Granting security permissions

When using command resource security you must set up permissions to allow IBM® MQ Advanced Message Security to function. This topic uses RACF® commands in the examples. If your enterprise uses a different external security manager (ESM) you must use the equivalent commands for that ESM.

Notes: The example commands use the following variables.
  1. QMgrName - the name of the queue manager. On z/OS®, this value can also be the name of a queue-sharing group.
  2. username - the user ID; this can also be a group name.
  3. The examples show the MQQUEUE class. This can also be MXQUEUE, GMQQUEUE or GMXQUEUE. See Profiles for queue security for further information.
Furthermore, if the profile already exists, you do not require the RDEFINE command; issue only the PERMIT command.

The AMSM address space

You need to grant some IBM MQ security permissions to the user name that the IBM MQ Advanced Message Security address space runs under.
  • For batch connection to the queue manager, issue:
    RDEFINE MQCONN QMgrName.BATCH UACC(NONE)
    PERMIT QMgrName.BATCH CLASS(MQCONN) ID(username) ACCESS(READ)

  • For access to the SYSTEM.PROTECTION.POLICY.QUEUE, issue:
    RDEFINE MQQUEUE QMgrName.SYSTEM.PROTECTION.POLICY.QUEUE UACC(NONE)
    PERMIT QMgrName.SYSTEM.PROTECTION.POLICY.QUEUE CLASS(MQQUEUE) ID(username) ACCESS(READ)


CSQ0UTIL

The utility that allows users to run the setmqspl and dspmqspl commands requires the following permissions, where the user name is the job user ID:
  • For batch connection to the queue manager, issue:
    RDEFINE MQCONN QMgrName.BATCH UACC(NONE)
    PERMIT QMgrName.BATCH CLASS(MQCONN) ID(username) ACCESS(READ)

  • For access to the SYSTEM.PROTECTION.POLICY.QUEUE, required for the setmqspl command, issue:
    RDEFINE MQQUEUE QMgrName.SYSTEM.PROTECTION.POLICY.QUEUE UACC(NONE)
    PERMIT QMgrName.SYSTEM.PROTECTION.POLICY.QUEUE CLASS(MQQUEUE) ID(username) ACCESS(ALTER)

  • For access to the SYSTEM.PROTECTION.POLICY.QUEUE, required for the dspmqpol command, issue:
    RDEFINE MQQUEUE QMgrName.SYSTEM.PROTECTION.POLICY.QUEUE UACC(NONE)
    PERMIT QMgrName.SYSTEM.PROTECTION.POLICY.QUEUE CLASS(MQQUEUE) ID(username) ACCESS(READ)

    Note that a user who needs to run both commands needs only the ACCESS(ALTER) PERMIT: a PERMIT for an ID that is already in the access list replaces that ID's access level, so issuing the ACCESS(READ) PERMIT afterwards for the same user would lower their access to READ.


Using queues that have an IBM MQ Advanced Message Security policy defined

When an application does any work with queues that have a policy defined on them, that application requires additional permissions to allow IBM MQ Advanced Message Security to protect messages.

The application requires:
  • Read access to the SYSTEM.PROTECTION.POLICY.QUEUE. Do this by issuing:
    RDEFINE MQQUEUE QMgrName.SYSTEM.PROTECTION.POLICY.QUEUE UACC(NONE)
    PERMIT QMgrName.SYSTEM.PROTECTION.POLICY.QUEUE CLASS(MQQUEUE) ID(username) ACCESS(READ)

  • Put access to the SYSTEM.PROTECTION.ERROR.QUEUE, which for a queue profile means UPDATE access (READ access allows only get and browse). Do this by issuing:
    RDEFINE MQQUEUE QMgrName.SYSTEM.PROTECTION.ERROR.QUEUE UACC(NONE)
    PERMIT QMgrName.SYSTEM.PROTECTION.ERROR.QUEUE CLASS(MQQUEUE) ID(username) ACCESS(UPDATE)
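The three sections above describe the same small set of profiles granted at different access levels to different user IDs. The following script is an added example, not IBM's code, that generates a consistent batch of RDEFINE and PERMIT commands from (username, role) pairs using the command syntax shown in this topic. It applies two of the caveats from the topic: RDEFINE is emitted once per profile and skipped for profiles the caller marks as already existing, and when one user ID needs the same profile at two levels (CSQ0UTIL for both setmqspl and dspmqspl) only the higher PERMIT is emitted, since a second PERMIT for the same ID replaces its access level. The role names, the function name racf_commands and the "CLASS:PROFILE" key format for existing profiles are assumptions made for this example; the queue manager names and user IDs in the usage call are constructed.

```python
"""Generate a RACF command batch for IBM MQ Advanced Message Security on z/OS.

Added example (not IBM's code). Role names, the racf_commands function and
the 'CLASS:PROFILE' key format for existing profiles are assumptions made here.
"""
from typing import Dict, Iterable, List, Tuple

# RACF access authorities from lowest to highest; a PERMIT sets one level per ID.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]
# Queue profile classes named in the topic (mixed-case and group variants).
QUEUE_CLASSES = {"MQQUEUE", "MXQUEUE", "GMQQUEUE", "GMXQUEUE"}
POLICY_QUEUE = "SYSTEM.PROTECTION.POLICY.QUEUE"
ERROR_QUEUE = "SYSTEM.PROTECTION.ERROR.QUEUE"

# Requirements per role as listed in the topic: (class, resource, access).
# "QUEUE" is a placeholder resolved to the queue class chosen by the caller.
ROLE_REQUIREMENTS: Dict[str, List[Tuple[str, str, str]]] = {
    "amsm":        [("MQCONN", "BATCH", "READ"), ("QUEUE", POLICY_QUEUE, "READ")],
    "setmqspl":    [("MQCONN", "BATCH", "READ"), ("QUEUE", POLICY_QUEUE, "ALTER")],
    "dspmqspl":    [("MQCONN", "BATCH", "READ"), ("QUEUE", POLICY_QUEUE, "READ")],
    "application": [("QUEUE", POLICY_QUEUE, "READ"), ("QUEUE", ERROR_QUEUE, "UPDATE")],
}


def racf_commands(qmgr: str, grants: Iterable[Tuple[str, str]],
                  queue_class: str = "MQQUEUE",
                  existing_profiles: Iterable[str] = ()) -> List[str]:
    """Return RDEFINE/PERMIT commands for (username, role) pairs on queue manager
    or queue-sharing group ``qmgr``.

    ``existing_profiles`` holds 'CLASS:PROFILE' keys (assumed format) for
    profiles that already exist, for which no RDEFINE is needed.
    """
    if queue_class not in QUEUE_CLASSES:
        raise ValueError(f"unknown queue class {queue_class}")
    # (class, profile, id) -> highest access required across all requested roles.
    needed: Dict[Tuple[str, str, str], str] = {}
    for username, role in grants:
        for cls, resource, access in ROLE_REQUIREMENTS[role]:
            cls = queue_class if cls == "QUEUE" else cls
            key = (cls, f"{qmgr}.{resource}", username)
            current = needed.get(key, "NONE")
            if ACCESS_ORDER.index(access) > ACCESS_ORDER.index(current):
                needed[key] = access

    commands: List[str] = []
    defined = set(existing_profiles)
    for (cls, profile, username), access in needed.items():
        profile_key = f"{cls}:{profile}"
        if profile_key not in defined:
            commands.append(f"RDEFINE {cls} {profile} UACC(NONE)")
            defined.add(profile_key)
        commands.append(f"PERMIT {profile} CLASS({cls}) ID({username}) ACCESS({access})")
    return commands


if __name__ == "__main__":
    # Constructed sample: one CSQ0UTIL user running both commands, and one
    # application group on a queue-sharing group whose policy queue profile
    # has already been defined.
    for line in racf_commands("QM1", [("AMSUSER", "setmqspl"), ("AMSUSER", "dspmqspl")]):
        print(line)
    for line in racf_commands("QSG1", [("APPGRP", "application")],
                              existing_profiles={"MQQUEUE:QSG1.SYSTEM.PROTECTION.POLICY.QUEUE"}):
        print(line)
```

The output is the command list to paste into a TSO session or RACF command batch; review it against the topic before issuing it, in particular that the CSQ0UTIL user receives a single ACCESS(ALTER) PERMIT on the policy queue rather than an ALTER followed by a READ.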