IBM Support

Security: a userid is checked when it should not be or is not checked when it should

Troubleshooting


Problem

You notice that IBM MQ for z/OS checks a userid when it should not, or does not check a userid when it should. Symptoms include message ICH408I for a security failure, or unexpected access to a queue.

Cause

This is usually a configuration problem, especially with the RESLEVEL profile. It can also happen if a security refresh is required.

Resolving The Problem

Some common solutions to the problem are:

  • Activate IBM MQ subsystem security

    - If you define a profile called qmgr.YES.SUBSYS.SECURITY (where 'qmgr' is the name of your queue manager), you get subsystem security. Additional switches further define the types of security checks to be made.
    - If you define a profile called qmgr.NO.SUBSYS.SECURITY or qsg-name.NO.SUBSYS.SECURITY (where 'qmgr' is the name of your queue manager and 'qsg-name' is the name of a queue-sharing group), there is NO subsystem security.
    - In the absence of either profile, subsystem security is ON by default.

  • Explicitly define a RESLEVEL profile

    The following quote is from the IBM MQ Knowledge Center topic Using the RESLEVEL security profile:

    "If you do not have a RESLEVEL profile defined, you must be careful that no other profile in the MQADMIN class matches hlq.RESLEVEL. For example, if you have a profile in MQADMIN called hlq.** and no hlq.RESLEVEL profile, beware of the consequences of the hlq.** profile because it is used for the RESLEVEL check.

    Define an hlq.RESLEVEL profile and set the UACC to NONE, rather than have no RESLEVEL profile at all. Have as few users or groups in the access list as possible. For details about how to audit RESLEVEL access, see Auditing considerations on z/OS."

    The IBM MQ Knowledge Center lists which userids are checked depending on the RACF access level of the RESLEVEL profile.

    A summary of configuring RESLEVEL is:
    - Define an hlq.RESLEVEL profile in the MQADMIN class. 'hlq' refers to the queue manager subsystem id or the QSG (queue-sharing group) name.
    - Restrict ALL users to the resource. For example, assume the queue manager name is QM66 and issue this command (RACF example given here):
      RDEFINE MQADMIN QM66.RESLEVEL UACC(NONE)
      This defines a UACC (universal access) of NONE, which means everybody is restricted.
    - Allow specific users to have access, for example:
      PERMIT QM66.RESLEVEL CLASS(MQADMIN) ID(WS21B) ACCESS(CONTROL)
      PERMIT QM66.RESLEVEL CLASS(MQADMIN) ID(CICSWXN) ACCESS(UPDATE)
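    The following is an added example, not code from the technote or from IBM MQ, showing why the Knowledge Center warns about a generic hlq.** profile: it models (in simplified form) how RACF picks the most specific matching profile, then audits what covers QM66.RESLEVEL before and after the RDEFINE and PERMIT commands above. The profiles, UACC values and userids OPERATOR, WS21B and CICSWXN are constructed for illustration.

```python
# Added example, not from the IBM technote: a simplified model of RACF
# profile matching, used to audit what covers hlq.RESLEVEL. Profile names,
# UACCs and userids (QM66, WS21B, CICSWXN, OPERATOR) are constructed.
import re

def _pattern(profile):
    # '**' spans qualifiers, '*' matches within one qualifier, '%' one char
    # (simplified; it does not reproduce every RACF generic-naming rule).
    out, i = "", 0
    while i < len(profile):
        if profile.startswith("**", i):
            out, i = out + ".*", i + 2
        elif profile[i] in "*%":
            out, i = out + ("[^.]*" if profile[i] == "*" else "[^.]"), i + 1
        else:
            out, i = out + re.escape(profile[i]), i + 1
    return re.compile("^" + out + "$")

def best_profile(profiles, resource):
    # Most specific covering profile: discrete beats generic, then most literals.
    matches = [p for p in profiles if _pattern(p).match(resource)]
    return max(matches, key=lambda p: (not any(c in p for c in "*%"),
               sum(c not in "*%" for c in p))) if matches else None

def access_for(profiles, resource, userid):
    # (covering profile, level): explicit PERMIT entry, else the profile's UACC.
    p = best_profile(profiles, resource)
    if p is None:
        return None, "NONE"
    return p, profiles[p]["acl"].get(userid, profiles[p]["uacc"])

def reslevel_findings(profiles, hlq):
    # Checks from the technote: explicit hlq.RESLEVEL, UACC(NONE), short ACL.
    res, findings = hlq + ".RESLEVEL", []
    p = best_profile(profiles, res)
    if p != res:
        findings.append("no explicit %s profile; covered by %s" % (res, p))
    if p is None:
        return findings
    if profiles[p]["uacc"] != "NONE":
        findings.append("%s has UACC(%s), not NONE" % (p, profiles[p]["uacc"]))
    for uid, lvl in sorted(profiles[p]["acl"].items()):
        findings.append("%s has %s access via %s" % (uid, lvl, p))
    return findings

# Before: only a broad generic profile exists, so it covers RESLEVEL too.
BEFORE = {"QM66.**": {"uacc": "READ", "acl": {"OPERATOR": "CONTROL"}}}
# After: RDEFINE MQADMIN QM66.RESLEVEL UACC(NONE) plus the two PERMITs.
AFTER = dict(BEFORE, **{"QM66.RESLEVEL": {"uacc": "NONE",
             "acl": {"WS21B": "CONTROL", "CICSWXN": "UPDATE"}}})
```

    Running reslevel_findings(BEFORE, "QM66") reports that QM66.** is what RACF consults for the RESLEVEL check, with READ for everyone and CONTROL for OPERATOR; after the explicit profile is defined only the two permitted userids are listed.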

  • Refresh security when profile changes are made

    The following quote is from the IBM MQ Knowledge Center topic Refreshing queue manager security:

    "Whenever you add, change or delete a RACF resource profile that is held in the MQADMIN, MXADMIN, MQPROC, MXPROC, MQQUEUE, MXQUEUE, MQNLIST, MXNLIST, or MXTOPIC class, you must tell the queue managers that use this class to refresh the security information that they hold. To do this, issue the following two commands:

    - The RACF SETROPTS RACLIST(classname) REFRESH command to refresh at the RACF level.
    - The IBM MQ REFRESH SECURITY command to refresh the security information held by the queue manager. This command needs to be issued by each queue manager that accesses the profiles that have changed. If you have a queue-sharing group, you can use the command scope attribute to direct the command to all the queue managers in the group."

    This section in the manual also contains details of when security information is cached.

  • Pick up changes to the RESLEVEL profile

    If you make any changes to the RESLEVEL profile, users must disconnect and connect again before the change takes effect. This includes stopping and restarting the channel initiator if the access that the distributed queuing address space user ID has to the RESLEVEL profile is changed.

  • Use the correct profile type

    See Profiles used to control access to IBM MQ resources. For instance, hlq.queuename provides queue security to control access to a queue for MQOPEN or MQPUT1. hlq.QUEUE.queue is the command resource profile to control MQCMDS access to the queue, for example to ALTER the definition.

  • See further suggestions at What to do if access is allowed or disallowed incorrectly.

    Review all z/OS sections in the Security topic in the Knowledge Center, and see the IBM Redbooks publications WebSphere MQ Security in an Enterprise Environment and Secure Messaging Scenarios with WebSphere MQ for complete configuration instructions.


Document Information

Modified date: 15 June 2018

UID: swg21174888