Security settings for MQ agent resources on z/OS

If security is enabled for your queue manager or queue sharing group, you must set up security for the Rational® Integration Tester MQ agent resources and give user IDs access to the Rational® Integration Tester intercept queue.

Note: As of version 9.2.0, Rational® Integration Tester uses queues that are named COM.GREENHAT.INTERCEPT_LCK, COM.GREENHAT.INTERCEPT.<QMGR>_LCK, RIT.DIVERT.RULES_LCK, and RIT.DIVERT.RULES.<QMGR>_LCK. Rational® Integration Tester V9.2.0 attempts to create these queues automatically when they are first accessed. If you do not allow Rational® Integration Tester to create queues, then you must predefine these queues. The jobs within the RIT.PROC dataset contain sample statements for creating the required security profiles to allow Rational® Integration Tester to create the queues. The RITDEFN job contains commands for creating the queues manually, if you prefer to predefine them.
As of version 9.5.0, Rational® Integration Tester also requires the following namelists and queue to be defined:
  • Namelists
    • COM.GREENHAT.EXIT.INTERCEPT
    • COM.GREENHAT.EXIT.DIVERT1
    • COM.GREENHAT.EXIT.DIVERT2
  • Queue
    • COM.GREENHAT.ALLOW.GENERIC.QNAMES

These resources are not created automatically by the MQ agent and must be created by the WebSphere® MQ administrator before starting the MQ agent. The RITDEFN job contains commands for creating these objects. RIT users need READ access to COM.GREENHAT.ALLOW.GENERIC.QNAMES in order to record transports, or to use wildcards in the names of queues to be recorded.

Security settings for a single queue manager

Use the following definitions for the security settings of the various classes when the queue manager is not part of a queue sharing group. Substitute MQPG with the name of the queue manager.
Class Resource RIT Job Userid CHINIT RIT User Application Userid
MQADMIN MQPG.NAMELIST.COM.GREENHAT.INTERCEPT ALTER ALTER
MQPG.NAMELIST.COM.GREENHAT.INTERCEPT_LCK ALTER
MQPG.NAMELIST.COM.GREENHAT.EXIT.INTERCEPT ALTER
MQPG.NAMELIST.COM.GREENHAT.EXIT.DIVERT1 ALTER
MQPG.NAMELIST.COM.GREENHAT.EXIT.DIVERT2 ALTER
MQPG.NAMELIST.RIT.DIVERT.RULES ALTER ALTER
MQPG.NAMELIST.RIT.DIVERT.RULES_LCK ALTER ALTER
MQPG.NAMELIST.RIT.** ALTER
MQPG.QUEUE.COM.GREENHAT.INTERCEPT_LCK ALTER ALTER
MQPG.QUEUE.RIT.DIVERT.RULES_LCK ALTER ALTER
MQPG.CONTEXT.application.queuename CONTROL CONTROL
MQPG.CONTEXT.** ALTER
MQNLIST MQPG.COM.GREENHAT.INTERCEPT ALTER ALTER
MQPG.COM.GREENHAT.INTERCEPT_LCK ALTER ALTER
MQPG.COM.GREENHAT.EXIT.INTERCEPT ALTER
MQPG.COM.GREENHAT.EXIT.DIVERT1 ALTER
MQPG.COM.GREENHAT.EXIT.DIVERT2 ALTER
MQPG.RIT.DIVERT.RULES ALTER ALTER
MQPG.RIT.DIVERT.RULES_LCK ALTER ALTER
MQPG.RIT.DIVERTRULE.** ALTER
MQCMDS MQPG.ALTER.NAMELIST ALTER
MQPG.DEFINE.NAMELIST ALTER ALTER
MQPG.DELETE.NAMELIST ALTER
MQPG.DISPLAY.NAMELIST READ READ
MQPG.DISPLAY.QMGR READ READ
MQPG.DISPLAY.QUEUE READ
MQPG.DISPLAY.SECURITY READ
MQPG.DEFINE.QUEUE ALTER
MQPG.DEFINE.QLOCAL ALTER
MQPG.DELETE.QUEUE (required for mirror queue recording) ALTER
MQPG.CSQ.** UPDATE
MQQUEUE MQPG.COM.GREENHAT.COMMAND.QUEUE ALTER ALTER ALTER
MQPG.CSQ.** UPDATE
MQPG.SYSTEM.COMMAND.INPUT UPDATE UPDATE UPDATE
MQPG.SYSTEM.COMMAND.REPLY.MODEL UPDATE UPDATE
MQPG.SYSTEM.DEFAULT.MODEL.QUEUE ALTER UPDATE
MQPG.AMQ.** ALTER ALTER ALTER
MQPG.COM.GREENHAT.INTERCEPT_LCK ALTER UPDATE
MQPG.RIT.DIVERT.RULES_LCK ALTER UPDATE
MQPG.COM.GREENHAT.ALLOW.GENERIC.QNAMES is required for transport recording, or when specifying wildcards within the name of the queue to record. READ
MQPG.APPQUEUE, where APPQUEUE is either a generic or discrete string that identifies the queue to be recorded or stubbed. READ

READ (recording)

UPDATE (stubbing)

MQCONN MQPG.BATCH READ READ

Security settings for a Queue Sharing Group

Use the following definitions for the security settings of the various classes when the queue manager is part of a queue sharing group. Substitute MQPG with either the name of the queue sharing group or the name of the queue manager depending on whether your site defines MQ security at the queue manager level or at the group level.
Note: Each queue manager must have permission to access each of the Rational® Integration Tester namelists and queues. For example, if the queue sharing group is made up of queue managers named QMGA, QMGB, and QMGC, Rational® Integration Tester uses the following namelists and queues:
Object Name                       Object Type   QSGDISP
COM.GREENHAT.INTERCEPT.QMGA       Namelist      GROUP
COM.GREENHAT.INTERCEPT.QMGB       Namelist      GROUP
COM.GREENHAT.INTERCEPT.QMGC       Namelist      GROUP
RIT.DIVERT.RULES.QMGA             Namelist      GROUP
RIT.DIVERT.RULES.QMGB             Namelist      GROUP
RIT.DIVERT.RULES.QMGC             Namelist      GROUP
COM.GREENHAT.COMMAND.QUEUE.QMGA   Queue         SHARED
COM.GREENHAT.COMMAND.QUEUE.QMGB   Queue         SHARED
COM.GREENHAT.COMMAND.QUEUE.QMGC   Queue         SHARED
COM.GREENHAT.INTERCEPT_LCK        Queue         SHARED
COM.GREENHAT.INTERCEPT.QMGA_LCK   Queue         SHARED
COM.GREENHAT.INTERCEPT.QMGB_LCK   Queue         SHARED
COM.GREENHAT.INTERCEPT.QMGC_LCK   Queue         SHARED
RIT.DIVERT.RULES.QMGA_LCK         Queue         SHARED
RIT.DIVERT.RULES.QMGB_LCK         Queue         SHARED
RIT.DIVERT.RULES.QMGC_LCK         Queue         SHARED
Define the MQADMIN, MQNLIST, MQCMDS, and MQQUEUE profiles and accesses as listed in the following table to make them accessible from all three queue managers:
Class Resource Integration Tester agent Job/Started Task Userid CHINIT Integration Tester User Application Userid
MQADMIN MQPG.NAMELIST.COM.GREENHAT.INTERCEPT.QQQQ where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, an intercept namelist is required for each queue manager. ALTER access to the intercept namelist for the QMGR associated with the job ALTER access to the intercept namelists for all queue managers
MQPG.NAMELIST.COM.GREENHAT.INTERCEPT_LCK ALTER
MQPG.NAMELIST.COM.GREENHAT.EXIT.INTERCEPT ALTER
MQPG.NAMELIST.COM.GREENHAT.EXIT.DIVERT1 ALTER
MQPG.NAMELIST.COM.GREENHAT.EXIT.DIVERT2 ALTER
MQPG.NAMELIST.RIT.DIVERT.RULES.QQQQ where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, a divert namelist is required for each queue manager. ALTER access to the divert namelist for the QMGR associated with the job ALTER access to the divert namelists for all queue managers
MQPG.NAMELIST.RIT.DIVERT.RULES_LCK ALTER ALTER
MQPG.NAMELIST.RIT.** ALTER
MQPG.QUEUE.COM.GREENHAT.INTERCEPT_LCK ALTER
MQPG.QUEUE.COM.GREENHAT.INTERCEPT.QQQQ_LCK, where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, an intercept locking queue may be required for each queue manager. ALTER
MQPG.QUEUE.RIT.DIVERT.RULES.QQQQ_LCK, where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, a divert locking queue is required for each queue manager. ALTER
MQPG.CONTEXT.application.queuename CONTROL CONTROL
MQPG.CONTEXT.** ALTER
MQNLIST MQPG.COM.GREENHAT.INTERCEPT.QQQQ where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, an intercept namelist is required for each queue manager. ALTER access to the intercept namelist for the QMGR associated with the job ALTER access to the intercept namelists for all queue managers
MQPG.COM.GREENHAT.EXIT.INTERCEPT ALTER
MQPG.COM.GREENHAT.EXIT.DIVERT1 ALTER
MQPG.COM.GREENHAT.EXIT.DIVERT2 ALTER
MQPG.COM.GREENHAT.INTERCEPT_LCK ALTER ALTER
MQPG.RIT.DIVERT.RULES.QQQQ where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, a divert namelist is required for each queue manager. ALTER access to the divert namelist for the QMGR associated with the job ALTER access to the divert namelists for all queue managers
MQPG.RIT.DIVERT.RULES_LCK ALTER ALTER
MQPG.RIT.DIVERTRULE.** ALTER
MQCMDS MQPG.ALTER.NAMELIST ALTER
MQPG.DEFINE.NAMELIST ALTER ALTER
MQPG.DELETE.NAMELIST ALTER
MQPG.DISPLAY.GROUP READ
MQPG.DISPLAY.NAMELIST READ READ
MQPG.DISPLAY.QMGR READ READ
MQPG.DISPLAY.QUEUE READ
MQPG.DISPLAY.SECURITY READ
MQPG.CSQ.** UPDATE
MQPG.DEFINE.QUEUE ALTER
MQPG.DEFINE.QLOCAL ALTER
MQPG.DELETE.QUEUE (required for mirror queue recording) ALTER

MQQUEUE

MQPG.COM.GREENHAT.COMMAND.QUEUE.QQQQ where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, a command queue is required for each queue manager. ALTER access to the command queue for the QMGR associated with the job ALTER ALTER access to the command queues for all queue managers
MQPG.CSQ.** UPDATE
MQPG.SYSTEM.COMMAND.INPUT UPDATE UPDATE UPDATE
MQPG.SYSTEM.COMMAND.REPLY.MODEL UPDATE UPDATE
MQPG.SYSTEM.DEFAULT.MODEL.QUEUE ALTER UPDATE
MQPG.AMQ.** ALTER ALTER ALTER
MQPG.COM.GREENHAT.INTERCEPT_LCK UPDATE
MQPG.COM.GREENHAT.INTERCEPT.QQQQ_LCK, where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, an intercept locking queue may be required for each queue manager. UPDATE
MQPG.RIT.DIVERT.RULES.QQQQ_LCK, where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, a divert locking queue is required for each queue manager. UPDATE
MQPG.COM.GREENHAT.ALLOW.GENERIC.QNAMES is required for transport recording, or when specifying wildcards within the name of the queue to record. READ
MQPG.APPQUEUE, where APPQUEUE is either a generic or discrete string that identifies the queue to be recorded or stubbed. READ

READ (recording)

UPDATE (stubbing)

MQCONN MQPG.BATCH READ READ
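
The per-queue-manager rows of the queue sharing group table (the QQQQ profiles) can be expanded mechanically. The following is an added example, not code from the product or from RIT.PROC. It assumes RACF is the security manager and uses hypothetical agent job user IDs (RITAGTA and so on), and it covers only the rows where the agent job needs ALTER access to the objects of its own queue manager.

```python
# Added example: not taken from RIT.PROC or any IBM-supplied job.
# Assumes RACF is the security manager; user IDs below are hypothetical.

# (class, profile template) rows of the queue sharing group table where the
# agent job gets ALTER "for the QMGR associated with the job".
PER_QMGR_ROWS = [
    ("MQADMIN", "{p}.NAMELIST.COM.GREENHAT.INTERCEPT.{q}"),
    ("MQADMIN", "{p}.NAMELIST.RIT.DIVERT.RULES.{q}"),
    ("MQNLIST", "{p}.COM.GREENHAT.INTERCEPT.{q}"),
    ("MQNLIST", "{p}.RIT.DIVERT.RULES.{q}"),
    ("MQQUEUE", "{p}.COM.GREENHAT.COMMAND.QUEUE.{q}"),
]


def agent_grants(prefix, agent_ids):
    """Return sorted (class, profile, userid, access) grants.

    prefix is the MQPG value; agent_ids maps queue manager -> agent job user ID.
    """
    grants = set()
    for qmgr, userid in agent_ids.items():
        for cls, template in PER_QMGR_ROWS:
            grants.add((cls, template.format(p=prefix, q=qmgr), userid, "ALTER"))
    return sorted(grants)


def racf_commands(grants):
    """Render RDEFINE/PERMIT statements plus one refresh per touched class."""
    lines, defined = [], set()
    for cls, profile, userid, access in grants:
        if (cls, profile) not in defined:  # define each profile only once
            lines.append(f"RDEFINE {cls} {profile} UACC(NONE)")
            defined.add((cls, profile))
        lines.append(f"PERMIT {profile} CLASS({cls}) ID({userid}) ACCESS({access})")
    for cls in sorted({g[0] for g in grants}):
        lines.append(f"SETROPTS RACLIST({cls}) REFRESH")
    return lines


def cross_qmgr_access(grants, agent_ids):
    """List grants giving an agent job ID access to another queue manager's object."""
    owner = {uid: qmgr for qmgr, uid in agent_ids.items()}
    return [g for g in grants if not g[1].endswith("." + owner.get(g[2], ""))]


if __name__ == "__main__":
    # Constructed sample: the three queue managers used in the page's example.
    ids = {"QMGA": "RITAGTA", "QMGB": "RITAGTB", "QMGC": "RITAGTC"}
    print("\n".join(racf_commands(agent_grants("MQPG", ids))))
```

Running `cross_qmgr_access` over an existing grant list shows where an agent job ID has been permitted to another queue manager's namelist or command queue, which the table does not require for that column.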