
Setting up security on IBM i

Security on IBM® i is implemented using the IBM MQ Object Authority Manager (OAM) and IBM i object level security.

There are security considerations to take into account when determining access authority to IBM MQ objects.

You need to consider the following points when setting up authorities for the users in your enterprise:
  1. Grant and revoke authorities to the IBM MQ for IBM i commands using the IBM i GRTOBJAUT and RVKOBJAUT commands.

    In the QMQM library, certain noncommand (*cmd) objects are set to have *PUBLIC authority to *USE. Do not change the authorities of these objects or use an authorization list to provide authority. Any incorrect authority might compromise IBM MQ functionality.

  2. During installation of IBM MQ for IBM i, the following special user profiles are created:
    QMQM
    Is used primarily for internal product-only functions. However, it can be used to run trusted applications using MQCNO_FASTPATH_BINDINGS. See Connecting to a queue manager using the MQCONNX call.
    QMQMADM
    Is used as a group profile for administrators of IBM MQ. The group profile gives access to CL commands and IBM MQ resources.

    When using SBMJOB to submit programs that call IBM MQ commands, USER must not be set explicitly to QMQMADM. Instead, set USER to QMQM or another user profile that has QMQMADM specified as a group.

  3. If you are sending channel commands to remote queue managers, ensure that your user profile is a member of the group QMQMADM on the target system. For a list of PCF and MQSC channel commands, see IBM MQ for IBM i CL commands.
  4. The group set associated with a user is cached when the group authorizations are computed by the OAM.

    Any changes made to a user's group memberships after the group set has been cached are not recognized until you restart the queue manager or execute RFRMQMAUT to refresh security.

  5. Limit the number of users who have authority to work with commands that are particularly sensitive. These commands include:
    • Create Message Queue Manager (CRTMQM)
    • Delete Message Queue Manager (DLTMQM)
    • Start Message Queue Manager (STRMQM)
    • End Message Queue Manager (ENDMQM)
    • Start Command Server (STRMQMCSVR)
    • End Command Server (ENDMQMCSVR)
  6. Channel definitions contain a security exit program specification. Channel creation and modification require special considerations. Details of security exits are given in Security exit overview.
  7. The channel exit and trigger monitor programs can be substituted. The security of such replacements is the responsibility of the programmer.
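The following CL program is an added example, not code from IBM's documentation, that applies points 1, 4 and 5 above: it restricts the six sensitive commands to the QMQMADM group using RVKOBJAUT and GRTOBJAUT, verifies the result with DSPOBJAUT, and then runs RFRMQMAUT so the OAM picks up the change. It assumes the IBM MQ commands reside in library QMQM and uses an assumed queue manager name, MYQM; the RFRMQMAUT parameter name is also an assumption.

```cl
/* Added example: lock down the sensitive IBM MQ for IBM i commands   */
/* so that only members of the QMQMADM group can run them.            */
/* Assumptions: commands are in library QMQM; queue manager is MYQM.  */
             PGM
             /* Stop on any unexpected error rather than continue      */
             /* half-applied                                           */
             MONMSG     MSGID(CPF0000 MQM0000) EXEC(GOTO CMDLBL(FAIL))

             /* 1. Remove all *PUBLIC access to each sensitive command */
             RVKOBJAUT  OBJ(QMQM/CRTMQM) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
             RVKOBJAUT  OBJ(QMQM/DLTMQM) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
             RVKOBJAUT  OBJ(QMQM/STRMQM) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
             RVKOBJAUT  OBJ(QMQM/ENDMQM) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
             RVKOBJAUT  OBJ(QMQM/STRMQMCSVR) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
             RVKOBJAUT  OBJ(QMQM/ENDMQMCSVR) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)

             /* 2. Make the public exclusion explicit                  */
             GRTOBJAUT  OBJ(QMQM/CRTMQM) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
             GRTOBJAUT  OBJ(QMQM/DLTMQM) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
             GRTOBJAUT  OBJ(QMQM/STRMQM) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
             GRTOBJAUT  OBJ(QMQM/ENDMQM) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
             GRTOBJAUT  OBJ(QMQM/STRMQMCSVR) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
             GRTOBJAUT  OBJ(QMQM/ENDMQMCSVR) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)

             /* 3. Grant *USE to the administrator group profile only  */
             GRTOBJAUT  OBJ(QMQM/CRTMQM) OBJTYPE(*CMD) USER(QMQMADM) AUT(*USE)
             GRTOBJAUT  OBJ(QMQM/DLTMQM) OBJTYPE(*CMD) USER(QMQMADM) AUT(*USE)
             GRTOBJAUT  OBJ(QMQM/STRMQM) OBJTYPE(*CMD) USER(QMQMADM) AUT(*USE)
             GRTOBJAUT  OBJ(QMQM/ENDMQM) OBJTYPE(*CMD) USER(QMQMADM) AUT(*USE)
             GRTOBJAUT  OBJ(QMQM/STRMQMCSVR) OBJTYPE(*CMD) USER(QMQMADM) AUT(*USE)
             GRTOBJAUT  OBJ(QMQM/ENDMQMCSVR) OBJTYPE(*CMD) USER(QMQMADM) AUT(*USE)

             /* 4. Verify: the spooled report should show *PUBLIC as    */
             /* *EXCLUDE and QMQMADM as *USE for each command           */
             DSPOBJAUT  OBJ(QMQM/CRTMQM) OBJTYPE(*CMD) OUTPUT(*PRINT)
             DSPOBJAUT  OBJ(QMQM/DLTMQM) OBJTYPE(*CMD) OUTPUT(*PRINT)

             /* 5. Refresh OAM security so cached group sets are rebuilt */
             /* (parameter name MQMNAME is assumed here)                 */
             RFRMQMAUT  MQMNAME(MYQM)
             RETURN

 FAIL:       SNDPGMMSG  MSG('MQ command authority lockdown failed; +
                              review the job log') MSGTYPE(*ESCAPE)
             ENDPGM
```

Run the program from a profile that owns or has *OBJMGT authority on the command objects; users already signed on keep their cached group set until the refresh or a queue manager restart, as point 4 describes.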