![[z/OS]](ngzos.gif)
Application access control for the IMS bridge
Define a RACF® profile in the FACILITY class for each IMS system. Grant an appropriate level of access to the IBM® MQ queue manager user ID.
For each IMS system that the IMS bridge connects to, you can define the following RACF profile in the FACILITY class to determine how much security checking is performed for each message passed to the IMS system.
IMSXCF.xcfgname.imsxcfmname
Where xcfgname is the XCF group name and imsxcfmname is the XCF
member name for IMS. (You need to define a separate
profile for each IMS system.)
The access level you allow for the IBM MQ queue manager user ID in this profile is returned to IBM MQ when the IMS bridge connects to IMS, and indicates the level of security that is required on subsequent transactions. For subsequent transactions, IBM MQ requests the appropriate services from RACF and, where the user ID is authorized, passes the message to IMS.
OTMA does not support the IMS /SIGN command; however, IBM MQ allows you to set the access checking for each message to enable implementation of the necessary level of control.
- NONE or NO PROFILE FOUND
- These values indicate that maximum security is required, that is, authentication is required for
every transaction. A check is made to verify that the user ID specified in the
UserIdentifier field of the MQMD structure, and the password or PassTicket in the
Authenticator field of the MQIIH structure are known to RACF, and are a valid combination. A UTOKEN is created with a
password or PassTicket, and passed to IMS ; the
UTOKEN is not cached. Note: If profile hlq.NO.SUBSYS.SECURITY exists in the MQADMIN class, this level of security overrides whatever is defined in the profile.
- READ
- This value indicates that the same authentication is to be performed as for
NONE under the following circumstances:
- The first time that a specific user ID is encountered
- When the user ID has been encountered before but the cached UTOKEN was not created with a password or PassTicket
Note: If a request to reverify security has been acted on, all cached information is lost and a UTOKEN is requested the first time each user ID is later encountered. - UPDATE
- A check is made that the user ID in the UserIdentifier field of the
MQMD structure is known to RACF.
A UTOKEN is built and passed to IMS ; the UTOKEN is cached.
- CONTROL/ALTER
- These values indicate that no security UTOKENs need to be provided for any user IDs for this
IMS system. (You would probably only use this option
for development and test systems.) Attention: Note that the user ID contained in the UserIdentifier field of the MQMD structure is still passed for CONTROL/ALTER.
- This access is defined when IBM MQ connects to IMS, and lasts for the duration of the connection. To change the security level, the access to the security profile must be changed and then the bridge stopped and restarted (for example, by stopping and restarting OTMA).
- If you change the authorities in the FACILITY class, you must issue the RACF command SETROPTS RACLIST(FACILITY) REFRESH to activate the changes.
- You can use a password or a PassTicket, but you must remember that the IMS bridge does not encrypt data. For information about using PassTickets, see Using RACF PassTickets in the IMS header.
- Some of these results might be affected by security settings in IMS, using the /SECURE OTMA command.
- Cached UTOKEN information is held for the duration defined by the INTERVAL and TIMEOUT parameters of the IBM MQ ALTER SECURITY command.
- The RACF WARNING option has no effect on the IMSXCF.xcfgname.imsxcfmname profile. Its use does not affect the level of access granted, and no RACF WARNING messages are produced.