Setting up the security environment for IBM® MQ
File Manager provides security features to secure access to MQ resources when using File Manager functions.
These features work in conjunction with IBM® MQ security, not as a replacement. If access is not restricted by File Manager, it may still be restricted by IBM® MQ security. Similarly, if access is not restricted by IBM® MQ security, it may still be restricted by File Manager security. File Manager security features for MQ are only applicable when accessing MQ resources using File Manager.
File Manager security for MQ is applicable to the user attempting to use a File Manager function that accesses an MQ resource. By default, File Manager does not secure access to MQ resources.
Activating security for a queue manager
To secure a queue manager, you must define a security resource indicating that security is required for a nominated queue manager on a given sysplex.
RDEFINE FACILITY FMNMQ.SECURITY.SYSPLEXD.CSQ1 UACC(READ)
Granting READ access to a user indicates that File Manager security is applicable to that user for the nominated queue manager on the nominated sysplex. If no access is granted, security is not active. When security is active, users must be granted further access to resources to access the queue manager’s attributes and queues. If security is not active for a queue manager, File Manager permissions related to the queue manager do not apply.
Securing queue manager resources
When security is active for a queue manager, a user cannot access any of a queue manager’s resources unless the user has at least READ access to a security resource of the form FMNMQ.sysplex.qmgr defined to the XFACILIT class.
RDEFINE XFACILIT FMNMQ.SYSPLEXD.CSQ1 UACC(NONE)
PERMIT FMNMQ.SYSPLEXD.CSQ1 CLASS(XFACILIT) ID(JOHND) ACCESS(READ)
PERMIT FMNMQ.SYSPLEXD.CSQ1 CLASS(XFACILIT) ID(JOHND) ACCESS(ALTER) ALTER
Securing queue messages
When security is active for a queue manager, a user cannot access a queue’s messages unless the user has at least READ access to a security resource of the form FMNMQ.sysplex.qmgr.queue defined to the XFACILIT class.
RDEFINE XFACILIT FMNMQ.SYSPLEXD.CSQ1.* UACC(NONE)
PERMIT FMNMQ.SYSPLEXD.CSQ1.* CLASS(XFACILIT) ID(JOHND) ACCESS(READ)
PERMIT FMNMQ.SYSPLEXD.CSQ1.* CLASS(XFACILIT) ID(JOHND) ACCESS(UPDATE)
UPDATE authority also allows a user to reset or clear a queue’s messages.
Securing File Manager commands
When security is active for a queue manager, a user must have appropriate access to target MQ resources pertinent to the File Manager command being executed.
There is a range of commands that can affect IBM® MQ resources. In each case the following security resource definitions and permissions are required:
- When a command reads a queue manager’s attributes or its queue’s attributes, the requesting user must have READ authority to resource FMNMQ.sysplex.qmgr in the XFACILIT class for the queue manager being read.
- When a command alters a queue manager’s attributes or defines a queue, the requesting user must have ALTER authority to resource FMNMQ.sysplex.qmgr in the XFACILIT class for the queue manager being modified.
- When a command reads message data, the requesting user must have READ authority to resource FMNMQ.sysplex.qmgr.queue in the XFACILIT class for the queue being read.
- When a command updates message data, the requesting user must have UPDATE authority to resource FMNMQ.sysplex.qmgr.queue in the XFACILIT class for the queue being updated.
Securing message context
File Manager uses MQ security controls to edit messages and message context.
When a File Manager session is started, File Manager checks if the user has CONTROL access to the qmgr.CONTEXT.queue resource in the MQADMIN class. For some External Security Managers, this check might require certain permissions. When a message is updated, the MQ message context is preserved if the user has CONTROL access to the qmgr.CONTEXT.queue resource in the MQADMIN class. If not, the message context is replaced with a default message context in accordance with the MQ normal operation.