Security settings for MQ agent resources on z/OS
If security is enabled for your queue manager or queue sharing group, you must set up security for the Rational® Integration Tester MQ agent resources and give user IDs access to the Rational® Integration Tester intercept queue.
Note: As of version 9.2.0,
Rational® Integration
Tester
uses queues that are named COM.GREENHAT.INTERCEPT_LCK,
COM.GREENHAT.INTERCEPT.<QMGR>_LCK, RIT.DIVERT.RULES_LCK, and
RIT.DIVERT.RULES.<QMGR>_LCK.
Rational® Integration
Tester
9.2.0 attempts to create these queues automatically when they are first accessed. If you do
not allow
Rational® Integration
Tester
to create queues, then you must predefine these queues. The jobs within the RIT.PROC dataset
contain sample statements for creating the required security profiles to allow
Rational® Integration
Tester
to create the queues. The RITDEFN job contains commands for creating the queues manually, if
you prefer to predefine them.
As of version 9.5.0,
Rational® Integration
Tester
also requires the following namelists and queues to be defined:
- Namelists
- COM.GREENHAT.EXIT.INTERCEPT
- COM.GREENHAT.EXIT.DIVERT1
- COM.GREENHAT.EXIT.DIVERT2
- Queue
- COM.GREENHAT.ALLOW.GENERIC.QNAMES
These resources are not created automatically by the MQ agent and must be created by the WebSphere® MQ administrator before starting the MQ agent. The RITDEFN job contains commands for creating these objects. RIT users need READ access to COM.GREENHAT.ALLOW.GENERIC.QNAMES in order to record transports, or to use wild cards in the names of queues to be recorded.
Security settings for a single queue manager
Use the following definitions for the security settings of the various
classes when the queue manager is not part of a queue sharing group. Substitute MQPG with
the name of the queue manager.
| Class | Resource | RIT Job Userid | CHINIT | RIT User | Application Userid |
|---|---|---|---|---|---|
| MQADMIN | MQPG.NAMELIST.COM.GREENHAT.INTERCEPT | ALTER | ALTER | ||
| MQPG.NAMELIST.COM.GREENHAT.INTERCEPT_LCK | ALTER | ||||
| MQPG.NAMELIST.COM.GREENHAT.EXIT.INTERCEPT | ALTER | ||||
| MQPG.NAMELIST.COM.GREENHAT.EXIT.DIVERT1 | ALTER | ||||
| MQPG.NAMELIST.COM.GREENHAT.EXIT.DIVERT2 | ALTER | ||||
| MQPG.NAMELIST.RIT.DIVERT.RULES | ALTER | ALTER | |||
| MQPG.NAMELIST.RIT.DIVERT.RULES_LCK | ALTER | ALTER | |||
| MQPG.NAMELIST.RIT.** | ALTER | ||||
| MQPG.QUEUE.COM.GREENHAT.INTERCEPT_LCK | ALTER | ALTER | |||
| MQPG.QUEUE.RIT.DIVERT.RULES_LCK | ALTER | ALTER | |||
| MQPG.CONTEXT.application.queuename | CONTROL | CONTROL | |||
| MQPG.CONTEXT.** | ALTER | ||||
| MQNLIST | MQPG.COM.GREENHAT.INTERCEPT | ALTER | ALTER | ||
| MQPG.COM.GREENHAT.INTERCEPT_LCK | ALTER | ALTER | |||
| MQPG.COM.GREENHAT.EXIT.INTERCEPT | ALTER | ||||
| MQPG.COM.GREENHAT.EXIT.DIVERT1 | ALTER | ||||
| MQPG.COM.GREENHAT.EXIT.DIVERT2 | ALTER | ||||
| MQPG.RIT.DIVERT.RULES | ALTER | ALTER | |||
| MQPG.RIT.DIVERT.RULES_LCK | ALTER | ALTER | |||
| MQPG.RIT.DIVERTRULE.** | ALTER | ||||
| MQCMDS | MQPG.ALTER.NAMELIST | ALTER | |||
| MQPG.DEFINE.NAMELIST | ALTER | ALTER | |||
| MQPG.DELETE.NAMELIST | ALTER | ||||
| MQPG.DISPLAY.NAMELIST | READ | READ | |||
| MQPG.DISPLAY.QMGR | READ | READ | |||
| MQPG.DISPLAY.QUEUE | READ | ||||
| MQPG.DISPLAY.SECURITY | READ | ||||
| MQPG.DEFINE.QUEUE | ALTER | ||||
| MQPG.DEFINE.QLOCAL | ALTER | ||||
| MQPG.DELETE.QUEUE (required for mirror queue recording) | ALTER | ||||
