Security settings
The security settings required to run z/OSMF.
User ID property | Description |
---|---|
CSQ_USERID | User ID used to run the workflow steps. Note, however, that selected steps (which generally require an elevated level of authority) are run with different user IDs, based on the setting of the CSQ_ADMIN_* user IDs listed below. The user ID in use is identified by the runAsUser property on the respective step in the workflows. |
CSQ_ADMIN_APF_USERID | User ID to use when APF authorizing the load library that contains the queue manager system parameter module. |
CSQ_APF_APPROVAL_ID | The approval ID used to permit users to run the data set APF authorization step as user CSQ_ADMIN_APF_USERID. |
CSQ_ADMIN_CONSOLE_USERID | User ID used when running steps that issue z/OS console commands. Attention: This user ID needs to be permitted UPDATE access to the started task profile (MVS.START.STC.*) in the OPERCMDS class. See Controlling the use of operator commands in the z/OS® documentation for more information. |
CSQ_CONSOLE_APPROVAL_ID | The approval ID used to permit users to run steps that issue z/OS console commands as user CSQ_ADMIN_CONSOLE_USERID. |
CSQ_ADMIN_SAF_USERID | User ID to use when issuing SAF commands. |
CSQ_SAF_APPROVAL_ID | The approval ID used to permit users to run the SAF command steps as user CSQ_ADMIN_SAF_USERID. |
CSQ_ADMIN_SSI_USERID | User ID to use when issuing the SETSSI command to identify the subsystem being provisioned to z/OS. |
CSQ_SSI_APPROVAL_ID | The approval ID used to permit users to run the SETSSI command step as user CSQ_ADMIN_SSI_USERID. |
- The Queue Manager provision and deprovision workflows use the SETPROG command to APF authorize data sets. Either the user ID set in property CSQ_ADMIN_APF_USERID, or the user ID being used to run the workflows, needs to be permitted to issue this command. You can achieve this by issuing the following command:
  PERMIT MVS.SETPROG CLASS(OPERCMDS) ID(value of CSQ_ADMIN_APF_USERID) ACCESS(UPDATE)
  Note: The SETPROG command might not persist across an IPL of a z/OS system, so it might be necessary to manually issue the following SETPROG command following an IPL:
  SETPROG APF,ADD,DSN=value of CSQ_AUTH_LIB_HLQ.value of CSQ_SSID.APF.LOAD,SMS
  For more details about the SETPROG command, see Using RACF to control APF lists.
  In addition, you might have enabled the FACILITY class to control which libraries can be APF authorized, so you might also need to issue the command:
  PERMIT CSVAPF.libname CLASS(FACILITY) ID(value of CSQ_ADMIN_APF_USERID) ACCESS(UPDATE)
- A step in the Queue Manager provision workflow issues the SETSSI command to identify the IBM® MQ subsystem to z/OS. The user ID set in property CSQ_ADMIN_SSI_USERID needs to be permitted to use this command. You can achieve this by issuing the following command:
  PERMIT MVS.SETSSI.ADD CLASS(OPERCMDS) ID(value of CSQ_ADMIN_SSI_USERID) ACCESS(CONTROL)
  Note: Subsystems that have been identified to z/OS through the SETSSI command do not persist across an IPL of a z/OS system, so it might be necessary to manually issue the following SETSSI command following an IPL:
  SETSSI ADD,S='value of CSQ_SSID',I=CSQ3INI,P='CSQ3EPX,value of CSQ_CMD_PFX,S'
  For more details about the SETSSI command, see: SETSSI command.
- The workflows issue queue manager commands, so if you are planning to enable security, the user ID set in property CSQ_ADMIN_RACF_USERID (or the user ID being used to run the workflows) needs to be granted CLAUTH (class authority) to the MQADMIN or the MXADMIN class (depending on which class is being used). This allows the user ID to define security profiles in these classes. You can achieve this by issuing the following command:
  ALTUSR value of CSQ_ADMIN_RACF_USERID CLAUTH(MQADMIN)
  For more details about CLAUTH, see The CLAUTH (class authority) attribute.
- The deprovision.xml workflow issues z/OS commands, for example, DISPLAY ACTIVE jobs, CANCEL or FORCE subsystems, so the user ID set in property CSQ_ADMIN_CONSOLE_USERID (or the user ID being used to run the workflows) needs to have suitable authority to issue such commands.
- Users requesting a queue manager instance, using the templates table of the Software Services task, must have permission to access z/OSMF and the Configuration Assistant, as defined by z/OSMF.
- The user ID of the consumer provisioning a queue manager requires authority to add and delete members from the PROCLIB data set defined with variable CSQ_PROC_LIB.
- A queue manager must be provisioned ahead of provisioning queues.
- To use the queueLoad.xml and queueOffload.xml workflows, the data sets used need to be defined ahead of time. Also, the user ID used to run these workflows needs to be granted UPDATE authority to the data sets.
- A step in the queue manager provision.xml workflow currently disables subsystem security. You can modify job csq4znse.jcl to enable subsystem security by adding the appropriate security commands for protecting IBM MQ resources. However, note that if you do add such commands, you also need to add commands to delete the corresponding security permissions in csq4dse.jcl, which is submitted by the deprovision.xml workflow. Note: This step issues RACF security commands. If you are using an alternate security product, you need to modify this step to issue the appropriate commands for your security product.
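The following added example (not part of the IBM MQ workflows) reads a workflow_variables.properties file and builds the PERMIT, ALTUSR, SETPROG and SETSSI commands listed above with the CSQ_ADMIN_* user IDs substituted, falling back to CSQ_USERID where an admin ID is unset, and keeps the non-persistent post-IPL commands separate so they can be reviewed after a restart. The sample property values are constructed; the CSVAPF.<data set name> profile and the MVS.START.STC.* PERMIT are assumptions derived from the page's wording, not values taken from the product.

```python
"""Derive the security commands this page lists from workflow_variables.properties.
Added example; sample values constructed; CSVAPF.<dsn> and MVS.START.STC.* are assumptions."""

SAMPLE_PROPERTIES = """\
# constructed example, not the shipped file
CSQ_USERID=WFUSER
CSQ_ADMIN_APF_USERID=APFADM
CSQ_ADMIN_SSI_USERID=SSIADM
CSQ_ADMIN_RACF_USERID=MQADM
CSQ_ADMIN_CONSOLE_USERID=OPERADM
CSQ_AUTH_LIB_HLQ=MQ.V9
CSQ_SSID=CSQ1
CSQ_CMD_PFX=+CSQ1
"""

def parse_properties(text):
    """Parse key=value lines; '#' and '!' start comment lines, as in Java properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def _runner(props, admin_key):
    # Per the page, a step runs as CSQ_USERID unless a CSQ_ADMIN_* ID is set for it.
    return props.get(admin_key) or props["CSQ_USERID"]

def apf_library(props):
    return f"{props['CSQ_AUTH_LIB_HLQ']}.{props['CSQ_SSID']}.APF.LOAD"

def required_permits(props):
    """One-time security definitions, one per requirement on the page."""
    apf, ssi = _runner(props, "CSQ_ADMIN_APF_USERID"), _runner(props, "CSQ_ADMIN_SSI_USERID")
    racf, con = _runner(props, "CSQ_ADMIN_RACF_USERID"), _runner(props, "CSQ_ADMIN_CONSOLE_USERID")
    return [
        f"PERMIT MVS.SETPROG CLASS(OPERCMDS) ID({apf}) ACCESS(UPDATE)",
        f"PERMIT CSVAPF.{apf_library(props)} CLASS(FACILITY) ID({apf}) ACCESS(UPDATE)",  # if FACILITY is used
        f"PERMIT MVS.SETSSI.ADD CLASS(OPERCMDS) ID({ssi}) ACCESS(CONTROL)",
        f"ALTUSR {racf} CLAUTH(MQADMIN)",  # MXADMIN instead if that class is in use
        f"PERMIT MVS.START.STC.* CLASS(OPERCMDS) ID({con}) ACCESS(UPDATE)",  # assumed profile spelling
    ]

def post_ipl_commands(props):
    """Dynamic changes the page says do not survive an IPL and must be reissued."""
    return [
        f"SETPROG APF,ADD,DSN={apf_library(props)},SMS",
        f"SETSSI ADD,S='{props['CSQ_SSID']}',I=CSQ3INI,P='CSQ3EPX,{props['CSQ_CMD_PFX']},S'",
    ]
```

Compare the generated list against what is actually defined (for example, RLIST output) before and after an IPL; any post-IPL command missing from the system is the one to reissue.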
Network Requirements
When adding a queue manager template, and resources for the template, you need to click Create network resource pool. This creates a resource pool with network resources for this template.
Using the Configuration Assistant, your network administrator needs to complete this network resource pool definition by defining a limit for the number of ports that are to be allocated for this template.
For each template instance, the provision.xml workflow allocates a port in the range, and starts a listener to listen on that port.
Classifying with IBM Workload Manager
If you want to classify the queue manager and channel initiator address spaces with WLM, you need to specify this when adding a template for provisioning a queue manager.
Whether to classify or not is controlled by the flags CSQ_DEFINE_MSTR_WLM_RULE and CSQ_DEFINE_CHIN_WLM_RULE, which are set in the file workflow_variables.properties.
For more information about classifying with WLM, refer to the z/OSMF Configuration Guide.