Security considerations for connecting to IMS
Grant the user ID of the IBM® MQ queue manager address space access to the OTMA group.
The IMS bridge is an OTMA client. The connection to IMS operates under the user ID of the IBM MQ queue manager address space. This is normally defined as a member of the started task group. This user ID must be granted access to the OTMA group (unless the /SECURE OTMA setting is NONE).
To do this, define the following profile in the FACILITY class:
IMSXCF.xcfgname.mqxcfmname
Where xcfgname is the XCF group name and mqxcfmname is the XCF member name of IBM MQ.
You must give your IBM MQ queue manager user ID read access to this profile.
Note:
- If you change the authorities in the FACILITY class, you must issue the RACF® command SETROPTS RACLIST(FACILITY) REFRESH to activate the changes.
- If profile hlq.NO.SUBSYS.SECURITY exists in the MQADMIN class, no user ID is passed to IMS and the connection fails unless the /SECURE OTMA setting is NONE.
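The steps above expressed as RACF commands, as an added example that is not part of the original page. xcfgname and mqxcfmname are the page's own placeholders, and MQSTCID is a hypothetical user ID standing in for the user ID of your IBM MQ queue manager address space.

```tso
/* Added example. Replace xcfgname and mqxcfmname with your XCF group  */
/* name and the XCF member name of IBM MQ. MQSTCID is a hypothetical   */
/* placeholder for the queue manager address space user ID.            */

/* Define the profile with no default access, so that only user IDs    */
/* that are explicitly permitted can connect as this OTMA client.      */
RDEFINE FACILITY IMSXCF.xcfgname.mqxcfmname UACC(NONE)

/* Give the queue manager user ID read access to the profile.          */
PERMIT IMSXCF.xcfgname.mqxcfmname CLASS(FACILITY) ID(MQSTCID) ACCESS(READ)

/* Activate the change to the FACILITY class.                          */
SETROPTS RACLIST(FACILITY) REFRESH

/* Check the result: list the profile with its access list.            */
RLIST FACILITY IMSXCF.xcfgname.mqxcfmname AUTHUSER
```

In the RLIST output, confirm that the universal access is NONE and that the access list contains only the user IDs you intend to connect to this OTMA group.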