| MQPG.CSQ.** | UPDATE | ||||
| MQQUEUE | MQPG.COM.GREENHAT.COMMAND.QUEUE | ALTER | ALTER | ALTER | |
| MQPG.CSQ.** | UPDATE | ||||
| MQPG.SYSTEM.COMMAND.INPUT | UPDATE | UPDATE | UPDATE | ||
| MQPG.SYSTEM.COMMAND.REPLY.MODEL | UPDATE | UPDATE | |||
| MQPG.SYSTEM.DEFAULT.MODEL.QUEUE | ALTER | UPDATE | |||
| MQPG.AMQ.** | ALTER | ALTER | ALTER | ||
| MQPG.COM.GREENHAT.INTERCEPT_LCK | ALTER | UPDATE | |||
| MQPG.RIT.DIVERT.RULES_LC | ALTER | UPDATE | |||
| MQPG.COM.GREENHAT.ALLOW.GENERIC.QNAMES is required for transport recording, or when specifying wildcards within the name of the queue to record. | READ | ||||
| MQPG.APPQUEUE, where APPQUEUE is either a generic or discrete string that identifies the queue to be recorded or stubbed. | READ |
READ (recording) UPDATE (stubbing) |
|||
| MQCONN | MQPG.BATCH | READ | READ |
Security settings for a Queue Sharing Group
Use the following definitions for the security settings of the various classes when the
queue manager is part of a queue sharing group. Substitute MQPG with either the name of the
queue sharing group or the name of the queue manager depending on whether your site defines
MQ security at the queue manager level or at the group level.
Note: Each queue manager must
have permission to access each of the
Rational® Integration
Tester namelists and queues. For example, if the queue sharing group is made up of queue
managers named QMGA, QMGB, and QMGC,
Rational® Integration
Tester uses the following namelists and queues:
| Object Name | Object Type | QSGDISP |
|---|---|---|
| COM.GREENHAT.INTERCEPT.QMGA | Namelist | GROUP |
| COM.GREENHAT.INTERCEPT.QMGB | Namelist | GROUP |
| COM.GREENHAT.INTERCEPT.QMGC | Namelist | GROUP |
| RIT.DIVERT.RULES.QMGA | Namelist | GROUP |
| RIT.DIVERT.RULES.QMGB | Namelist | GROUP |
| RIT.DIVERT.RULES.QMGC | Namelist | GROUP |
| COM.GREENHAT.COMMAND.QUEUE.QMGA | Queue | SHARED |
| COM.GREENHAT.COMMAND.QUEUE.QMGB | Queue | SHARED |
| COM.GREENHAT.COMMAND.QUEUE.QMGC | Queue | SHARED |
| COM.GREENHAT.INTERCEPT_LCK | Queue | SHARED |
| COM.GREENHAT.INTERCEPT.QMGA_LCK | Queue | SHARED |
| COM.GREENHAT.INTERCEPT.QMGB_LCK | Queue | SHARED |
| COM.GREENHAT.INTERCEPT.QMGC_LCK | Queue | SHARED |
| RIT.DIVERT.RULES.QMGA_LCK | Queue | SHARED |
| RIT.DIVERT.RULES.QMGB_LCK | Queue | SHARED |
| RIT.DIVERT.RULES.QMGC_LCK | Queue | SHARED |
Define the MQADMIN, MQNLIST, MQCMDS, and MQQUEUE profiles and accesses as listed in the
following table to make them accessible from all the three queue managers:
| Class | Resource | Integration Tester agent Job/Started Task Userid | CHINIT | Integration Tester User | Application Userid |
|---|---|---|---|---|---|
| MQADMIN | MQPG.NAMELIST.COM.GREENHAT.INTERCEPT.QQQQ where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, an intercept namelist is required for each queue manager. | ALTER access to the intercept namelist for the QMGR associated with the job | ALTER access to the intercept namelists for all queue managers | ||
| MQPG.NAMELIST.COM.GREENHAT.INTERCEPT_LCK | ALTER | ||||
| MQPG.NAMELIST.COM.GREENHAT.EXIT.INTERCEPT | ALTER | ||||
| MQPG.NAMELIST.COM.GREENHAT.EXIT.DIVERT1 | ALTER | ||||
| MQPG.NAMELIST.COM.GREENHAT.EXIT.DIVERT2 | ALTER | ||||
| MQPG.NAMELIST.RIT.DIVERT.RULES.QQQQ where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, a divert namelist is required for each queue manager. | ALTER access to the divert namelist for the QMGR associated with the job | ALTER access to the divert namelists for all queue managers | |||
