Security settings for MQ exit resources on z/OS

If security is enabled for your queue manager or queue sharing group, you must set up security for the Rational® Integration Tester MQ exit resources, and give user IDs access to the Integration Tester intercept queue.
Note: As of release 9.2, Rational Integration Tester uses queues that are named COM.GREENHAT.INTERCEPT_LCK, COM.GREENHAT.INTERCEPT.<QMGR>_LCK, RIT.DIVERT.RULES_LCK, and RIT.DIVERT.RULES.<QMGR>_LCK. Rational Integration Tester 9.2 attempts to create these queues automatically when they are first accessed. If you do not allow Rational Integration Tester to create queues, then you must predefine these queues. The jobs within the RIT.PROC dataset contain sample statements for creating the required security profiles to allow Rational Integration Tester to create the queues. The RITDEFN job contains commands for creating the queues manually, if you prefer to predefine them. Note that the WebSphere® MQ exit on z/OS itself has not changed since release 9.1.1. Only the jobs within RIT.PROC were updated in Rational Integration Tester release 9.2.

Security settings for a single queue manager

Use the following definitions for the security settings of the various classes when the queue manager is not part of a queue sharing group. Substitute MQPG with the name of the queue manager.
Class Resource RIT Job Userid CHINIT RIT User Application Userid
MQADMIN MQPG.NAMELIST.COM.GREENHAT.INTERCEPT ALTER   ALTER  
MQPG.NAMELIST.COM.GREENHAT.INTERCEPT_LCK     ALTER  
MQPG.NAMELIST.RIT.DIVERT.RULES ALTER   ALTER  
MQPG.NAMELIST.RIT.DIVERT.RULES_LCK ALTER   ALTER  
MQPG.NAMELIST.RIT.**     ALTER  
MQPG.QUEUE.COM.GREENHAT.INTERCEPT_LCK ALTER   ALTER  
MQPG.QUEUE.RIT.DIVERT.RULES_LCK ALTER   ALTER  
MQPG.CONTEXT.application.queuename     CONTROL CONTROL
MQPG.CONTEXT.**   ALTER    
MQNLIST MQPG.COM.GREENHAT.INTERCEPT ALTER   ALTER  
MQPG.COM.GREENHAT.INTERCEPT_LCK ALTER   ALTER  
MQPG.RIT.DIVERT.RULES ALTER   ALTER  
MQPG.RIT.DIVERT.RULES_LCK ALTER   ALTER  
MQPG.RIT.DIVERTRULE.** ALTER      
MQCMDS MQPG.ALTER.NAMELIST     ALTER  
MQPG.DEFINE.NAMELIST ALTER   ALTER  
MQPG.DELETE.NAMELIST     ALTER  
MQPG.DISPLAY.NAMELIST     READ  
MQPG.DISPLAY.QMGR     READ  
MQPG.DISPLAY.QUEUE     READ  
MQPG.DEFINE.QLOCAL     ALTER  
MQPG.CSQ.** UPDATE      
MQQUEUE MQPG.COM.GREENHAT.COMMAND.QUEUE ALTER ALTER ALTER  
MQPG.CSQ.** UPDATE      
MQPG.SYSTEM.COMMAND.INPUT UPDATE UPDATE UPDATE  
MQPG.SYSTEM.COMMAND.REPLY.MODEL UPDATE UPDATE    
MQPG.SYSTEM.DEFAULT.MODEL.QUEUE   ALTER UPDATE  
MQPG.AMQ.** ALTER ALTER ALTER  
MQPG.COM.GREENHAT.INTERCEPT_LCK ALTER   UPDATE  
MQPG.RIT.DIVERT.RULES_LC ALTER   UPDATE  
MQPG.APPQUEUE READ   UPDATE  
MQCONN MQPG.BATCH READ READ    

Security settings for a Queue Sharing Group

Use the following definitions for the security settings of the various classes when the queue manager is part of a queue sharing group. Substitute MQPG with either the name of the queue sharing group or the name of the queue manager depending on whether your site defines MQ security at the queue manager level or at the group level.
Note: Each queue manager must have permission to access each of the Rational Integration Tester name lists and queues. For example, if the queue sharing group is made up of queue managers named QMGA, QMGB, and QMGC, Rational Integration Tester will use the following name lists and queues:
Object Name Object Type QSGDISP
COM.GREENHAT.INTERCEPT.QMGA Name list GROUP
COM.GREENHAT.INTERCEPT.QMGB Name list GROUP
COM.GREENHAT.INTERCEPT.QMGC Name list GROUP
RIT.DIVERT.RULES.QMGA Name list GROUP
RIT.DIVERT.RULES.QMGB Name list GROUP
RIT.DIVERT.RULES.QMGC Name list GROUP
COM.GREENHAT.COMMAND.QUEUE.QMGA Queue SHARED
COM.GREENHAT.COMMAND.QUEUE.QMGB Queue SHARED
COM.GREENHAT.COMMAND.QUEUE.QMGC Queue SHARED
COM.GREENHAT.INTERCEPT_LCK Queue SHARED
COM.GREENHAT.INTERCEPT.QMGA_LCK Queue SHARED
COM.GREENHAT.INTERCEPT.QMGB_LCK Queue SHARED
COM.GREENHAT.INTERCEPT.QMGC_LCK Queue SHARED
RIT.DIVERT.RULES.QMGA_LCK Queue SHARED
RIT.DIVERT.RULES.QMGB_LCK Queue SHARED
RIT.DIVERT.RULES.QMGC_LCK Queue SHARED
Define the MQADMIN, MQNLIST, MQCMDS, and MQQUEUE profiles and accesses as listed in the following table to make them accessible from all the three queue managers:
Class Resource RIT Exit Job/Started Task Userid CHINIT RIT User Application Userid
MQADMIN MQPG.NAMELIST.COM.GREENHAT.INTERCEPT.QQQQ where QQQQ is the name of a queue manager. When using RIT with shared queues, an intercept name list is required for each queue manager. ALTER access to the intercept name list for the QMGR associated with the job   ALTER access to the intercept name lists for all queue managers  
MQPG.NAMELIST.COM.GREENHAT.INTERCEPT_LCK     ALTER  

