.AUTHADM1.agent_name | Update |
Name | Access required |
---|---|
SYSTEM.FTE.AUTHAGT1.agent_name | Update |
SYSTEM.FTE.AUTHTRN1.agent_name | Update |
SYSTEM.FTE.AUTHOPS1.agent_name | Update |
SYSTEM.FTE.AUTHSCH1.agent_name | Update |
SYSTEM.FTE.AUTHMON1.agent_name | Update |
You can use user sandboxing to determine which parts of the file system the user who requests the transfer can access.
To enable user sandboxing, add the userSandboxes=true
statement to the
agent.properties file for the agent that you want to restrict, and add
appropriate values to the
MQ_DATA_PATH/mqft/config/coordination_qmgr_name/agents/agent_name/UserSandboxes.xml
file.
See Working with user sandboxes for further information.
This user ID is configured in UserSandboxes.xml files.
User ID | Access | Include or Exclude | Resource |
---|---|---|---|
Admin* | Read | Include | /home/user/** |
Admin* | Read | Exclude | /home/user/private/** |
Sysprog | Read | Include | /home/user/** |
Admin* | Read | Include | Application.reply.queue |
- If
type=queue
is specified, the resource is either a queue name, orqueue@qmgr
. - If the resource begins with
//
, the resource is a data set; otherwise the resource is a file in z/OS UNIX. - The user ID is the user ID from the MQMD structure, so this might not reflect the user ID that actually puts the message.
- For requests on the local queue manager you can use MQADMIN CONTEXT.* to limit which users can set this value.
- For requests coming in over a remote queue manager, you have to assume that the distributed queue managers have security enabled to prevent unauthorized setting of the user ID in the MQMD structure.
- A user ID of SYSPROG1 on a Linux® machine, is the same user ID SYSPROG1 for the security checking on z/OS.