3. Abstract
This session will look at how security facilities are provided on WebSphere MQ for z/OS, including
a look at what security is available, how it is activated/deactivated, what types of resources can be
protected and an insight as to how WebSphere MQ for z/OS determines which userids it uses for
the checks it performs.
6. Security Overview
What are we trying to achieve?
● Identification: being able to identify uniquely a user of a system or an
application that is running in the system.
● Authentication: being able to prove that a user or application is
genuinely who that person or what that application claims to be.
● Access Control: protects critical resources in a system by limiting
access only to authorised users and their applications. It prevents
unauthorised use of a resource or the use of a resource in an
unauthorised manner.
● Auditing: tracking who has done what to what and when.
7. Security Overview
● Confidentiality: protects sensitive information from unauthorised
disclosure.
● Data Integrity: detects whether there has been unauthorised
modification of data. There are two ways in which this can
occur: accidentally, through hardware or transmission errors, or by
deliberate attack.
● Non-Repudiation: the goal is usually to prove that a particular
message is associated with a particular individual.
8. WebSphere MQ for z/OS (non Queue Sharing Groups)
[Figure: two z/OS images, each running a queue manager (Queue Manager A with queues A1 and A2, Queue Manager B with queues B1 and B2). Batch, IMS and CICS applications connect to their local queue manager; the movers (channel initiators) link the two queue managers and provide links to other MQ systems.]
9. WebSphere MQ for z/OS Queue Sharing Groups
[Figure: a queue sharing group (QSG) of shared queue managers SQM1, SQM2 and SQM3, each with its own mover, local logs and local pagesets, sharing queue SQ1 held in the Coupling Facility (CF) with shared definitions in DB2; a local queue manager LQM1 outside the QSG with its own mover, logs and pagesets; IMS, CICS and batch applications connect to the queue managers.]
10. Security Overview
SAF to provide choice of External Security Manager
- RACF, ACF2, Top Secret, ...
- WebSphere MQ has a set of classes to hold profiles
- Profiles provide access control capabilities
Features depend upon profiles used
- z/OS control is more granular than other systems
Activate classes, and allow generic profiles
- SETROPTS CLASSACT(...)
- SETROPTS GENERIC(...)
[Figure: WebSphere MQ calls SAF, which routes the request to the External Security Manager holding the WebSphere MQ profiles.]
12. Security Overview - continued...
WebSphere MQ mixed case RACF Classes
MXADMIN - Switch profiles, Command resource,
Context and Alternate User profiles
MXQUEUE - Queue profiles
MXPROC - Process profiles
MXNLIST - Namelist profiles
MXTOPIC - Topic profiles
Note: There are no MX... versions of the MQCONN and
MQCMDS classes
14. Controlling Security
RACF Classes
High Level Qualifiers
Shared Queue Manager Environment
Security Switches
- Switch profiles
- Options available under Queue Sharing Groups
Queue Sharing Group rules
15. Controlling Security - RACF Classes
What determines which classes are used?
● The queue manager attribute SCYCASE. This can be set to either:
UPPER - the default on migration and on a new Qmgr; this uses the MQ... versions of the classes (plus MXTOPIC)
MIXED - this uses the MX... versions of the classes
The MQ... and MX... classes are mutually exclusive, except that MXTOPIC can be used whether
SCYCASE(UPPER) or SCYCASE(MIXED) is specified, as there is no MQ... version of it.
16. Controlling Security - RACF Classes
What can be mixed case in an MX... class?
● The 'resourcename' part of a profile in one of the following classes:
MXADMIN
hlq.CONTEXT.resourcename
hlq.QUEUE.resourcename
MXPROC, MXNLIST and MXQUEUE
hlq.resourcename
MXTOPIC
hlq.SUBSCRIBE.resourcename
hlq.PUBLISH.resourcename
17. Controlling Security - RACF Classes
How do you change the classes you are using?
● Set the queue manager attribute SCYCASE to either:
UPPER - the default on migration and on a new Qmgr; this uses the MQ... versions of the classes (plus MXTOPIC)
MIXED - this uses the MX... versions of the classes
● Issue a REFRESH SECURITY command (more later)
BUT first ensure you have all the RACF profiles defined that you need in
the appropriate classes.
18. Controlling Security - High Level Qualifiers
Queue Manager qualified profiles
Queue Manager profiles use the queue manager name as the high level qualifier,
for example qmgr.profile.name, and their scope is limited to the named Qmgr.
Queue Sharing Group qualified profiles
Queue sharing group profiles use the queue sharing group id as their high level
qualifier instead of a queue manager name, for example qsg.profile.name, and
their scope is the named Queue Sharing Group.
