Security settings for MQ exit resources on z/OS
If security is enabled for your queue manager or queue sharing group, you must set up
security for the Rational®
Integration Tester MQ exit resources, and give user IDs access to the Integration
Tester intercept queue.
Note: As of release 9.2, Rational
Integration Tester uses
queues that are named COM.GREENHAT.INTERCEPT_LCK, COM.GREENHAT.INTERCEPT.<QMGR>_LCK,
RIT.DIVERT.RULES_LCK, and RIT.DIVERT.RULES.<QMGR>_LCK. Rational
Integration Tester 9.2
attempts to create these queues automatically when they are first accessed. If you do not allow
Rational
Integration Tester
to create queues, then you must predefine these queues. The jobs within the RIT.PROC dataset contain
sample statements for creating the required security profiles to allow Rational
Integration Tester to create
the queues. The RITDEFN job contains commands for creating the queues manually, if you prefer to
predefine them. Note that the WebSphere® MQ exit on
z/OS itself has not changed since release 9.1.1. Only the jobs within RIT.PROC were updated in
Rational
Integration Tester
release 9.2.
Security settings for a single queue manager
Use the following definitions for the security settings of the various classes
when the queue manager is not part of a queue sharing group. Substitute MQPG with the name of the
queue manager.
Class | Resource | RIT Job Userid | CHINIT | RIT User | Application Userid |
---|---|---|---|---|---|
MQADMIN | MQPG.NAMELIST.COM.GREENHAT.INTERCEPT | ALTER | ALTER | ||
MQPG.NAMELIST.COM.GREENHAT.INTERCEPT_LCK | ALTER | ||||
MQPG.NAMELIST.RIT.DIVERT.RULES | ALTER | ALTER | |||
MQPG.NAMELIST.RIT.DIVERT.RULES_LCK | ALTER | ALTER | |||
MQPG.NAMELIST.RIT.** | ALTER | ||||
MQPG.QUEUE.COM.GREENHAT.INTERCEPT_LCK | ALTER | ALTER | |||
MQPG.QUEUE.RIT.DIVERT.RULES_LCK | ALTER | ALTER | |||
MQPG.CONTEXT.application.queuename | CONTROL | CONTROL | |||
MQPG.CONTEXT.** | ALTER | ||||
MQNLIST | MQPG.COM.GREENHAT.INTERCEPT | ALTER | ALTER | ||
MQPG.COM.GREENHAT.INTERCEPT_LCK | ALTER | ALTER | |||
MQPG.RIT.DIVERT.RULES | ALTER | ALTER | |||
MQPG.RIT.DIVERT.RULES_LCK | ALTER | ALTER | |||
MQPG.RIT.DIVERTRULE.** | ALTER | ||||
MQCMDS | MQPG.ALTER.NAMELIST | ALTER | |||
MQPG.DEFINE.NAMELIST | ALTER | ALTER | |||
MQPG.DELETE.NAMELIST | ALTER | ||||
MQPG.DISPLAY.NAMELIST | READ | ||||
MQPG.DISPLAY.QMGR | READ | ||||
MQPG.DISPLAY.QUEUE | READ | ||||
MQPG.DEFINE.QLOCAL | ALTER | ||||
MQPG.CSQ.** | UPDATE | ||||
MQQUEUE | MQPG.COM.GREENHAT.COMMAND.QUEUE | ALTER | ALTER | ALTER | |
MQPG.CSQ.** | UPDATE | ||||
MQPG.SYSTEM.COMMAND.INPUT | UPDATE | UPDATE | UPDATE | ||
MQPG.SYSTEM.COMMAND.REPLY.MODEL | UPDATE | UPDATE | |||
MQPG.SYSTEM.DEFAULT.MODEL.QUEUE | ALTER | UPDATE | |||
MQPG.AMQ.** | ALTER | ALTER | ALTER | ||
MQPG.COM.GREENHAT.INTERCEPT_LCK | ALTER | UPDATE | |||
MQPG.RIT.DIVERT.RULES_LC | ALTER | UPDATE | |||
MQPG.APPQUEUE | READ | UPDATE | |||
MQCONN | MQPG.BATCH | READ | READ |
Security settings for a Queue Sharing Group
Use the following definitions for the security settings of the various classes when the queue
manager is part of a queue sharing group. Substitute MQPG with either the name of the queue sharing
group or the name of the queue manager depending on whether your site defines MQ security at the
queue manager level or at the group level.