MQPG.NAMELIST.RIT.DIVERT.RULES.QQQQ where QQQQ is the name of a queue manager. When using RIT with shared queues, a divert name list is required for each queue manager.

 ALTER access to the divert name list for the QMGR associated with the job   ALTER access to the divert name lists for all queue managers  

MQPG.NAMELIST.RIT.DIVERT.RULES_LCK

 ALTER   ALTER  
MQPG.NAMELIST.RIT.**     ALTER  
MQPG.QUEUE.COM.GREENHAT.INTERCEPT_LCK     ALTER  
MQPG.QUEUE.COM.GREENHAT.INTERCEPT.QQQQ_LCK, where QQQQ is the name of a queue manager. When using RIT with shared queues, an intercept locking queue may be required for each queue manager.     ALTER  
MQPG.QUEUE.RIT.DIVERT.RULES.QQQQ_LCK, where QQQQ is the name of a queue manager. When using RIT with shared queues, a divert locking queue is required for each queue manager.     ALTER  
MQPG.CONTEXT.application.queuename     CONTROL CONTROL
MQPG.CONTEXT.**   ALTER    
MQNLIST

MQNLIST MQPG.COM.GREENHAT.INTERCEPT.QQQQ where QQQQ is the name of a queue manager. When using RIT with shared queues, an intercept name list is required for each queue manager.

ALTER access to the intercept name list for the QMGR associated with the job   ALTER access to the intercept name lists for all queue managers  

MQPG.COM.GREENHAT.INTERCEPT_LCK

ALTER   ALTER  
MQPG.RIT.DIVERT.RULES.QQQQ where QQQQ is the name of a queue manager. When using RIT with shared queues, a divert name list is required for each queue manager. ALTER access to the divert name list for the QMGR associated with the job   ALTER access to the divert name lists for all queue managers  

MQPG.RIT.DIVERT.RULES_LCK

 ALTER   ALTER  
MQPG.RIT.DIVERTRULE.** ALTER      
MQCMDS

MQPG.ALTER.NAMELIST

    ALTER  
MQPG.DEFINE.NAMELIST ALTER   ALTER  
MQPG.DELETE.NAMELIST     ALTER  
MQPG.DISPLAY.NAMELIST     READ  
MQPG.DISPLAY.QMGR     READ  
MQPG.DISPLAY.QUEUE     READ  
MQPG.CSQ.** UPDATE      
MQPG.DEFINE.QLOCAL     ALTER  

MQQUEUE

MQPG.COM.GREENHAT.COMMAND.QUEUE.QQQQ where QQQQ is the name of a queue manager. When using RIT with shared queues, a command queue is required for each queue manager. ALTER access to the command queue for the QMGR associated with the job ALTER ALTER access to the command queues for all queue managers  
MQPG.CSQ.** UPDATE      
MQPG.SYSTEM.COMMAND.INPUT UPDATE UPDATE UPDATE  
MQPG.SYSTEM.COMMAND.REPLY.MODEL UPDATE UPDATE    
MQPG.SYSTEM.DEFAULT.MODEL.QUEUE   ALTER UPDATE  
MQPG.AMQ.** ALTER ALTER ALTER  
MQPG.COM.GREENHAT.INTERCEPT_LCK     UPDATE  
MQPG.COM.GREENHAT.INTERCEPT.QQQQ_LCK, where QQQQ is the name of a queue manager. When using RIT with shared queues, an intercept locking queue may be required for each queue manager.     UPDATE  
MQPG.RIT.DIVERT.RULES.QQQQ_LCK, where QQQQ is the name of a queue manager. When using RIT with shared queues, a divert locking queue is required for each queue manager.     UPDATE  
MQPG.APPQUEUE READ   UPDATE  
MQCONN MQPG.BATCH READ READ    
Related concepts:
Additional configuration steps if the Rational Integration Tester user cannot be given queue create permission
Feedback