API-resource security in IBM MQ for z/OS
Resources are checked when an application opens an object with an MQOPEN or MQPUT1 call. The access needed to open an object depends on which open options (MQOO_*) are specified on the call: for example, browsing a queue needs less authority than getting messages from it.
No security checks are performed when opening the queue manager object or when accessing storage class objects.
- Queue
Queue security checking controls who is allowed to open which queue, and what options they are allowed to open it with. For example, a user might be allowed to open a queue called PAYROLL.INCREASE.SALARY to browse the messages on the queue (using the MQOO_BROWSE option), but not to remove messages from the queue (using one of the MQOO_INPUT_* options). If you turn checking for queues off, any user can open any queue with any valid open option (that is, any valid MQOO_* option on an MQOPEN or MQPUT1 call).
You can turn queue security checking on or off at either queue manager or queue sharing group level.
- Process
Process security checking is carried out when a user opens a process definition object. If you turn checking for processes off, any user can open any process.
You can turn process security checking on or off at either queue manager or queue sharing group level.
- Namelist
Namelist security checking is carried out when a user opens a namelist. If you turn checking for namelists off, any user can open any namelist.
You can turn namelist security checking on or off at either queue manager or queue sharing group level.
- Alternate user
Alternate user security controls whether one user ID can use the authority of another user ID to open an IBM® MQ object.
For example:
- A server program running under user ID PAYSERV retrieves a request message from a queue that was put on the queue by user ID USER1.
- When the server program gets the request message, it processes the request and puts the reply back into the reply-to queue specified with the request message.
- Instead of using its own user ID (PAYSERV) to authorize opening the reply-to queue, the server can specify some other user ID, in this case USER1. In this example, alternate user security controls whether user ID PAYSERV is allowed to specify user ID USER1 as an alternative user ID when opening the reply-to queue.
The alternative user ID is specified in the AlternateUserId field of the object descriptor (MQOD), and is used only if the MQOO_ALTERNATE_USER_AUTHORITY open option is also specified. You can use alternative user IDs on any IBM MQ object, for example, processes or namelists. It does not affect the user ID used by any other resource managers, for example, for CICS® security or for z/OS® data set security.
If alternate user security is not active, any user can use any other user ID as an alternative user ID.
You can turn alternate user security checking on or off at either queue manager or queue sharing group level.
- Context
Context is information that applies to a particular message and is carried in the message descriptor (MQMD) that is part of the message. The context information comes in two sections:
- Identity section
The user of the application that first put the message to a queue. It consists of the following fields:
UserIdentifier
AccountingToken
ApplIdentityData
- Origin section
The application that put the message on the queue where it is currently stored. It consists of the following fields:
PutApplType
PutApplName
PutDate
PutTime
ApplOriginData
Applications can specify the context data when either an MQPUT or an MQPUT1 call is made. The application might generate the data, the data might be passed on from another message, or the queue manager might generate the data by default. For example, server programs can use context data to check the identity of the requester, that is, did this message come from the correct application? Typically, the UserIdentifier field is used to determine the user ID of an alternative user, which is why control over who may set context matters: a user who can set identity context freely can make a message appear to have come from someone else.
You use context security to control whether a user can specify any of the context options (the MQOO_*_CONTEXT options on MQOPEN and the MQPMO_*_CONTEXT options on MQPUT or MQPUT1). For information about the context options, see the MQOPEN options relating to message context. For descriptions of the message descriptor fields relating to context, see MQMD - Message descriptor.
If you turn context security checking off, any user can use any of the context options that the queue security allows.
You can turn context security checking on or off at either queue, queue manager or queue sharing group level.
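The queue, alternate user and context checks described above all apply to a single MQOPEN, so the following Python model, added here as an example and not taken from IBM's code or documentation, walks through both scenarios from this section: USER1 browsing but not getting from PAYROLL.INCREASE.SALARY, and PAYSERV opening USER1's reply-to queue under USER1's authority, with and without a context option. The MQOO_* values are those defined in cmqc.h; the profile names (hlq.queuename in class MQQUEUE, hlq.ALTERNATE.USER.userid and hlq.CONTEXT.queuename in class MQADMIN), the option-to-access-level tables, the high-level qualifier MQ1, the queue USER1.REPLY and the permission table are assumptions made for the example and should be verified against your own queue manager's RACF setup.

```python
"""Model of the API-resource checks an MQOPEN triggers on IBM MQ for z/OS.

Added example, not IBM code. MQOO_* values follow cmqc.h; profile names and the
option-to-access mappings are assumptions based on the RACF profile conventions
for IBM MQ for z/OS; PERMITS is a constructed table, not a real RACF database.
"""
from enum import IntEnum

# Open options, values as in cmqc.h
MQOO_INPUT_AS_Q_DEF = 0x0001
MQOO_INPUT_SHARED = 0x0002
MQOO_INPUT_EXCLUSIVE = 0x0004
MQOO_BROWSE = 0x0008
MQOO_OUTPUT = 0x0010
MQOO_INQUIRE = 0x0020
MQOO_SET = 0x0040
MQOO_SAVE_ALL_CONTEXT = 0x0080
MQOO_PASS_IDENTITY_CONTEXT = 0x0100
MQOO_PASS_ALL_CONTEXT = 0x0200
MQOO_SET_IDENTITY_CONTEXT = 0x0400
MQOO_SET_ALL_CONTEXT = 0x0800
MQOO_ALTERNATE_USER_AUTHORITY = 0x1000
MQOO_INPUT_ANY = MQOO_INPUT_AS_Q_DEF | MQOO_INPUT_SHARED | MQOO_INPUT_EXCLUSIVE


class Access(IntEnum):
    """RACF access levels in ascending order, so '<' means 'not enough'."""
    NONE = 0
    READ = 1
    UPDATE = 2
    CONTROL = 3
    ALTER = 4


# (option mask, level needed on the profile); the highest level among the options
# actually specified is what the check demands. Assumed mappings, see module docstring.
QUEUE_ACCESS = (
    (MQOO_BROWSE | MQOO_INQUIRE, Access.READ),
    (MQOO_INPUT_ANY | MQOO_OUTPUT, Access.UPDATE),
    (MQOO_SET, Access.ALTER),
)
CONTEXT_ACCESS = (
    (MQOO_SAVE_ALL_CONTEXT, Access.READ),
    (MQOO_PASS_IDENTITY_CONTEXT | MQOO_PASS_ALL_CONTEXT | MQOO_SET_IDENTITY_CONTEXT, Access.UPDATE),
    (MQOO_SET_ALL_CONTEXT, Access.CONTROL),
)


def _level_needed(options, table):
    need = Access.NONE
    for mask, level in table:
        if options & mask:
            need = max(need, level)
    return need


def required_checks(hlq, queue, options, user_id, alt_user_id=None, switches=None):
    """Return the (class, profile, user, access) checks an MQOPEN needs.

    hlq is the queue manager or queue sharing group name prefixing the profiles.
    switches models the QUEUE, ALTUSER and CONTEXT security switches being off.
    An empty queue name stands for the queue manager object, which is not checked.
    """
    sw = {"QUEUE": True, "ALTUSER": True, "CONTEXT": True, **(switches or {})}
    if not queue:
        return []
    checks = []
    effective_user = user_id
    if options & MQOO_ALTERNATE_USER_AUTHORITY and alt_user_id:
        # The caller's own ID must be permitted to act as alt_user_id; the
        # remaining resource checks are then made against the alternate ID.
        if sw["ALTUSER"]:
            checks.append(("MQADMIN", f"{hlq}.ALTERNATE.USER.{alt_user_id}", user_id, Access.UPDATE))
        effective_user = alt_user_id
    if sw["QUEUE"] and (need := _level_needed(options, QUEUE_ACCESS)):
        checks.append(("MQQUEUE", f"{hlq}.{queue}", effective_user, need))
    if sw["CONTEXT"] and (need := _level_needed(options, CONTEXT_ACCESS)):
        checks.append(("MQADMIN", f"{hlq}.CONTEXT.{queue}", effective_user, need))
    return checks


def authorize(checks, permits):
    """Evaluate checks against permits, a {(class, profile): {user: Access}} table.

    A profile or user missing from the table counts as no access, as a missing
    RACF PERMIT would. Returns (True, 'ok') or (False, reason) for the first failure.
    """
    for cls, profile, user, need in checks:
        have = permits.get((cls, profile), {}).get(user, Access.NONE)
        if have < need:
            return False, f"{user} needs {need.name} on {cls} {profile}, has {have.name}"
    return True, "ok"


# Constructed permissions for the two scenarios in the text (hlq MQ1 is made up).
PERMITS = {
    ("MQQUEUE", "MQ1.PAYROLL.INCREASE.SALARY"): {"USER1": Access.READ},
    ("MQADMIN", "MQ1.ALTERNATE.USER.USER1"): {"PAYSERV": Access.UPDATE},
    ("MQQUEUE", "MQ1.USER1.REPLY"): {"USER1": Access.UPDATE},
}

if __name__ == "__main__":
    reply_opts = MQOO_OUTPUT | MQOO_ALTERNATE_USER_AUTHORITY
    for label, checks in (
        ("USER1 browses PAYROLL", required_checks("MQ1", "PAYROLL.INCREASE.SALARY", MQOO_BROWSE, "USER1")),
        ("USER1 gets from PAYROLL", required_checks("MQ1", "PAYROLL.INCREASE.SALARY", MQOO_INPUT_SHARED, "USER1")),
        ("PAYSERV replies as USER1", required_checks("MQ1", "USER1.REPLY", reply_opts, "PAYSERV", "USER1")),
        ("PAYSERV replies as itself", required_checks("MQ1", "USER1.REPLY", MQOO_OUTPUT, "PAYSERV")),
        ("...and passes identity context", required_checks(
            "MQ1", "USER1.REPLY", reply_opts | MQOO_PASS_IDENTITY_CONTEXT, "PAYSERV", "USER1")),
    ):
        print(f"{label}: {authorize(checks, PERMITS)}")
```

Note what the last scenario shows: letting PAYSERV act as USER1 on the queue does not by itself let it pass USER1's identity context into the reply, because the CONTEXT profile is checked separately. Turning the context switch off (switches={"CONTEXT": False}) removes that check entirely, which is exactly the exposure the text warns about.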