Note: Each queue manager must have permission to access
each of the Rational
Integration Tester name lists
and queues. For example, if the queue sharing group is made up of queue managers named QMGA, QMGB,
and QMGC, Rational
Integration Tester will use
the following name lists and queues:
Object Name | Object Type | QSGDISP |
---|---|---|
COM.GREENHAT.INTERCEPT.QMGA | Name list | GROUP |
COM.GREENHAT.INTERCEPT.QMGB | Name list | GROUP |
COM.GREENHAT.INTERCEPT.QMGC | Name list | GROUP |
RIT.DIVERT.RULES.QMGA | Name list | GROUP |
RIT.DIVERT.RULES.QMGB | Name list | GROUP |
RIT.DIVERT.RULES.QMGC | Name list | GROUP |
COM.GREENHAT.COMMAND.QUEUE.QMGA | Queue | SHARED |
COM.GREENHAT.COMMAND.QUEUE.QMGB | Queue | SHARED |
COM.GREENHAT.COMMAND.QUEUE.QMGC | Queue | SHARED |
COM.GREENHAT.INTERCEPT_LCK | Queue | SHARED |
COM.GREENHAT.INTERCEPT.QMGA_LCK | Queue | SHARED |
COM.GREENHAT.INTERCEPT.QMGB_LCK | Queue | SHARED |
COM.GREENHAT.INTERCEPT.QMGC_LCK | Queue | SHARED |
RIT.DIVERT.RULES.QMGA_LCK | Queue | SHARED |
RIT.DIVERT.RULES.QMGB_LCK | Queue | SHARED |
RIT.DIVERT.RULES.QMGC_LCK | Queue | SHARED |
Define the MQADMIN, MQNLIST, MQCMDS, and MQQUEUE profiles and accesses as listed in the following
table to make them accessible from all the three queue managers:
Class | Resource | RIT Exit Job/Started Task Userid | CHINIT | RIT User | Application Userid |
---|---|---|---|---|---|
MQADMIN | MQPG.NAMELIST.COM.GREENHAT.INTERCEPT.QQQQ where QQQQ is the name of a queue manager. When using RIT with shared queues, an intercept name list is required for each queue manager. | ALTER access to the intercept name list for the QMGR associated with the job | ALTER access to the intercept name lists for all queue managers | ||
MQPG.NAMELIST.COM.GREENHAT.INTERCEPT_LCK | ALTER | ||||
MQPG.NAMELIST.RIT.DIVERT.RULES.QQQQ where QQQQ is the name of a queue manager. When using RIT with shared queues, a divert name list is required for each queue manager. |
ALTER access to the divert name list for the QMGR associated with the job | ALTER access to the divert name lists for all queue managers | |||
MQPG.NAMELIST.RIT.DIVERT.RULES_LCK |
ALTER | ALTER | |||
MQPG.NAMELIST.RIT.** | ALTER | ||||
MQPG.QUEUE.COM.GREENHAT.INTERCEPT_LCK | ALTER | ||||
MQPG.QUEUE.COM.GREENHAT.INTERCEPT.QQQQ_LCK, where QQQQ is the name of a queue manager. When using RIT with shared queues, an intercept locking queue may be required for each queue manager. | ALTER | ||||
MQPG.QUEUE.RIT.DIVERT.RULES.QQQQ_LCK, where QQQQ is the name of a queue manager. When using RIT with shared queues, a divert locking queue is required for each queue manager. | ALTER | ||||
MQPG.CONTEXT.application.queuename | CONTROL | CONTROL | |||
MQPG.CONTEXT.** | ALTER | ||||
MQNLIST | MQNLIST MQPG.COM.GREENHAT.INTERCEPT.QQQQ where QQQQ is the name of a queue manager. When using RIT with shared queues, an intercept name list is required for each queue manager. |
ALTER access to the intercept name list for the QMGR associated with the job | ALTER access to the intercept name lists for all queue managers | ||
MQPG.COM.GREENHAT.INTERCEPT_LCK |
ALTER | ALTER | |||
MQPG.RIT.DIVERT.RULES.QQQQ where QQQQ is the name of a queue manager. When using RIT with shared queues, a divert name list is required for each queue manager. | ALTER access to the divert name list for the QMGR associated with the job | ALTER access to the divert name lists for all queue managers | |||
MQPG.RIT.DIVERT.RULES_LCK |
ALTER | ALTER | |||
MQPG.RIT.DIVERTRULE.** | ALTER | ||||
MQCMDS | MQPG.ALTER.NAMELIST |
ALTER | |||
MQPG.DEFINE.NAMELIST | ALTER | ALTER | |||
MQPG.DELETE.NAMELIST | ALTER | ||||
MQPG.DISPLAY.NAMELIST | READ | ||||
MQPG.DISPLAY.QMGR | READ | ||||
MQPG.DISPLAY.QUEUE | READ | ||||
MQPG.CSQ.** | UPDATE | ||||
MQPG.DEFINE.QLOCAL | ALTER | ||||
MQQUEUE |
MQPG.COM.GREENHAT.COMMAND.QUEUE.QQQQ where QQQQ is the name of a queue manager. When using RIT with shared queues, a command queue is required for each queue manager. | ALTER access to the command queue for the QMGR associated with the job | ALTER | ALTER access to the command queues for all queue managers | |
MQPG.CSQ.** | UPDATE | ||||
MQPG.SYSTEM.COMMAND.INPUT | UPDATE | UPDATE | UPDATE | ||
MQPG.SYSTEM.COMMAND.REPLY.MODEL | UPDATE | UPDATE | |||
MQPG.SYSTEM.DEFAULT.MODEL.QUEUE | ALTER | UPDATE | |||
MQPG.AMQ.** | ALTER | ALTER | ALTER | ||
MQPG.COM.GREENHAT.INTERCEPT_LCK | UPDATE | ||||
MQPG.COM.GREENHAT.INTERCEPT.QQQQ_LCK, where QQQQ is the name of a queue manager. When using RIT with shared queues, an intercept locking queue may be required for each queue manager. | UPDATE | ||||
MQPG.RIT.DIVERT.RULES.QQQQ_LCK, where QQQQ is the name of a queue manager. When using RIT with shared queues, a divert locking queue is required for each queue manager. | UPDATE | ||||
MQPG.APPQUEUE | READ | UPDATE | |||
MQCONN | MQPG.BATCH | READ | READ |