Setting up the security environment for IBM® MQ

File Manager provides security features to secure access to MQ resources when using File Manager functions.

These features work in conjunction with IBM® MQ security, not as a replacement. If access is not restricted by File Manager, it may still be restricted by IBM® MQ security. Similarly, if access is not restricted by IBM® MQ security, it may still be restricted by File Manager security. File Manager security features for MQ are only applicable when accessing MQ resources using File Manager.

File Manager security for MQ is applicable to the user attempting to use a File Manager function that accesses an MQ resource. By default, File Manager does not secure access to MQ resources.

Activating security for a queue manager

To secure a queue manager, you must define a security resource indicating that security is required for a nominated queue manager on a given sysplex.

The security resource takes the form FMNMQ.SECURITY.sysplex.qmgr and must be defined to the FACILITY class. For example:
RDEFINE FACILITY FMNMQ.SECURITY.SYSPLEXD.CSQ1 UACC(READ)

Granting READ access to a user indicates that File Manager security is applicable to that user for the nominated queue manager on the nominated sysplex. If no access is granted, security is not active. When security is active, users must be granted further access to resources to access the queue manager’s attributes and queues. If security is not active for a queue manager, File Manager permissions related to the queue manager do not apply.

Securing queue manager resources

When security is active for a queue manager, a user cannot access any of a queue manager’s resources unless the user has at least READ access to a security resource of the form FMNMQ.sysplex.qmgr defined to the XFACILIT class.

For example:
RDEFINE XFACILIT FMNMQ.SYSPLEXD.CSQ1 UACC(NONE)
PERMIT FMNMQ.SYSPLEXD.CSQ1 CLASS(XFACILIT) ID(JOHND) ACCESS(READ)
Granting READ access to a user allows the user to list the queue manager’s attributes, its queues, and its queues’ attributes. To alter a queue manager’s attributes, a user must have ALTER authority. ALTER authority also allows a user to modify the queue manager’s queue attributes, delete existing queues, and create new queues. For example:
PERMIT FMNMQ.SYSPLEXD.CSQ1 CLASS(XFACILIT) ID(JOHND) ACCESS(ALTER)

Securing queue messages

When security is active for a queue manager, a user cannot access a queue’s messages unless the user has at least READ access to a security resource of the form FMNMQ.sysplex.qmgr.queue defined to the XFACILIT class.

For example:
RDEFINE XFACILIT FMNMQ.SYSPLEXD.CSQ1.* UACC(NONE)
PERMIT FMNMQ.SYSPLEXD.CSQ1.* CLASS(XFACILIT) ID(JOHND) ACCESS(READ)
Granting READ access to a user allows the user to browse messages on the queue. To edit, insert, delete, or destructively get messages on a queue, a user must have at least UPDATE authority. For example:
PERMIT FMNMQ.SYSPLEXD.CSQ1.* CLASS(XFACILIT) ID(JOHND) ACCESS(UPDATE)

UPDATE authority also allows a user to reset or clear a queue’s messages.

Securing File Manager commands

When security is active for a queue manager, a user must have appropriate access to target MQ resources pertinent to the File Manager command being executed.

There is a range of commands that can affect IBM® MQ resources. In each case the following security resource definitions and permissions are required:

  • When a command reads a queue manager’s attributes or its queues’ attributes, the requesting user must have READ authority to resource FMNMQ.sysplex.qmgr in the XFACILIT class for the queue manager being read.
  • When a command alters a queue manager’s attributes or defines a queue, the requesting user must have ALTER authority to resource FMNMQ.sysplex.qmgr in the XFACILIT class for the queue manager being modified.
  • When a command reads message data, the requesting user must have READ authority to resource FMNMQ.sysplex.qmgr.queue in the XFACILIT class for the queue being read.
  • When a command updates message data, the requesting user must have UPDATE authority to resource FMNMQ.sysplex.qmgr.queue in the XFACILIT class for the queue being updated.
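The checks described in the preceding sections (the FACILITY activation gate, the XFACILIT queue-manager and queue profiles, and the access level each command needs) can be modelled to review what a given set of profiles actually lets a user do. This is an added example, not IBM code: the profiles, user IDs, queue names and the simplified wildcard matching are constructed for illustration and do not reproduce RACF's full generic-profile rules.

```python
# Simplified model of File Manager's MQ authorization checks (added example, not IBM code).
# Wildcard matching uses fnmatch, which is a simplification of RACF generic profiles.
from fnmatch import fnmatchcase

# RACF access levels in ascending order
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Constructed sample profiles: (class, profile, {user: access}, UACC)
PROFILES = [
    ("FACILITY", "FMNMQ.SECURITY.SYSPLEXD.CSQ1", {"JOHND": "READ", "OPER1": "READ"}, "NONE"),
    ("XFACILIT", "FMNMQ.SYSPLEXD.CSQ1", {"JOHND": "READ", "OPER1": "ALTER"}, "NONE"),
    ("XFACILIT", "FMNMQ.SYSPLEXD.CSQ1.*", {"JOHND": "READ", "OPER1": "UPDATE"}, "NONE"),
]

def access(user, cls, resource):
    """Access the user holds on the most specific matching profile, else NONE."""
    matches = [p for p in PROFILES if p[0] == cls and fnmatchcase(resource, p[1])]
    if not matches:
        return "NONE"
    best = max(matches, key=lambda p: len(p[1].replace("*", "")))  # most specific wins
    return best[2].get(user, best[3])  # explicit permit, otherwise UACC

def has(user, cls, resource, needed):
    return LEVELS[access(user, cls, resource)] >= LEVELS[needed]

# Access each File Manager operation needs, per the sections above
OPS = {
    "list_qmgr": ("qmgr", "READ"), "alter_qmgr": ("qmgr", "ALTER"),
    "define_queue": ("qmgr", "ALTER"),
    "browse": ("queue", "READ"), "edit": ("queue", "UPDATE"), "clear": ("queue", "UPDATE"),
}

def allowed(user, sysplex, qmgr, op, queue=None):
    """True if File Manager security permits the operation (MQ security may still deny it)."""
    # Gate: File Manager security is active only if the user has READ on the FACILITY profile
    if not has(user, "FACILITY", f"FMNMQ.SECURITY.{sysplex}.{qmgr}", "READ"):
        return True  # not active: File Manager imposes no restriction of its own
    scope, level = OPS[op]
    res = f"FMNMQ.{sysplex}.{qmgr}" + (f".{queue}" if scope == "queue" else "")
    return has(user, "XFACILIT", res, level)
```

Running it against the sample profiles shows JOHND can browse but not clear a queue, OPER1 can do both, and a user with no READ on the FACILITY profile is not restricted by File Manager at all.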

Securing message context

File Manager uses MQ security controls to edit messages and message context.

When a File Manager session is started, File Manager checks whether the user has CONTROL access to the qmgr.CONTEXT.queue resource in the MQADMIN class. For some External Security Managers, this check might require certain permissions. When a message is updated, the MQ message context is preserved if the user has CONTROL access to the qmgr.CONTEXT.queue resource in the MQADMIN class. If not, the message context is replaced with a default message context, in accordance with normal MQ operation.