| MQPG.NAMELIST.RIT.DIVERT.RULES_LCK | ALTER | ALTER | |||
| MQPG.NAMELIST.RIT.** | ALTER | ||||
| MQPG.QUEUE.COM.GREENHAT.INTERCEPT_LCK | ALTER | ||||
| MQPG.QUEUE.COM.GREENHAT.INTERCEPT.QQQQ_LCK, where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, an intercept locking queue may be required for each queue manager. | ALTER | ||||
| MQPG.QUEUE.RIT.DIVERT.RULES.QQQQ_LCK, where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, a divert locking queue is required for each queue manager. | ALTER | ||||
| MQPG.CONTEXT.application.queuename | CONTROL | CONTROL | |||
| MQPG.CONTEXT.** | ALTER | ||||
| MQNLIST | MQNLIST MQPG.COM.GREENHAT.INTERCEPT.QQQQ where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, an intercept namelist is required for each queue manager. | ALTER access to the intercept namelist for the QMGR associated with the job | ALTER access to the intercept namelists for all queue managers | ||
| MQPG.COM.GREENHAT.EXIT.INTERCEPT | ALTER | ||||
| MQPG.COM.GREENHAT.EXIT.DIVERT1 | ALTER | ||||
| MQPG.COM.GREENHAT.EXIT.DIVERT2 | ALTER | ||||
| MQPG.COM.GREENHAT.INTERCEPT_LCK | ALTER | ALTER | |||
| MQPG.RIT.DIVERT.RULES.QQQQ where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, a divert namelist is required for each queue manager. | ALTER access to the divert namelist for the QMGR associated with the job | ALTER access to the divert namelists for all queue managers | |||
| MQPG.RIT.DIVERT.RULES_LCK | ALTER | ALTER | |||
| MQPG.RIT.DIVERTRULE.** | ALTER | ||||
| MQCMDS | MQPG.ALTER.NAMELIST | ALTER | |||
| MQPG.DEFINE.NAMELIST | ALTER | ALTER | |||
| MQPG.DELETE.NAMELIST | ALTER | ||||
| MQPG.DISPLAY.GROUP | READ | ||||
| MQPG.DISPLAY.NAMELIST | READ | READ | |||
| MQPG.DISPLAY.QMGR | READ | READ | |||
| MQPG.DISPLAY.QUEUE | READ | ||||
| MQPG.DISPLAY.SECURITY | READ | ||||
| MQPG.CSQ.** | UPDATE | ||||
| MQPG.DEFINE.QUEUE | ALTER | ||||
| MQPG.DEFINE.QLOCAL | ALTER | ||||
| MQPG.DELETE.QUEUE (required for mirror queue recording) | ALTER | ||||
|
MQQUEUE |
MQPG.COM.GREENHAT.COMMAND.QUEUE.QQQQ where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, a command queue is required for each queue manager. | ALTER access to the command queue for the QMGR associated with the job | ALTER | ALTER access to the command queues for all queue managers | |
| MQPG.CSQ.** | UPDATE | ||||
| MQPG.SYSTEM.COMMAND.INPUT | UPDATE | UPDATE | UPDATE | ||
| MQPG.SYSTEM.COMMAND.REPLY.MODEL | UPDATE | UPDATE | |||
| MQPG.SYSTEM.DEFAULT.MODEL.QUEUE | ALTER | UPDATE | |||
| MQPG.AMQ.** | ALTER | ALTER | ALTER | ||
| MQPG.COM.GREENHAT.INTERCEPT_LCK | UPDATE | ||||
| MQPG.COM.GREENHAT.INTERCEPT.QQQQ_LCK, where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, an intercept locking queue may be required for each queue manager. | UPDATE | ||||
| MQPG.RIT.DIVERT.RULES.QQQQ_LCK, where QQQQ is the name of a queue manager. When using Integration Tester with shared queues, a divert locking queue is required for each queue manager. | UPDATE | ||||
| MQPG.COM.GREENHAT.ALLOW.GENERIC.QNAMES is required for transport recording, or when specifying wildcards within the name of the queue to record. | READ | ||||
| MQPG.APPQUEUE, where APPQUEUE is either a generic or discrete string that identifies the queue to be recorded or stubbed. | READ | READ (recording) UPDATE (stubbing) |
|||
| MQCONN | MQPG.BATCH | READ | READ |