Question & Answer
Question
How does security work on i5/OS for Omegamon XE for Messaging agents (MQ monitoring and configuration agents)?
Answer
User profile:
There are two types of users involved in the messaging product:
· The user profile used to manage the agents, i.e. to execute commands such as WRKOMAMQ and "GO OMAMC" via PCOM to configure, start and stop the agents. In this document we call it MSGADM (it may be any other user ID); this ID is not created during installation.
This user ID is used here only to explain the minimum authority required to run the messaging product.
If this user already has the *ALLOBJ special authority, the object-authority grants described below are not needed. This user also needs the *JOBCTL (job control) special authority to manage the messaging subsystems.
· The internal user ID that is used ONLY by the product, i.e. by the MQ monitoring agent (KMQ) and the MQ configuration agent (KMC). Because the KMQ/KMC user profiles are for product-internal use only, they are created without a password, which prevents anyone from signing on as KMQ/KMC. Their initial menu is set to *SIGNOFF, so that if a password is ever assigned and someone signs on as KMQ/KMC, the default action is to sign off immediately. KMQ/KMC can be given the WebSphere MQ group profile QMQMADM for WebSphere MQ related operations.

Authorities:
Special Authorities
*JOBCTL Job control authority is needed for both the KMQ/KMC and MSGADM profiles, as it is used to start and stop the messaging subsystems.
The following special authorities are used when processing Take Action requests from the TEP, which invoke the related system commands (applies to KMQ only). Without them the corresponding system command fails when run via Take Action (e.g. STRSST fails if the KMQ user profile does not have *SERVICE authority). They are therefore optional if you do not need the related system commands for user-defined situation Take Actions.
*SPLCTL Spool control authority
*AUDIT Auditing authority
*SAVSYS Save system authority
*SERVICE Service authority
Object Authorities
· KMQ
Both the KMQ and MSGADM profiles need full authority on the libraries KMQLIB and KMQTMP, as these libraries hold the product objects and the configuration objects:
*ALL authority for library KMQLIB: KMQLIB holds the objects of KMQ.
*ALL authority for library KMQTMP: KMQTMP holds the configuration files and trace files.
*USE authority for user profile KMQ: WRKOMAMQ related commands will use the KMQ user profile to submit jobs.
GRTOBJAUT OBJ(KMQLIB/*ALL) OBJTYPE(*ALL) USER(MSGADM) AUT(*ALL)
GRTOBJAUT OBJ(KMQTMP/*ALL) OBJTYPE(*ALL) USER(MSGADM) AUT(*ALL)
GRTOBJAUT OBJ(*LIBL/KMQ) OBJTYPE(*USRPRF) USER(MSGADM) AUT(*USE)
GRTOBJAUT OBJ(QSYS/KMQLIB) OBJTYPE(*LIB) USER(MSGADM) AUT(*ALL)
GRTOBJAUT OBJ(QSYS/KMQTMP) OBJTYPE(*LIB) USER(MSGADM) AUT(*ALL)
· KMC
Both the KMC and MSGADM profiles need full authority on the libraries KMCLIB and KMCTMP, as these libraries hold the product objects and the configuration objects:
*ALL authority for library KMCLIB: KMCLIB holds the objects of KMC.
*ALL authority for library KMCTMP: KMCTMP holds the configuration files and trace files.
*USE authority for user profile KMC: GO OMAMC related commands will use the KMC user profile to submit jobs.
GRTOBJAUT OBJ(QSYS/KMC) OBJTYPE(*ALL) USER(KMC) AUT(*ALL)
GRTOBJAUT OBJ(KMCLIB/*ALL) OBJTYPE(*ALL) USER(KMC) AUT(*ALL)
GRTOBJAUT OBJ(KMCTMP/*ALL) OBJTYPE(*ALL) USER(KMC) AUT(*ALL)
GRTOBJAUT OBJ(QSYS/KMCLIB) OBJTYPE(*LIB) USER(KMC) AUT(*ALL)
GRTOBJAUT OBJ(QSYS/KMCTMP) OBJTYPE(*LIB) USER(KMC) AUT(*ALL)
GRTOBJAUT OBJ(KMCLIB/*ALL) OBJTYPE(*ALL) USER(MSGADM) AUT(*ALL)
GRTOBJAUT OBJ(KMCTMP/*ALL) OBJTYPE(*ALL) USER(MSGADM) AUT(*ALL)
GRTOBJAUT OBJ(*LIBL/KMC) OBJTYPE(*USRPRF) USER(MSGADM) AUT(*USE)
GRTOBJAUT OBJ(QSYS/KMCLIB) OBJTYPE(*LIB) USER(MSGADM) AUT(*ALL)
GRTOBJAUT OBJ(QSYS/KMCTMP) OBJTYPE(*LIB) USER(MSGADM) AUT(*ALL)
GRTOBJAUT OBJ(*LIBL/CFGOMAMC) OBJTYPE(*ALL) USER(MSGADM) AUT(*ALL)
GRTOBJAUT OBJ(*LIBL/STROMAMC) OBJTYPE(*ALL) USER(MSGADM) AUT(*ALL)
GRTOBJAUT OBJ(*LIBL/ENDOMAMC) OBJTYPE(*ALL) USER(MSGADM) AUT(*ALL)
GRTOBJAUT OBJ(*LIBL/DSPMCLOG) OBJTYPE(*ALL) USER(MSGADM) AUT(*ALL)
Note: Different versions of i5/OS might have some minor differences on those commands mentioned above.
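As an added example (it is not part of this technote and not the product's own installation code), the following CL program creates the internal KMQ profile with the attributes described under "User profile" and applies the KMQ-related grants in one place, so the whole least-privilege setup can be reviewed as a unit. The program name SETKMQAUT, the library MSGLIB and the &ADMIN parameter are assumptions; the program also assumes that KMQLIB and KMQTMP already exist, that the QMQMADM group profile exists (WebSphere MQ installed), and that the caller has *SECADM and *ALLOBJ (or owns the objects). User profiles are addressed as QSYS/KMQ rather than *LIBL/KMQ; both resolve to the same object.

```cl
/* SETKMQAUT: added example, not from the technote.                       */
/* Creates the internal KMQ profile as the answer describes and grants    */
/* the administrative profile (&ADMIN, e.g. MSGADM) the KMQ authorities.  */
/* Assumes KMQLIB and KMQTMP already exist, QMQMADM exists, and that the  */
/* caller has *SECADM and *ALLOBJ (or owns the objects).                  */
             PGM        PARM(&ADMIN)
             DCL        VAR(&ADMIN) TYPE(*CHAR) LEN(10)

/* 1. Internal profile: no password, signs off at once if it ever gets    */
/*    one, *JOBCTL for the messaging subsystems, QMQMADM group for MQ.    */
             CRTUSRPRF  USRPRF(KMQ) PASSWORD(*NONE) INLMNU(*SIGNOFF) +
                          SPCAUT(*JOBCTL) GRPPRF(QMQMADM) +
                          TEXT('OMEGAMON MQ monitoring agent (internal)')
             MONMSG     MSGID(CPF2214) EXEC(DO) /* already exists: realign */
               CHGUSRPRF  USRPRF(KMQ) PASSWORD(*NONE) INLMNU(*SIGNOFF) +
                            SPCAUT(*JOBCTL) GRPPRF(QMQMADM)
             ENDDO

/* 2. KMQ itself needs *ALL on its libraries and on their contents.       */
             GRTOBJAUT  OBJ(QSYS/KMQLIB) OBJTYPE(*LIB) USER(KMQ) AUT(*ALL)
             GRTOBJAUT  OBJ(QSYS/KMQTMP) OBJTYPE(*LIB) USER(KMQ) AUT(*ALL)
             GRTOBJAUT  OBJ(KMQLIB/*ALL) OBJTYPE(*ALL) USER(KMQ) AUT(*ALL)
             GRTOBJAUT  OBJ(KMQTMP/*ALL) OBJTYPE(*ALL) USER(KMQ) AUT(*ALL)

/* 3. The administrative profile gets the same library authority plus     */
/*    *USE on the KMQ profile, which WRKOMAMQ needs to submit jobs.       */
             GRTOBJAUT  OBJ(QSYS/KMQLIB) OBJTYPE(*LIB) USER(&ADMIN) AUT(*ALL)
             GRTOBJAUT  OBJ(QSYS/KMQTMP) OBJTYPE(*LIB) USER(&ADMIN) AUT(*ALL)
             GRTOBJAUT  OBJ(KMQLIB/*ALL) OBJTYPE(*ALL) USER(&ADMIN) AUT(*ALL)
             GRTOBJAUT  OBJ(KMQTMP/*ALL) OBJTYPE(*ALL) USER(&ADMIN) AUT(*ALL)
             GRTOBJAUT  OBJ(QSYS/KMQ) OBJTYPE(*USRPRF) USER(&ADMIN) AUT(*USE)

/* 4. Leave a printed record of the resulting profile and authorities     */
/*    for review (check that no password is set and the menu is *SIGNOFF).*/
             DSPUSRPRF  USRPRF(KMQ) OUTPUT(*PRINT)
             DSPOBJAUT  OBJ(QSYS/KMQLIB) OBJTYPE(*LIB) OUTPUT(*PRINT)
             DSPOBJAUT  OBJ(QSYS/KMQTMP) OBJTYPE(*LIB) OUTPUT(*PRINT)
             ENDPGM
```

Compile with CRTBNDCL and run as CALL PGM(MSGLIB/SETKMQAUT) PARM('MSGADM'). The same pattern applies to KMC with KMCLIB, KMCTMP and the GO OMAMC commands listed above. Note that the grants on KMQLIB/*ALL and KMQTMP/*ALL cover only the objects present at the time they are run; objects created later in those libraries receive the library's CRTAUT default, so re-run the grants (or set CRTAUT appropriately) after the product creates new configuration or trace objects.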
Document Information
Modified date:
17 June 2018
UID
swg21598660