19. Controlling Security - Shared Queue Manager Environment
DB2
● Setting up Resources in DB2
● Connection to DB2
● Access to DB2 resources
Coupling Facility
● Setting up the Coupling Facility
● Access to the Coupling Facility
Queue Sharing Groups (QSG)
● Setting up QSGs
● Joining a QSG
20. Controlling Security - Switch Profiles
Granular control of security checking
Subsystem security
hlq.NO.SUBSYS.SECURITY
Qmgr or QSG Security
hlq.NO.QMGR.CHECKS
hlq.NO.QSG.CHECKS
In a QSG you also have 'YES' switch profiles:
ssid.YES.type
These profiles are only used if you have chosen to have both Qmgr and QSG
checking active and need to override a QSG level profile on a given Qmgr.
The hlq on these profiles is always 'ssid' - in other words the qmgr ID.
** You cannot set both QMGR & QSG to OFF together - if you try this you will get
both Qmgr and Qsg security activated **
21. Controlling Security - Switch Profiles
Connection Security
hlq.NO.CONNECT.CHECKS
MQ Command Security
hlq.NO.CMD.CHECKS
hlq.NO.CMD.RESC.CHECKS
MQ API Security
hlq.NO.QUEUE.CHECKS
hlq.NO.PROCESS.CHECKS
hlq.NO.NLIST.CHECKS
hlq.NO.CONTEXT.CHECKS
hlq.NO.ALTERNATE.USER.CHECKS
hlq.NO.TOPIC.CHECKS
All defined in the MQADMIN class or MXADMIN class
All switch profiles are uppercase regardless of class
22. Controlling Security - Security Switch options
[Figure: decision tree - is the QMGR a local QMGR or a shared QMGR? A local (not QSG) QMGR looks for ssid profiles only; a shared QMGR can run with QMGR-only, QSG-only, or QMGR & QSG checking.]
Not QSG
● ssid only
Queue Sharing Group
● Up to three profiles looked for when checking for:
Subsystem security
Queue Manager security
QSG security
23. Controlling Security - Security Switch options
[Figure: flowchart for the subsystem security switch, reconstructed below as text.]
Local qmgr:
ssid.NO.SUBSYS.SECURITY found - set Subsys security OFF on this qmgr
ssid.NO.SUBSYS.SECURITY not found - set Subsys security ON on this qmgr
Shared qmgr:
ssid.NO.SUBSYS.SECURITY found - set Subsys security OFF on this qmgr
ssid.NO.SUBSYS.SECURITY not found - look for qsg.NO.SUBSYS.SECURITY
qsg.NO.SUBSYS.SECURITY not found - set Subsys security ON on this qmgr
qsg.NO.SUBSYS.SECURITY found - look for ssid.YES.SUBSYS.SECURITY
ssid.YES.SUBSYS.SECURITY found - set Subsys security ON on this qmgr
ssid.YES.SUBSYS.SECURITY not found - set Subsys security OFF on this qmgr
24. Controlling Security - Security Switch options
Shared Queue Environment (subsystem security ON)
[Figure: flowchart for the QMGR checks switch, reconstructed below as text.]
ssid.NO.QMGR.CHECKS found - set QMGR security OFF on this qmgr
ssid.NO.QMGR.CHECKS not found - look for qsg.NO.QMGR.CHECKS
qsg.NO.QMGR.CHECKS not found - set QMGR security ON on this qmgr
qsg.NO.QMGR.CHECKS found - look for ssid.YES.QMGR.CHECKS
ssid.YES.QMGR.CHECKS found - set QMGR security ON on this qmgr
ssid.YES.QMGR.CHECKS not found - set QMGR security OFF on this qmgr
25. Controlling Security - Switch Options
Shared Queue Environment (subsystem security ON)
[Figure: flowchart for the QSG checks switch, reconstructed below as text.]
ssid.NO.QSG.CHECKS found - set QSG security OFF on this qmgr
ssid.NO.QSG.CHECKS not found - look for qsg.NO.QSG.CHECKS
qsg.NO.QSG.CHECKS not found - set QSG security ON on this qmgr
qsg.NO.QSG.CHECKS found - look for ssid.YES.QSG.CHECKS
ssid.YES.QSG.CHECKS found - set QSG security ON on this qmgr
ssid.YES.QSG.CHECKS not found - set QSG security OFF on this qmgr
26. Controlling Security - Queue Sharing Groups
Rules
The default is to check ssid profiles before qsg profiles
● ssid.YES switch profiles override qsg.NO switch profiles
● QMGR checks switch ON / QSG checks switch OFF means ONLY profiles with a
hlq of ssid will be used
● QSG checks switch ON / QMGR checks switch OFF means ONLY profiles with a
hlq of qsg will be used
You cannot set security OFF by setting both QMGR & QSG checking OFF together -
it will default both ON
Once the QMGR and QSG switches have been determined, the remaining
switch profiles are checked following the QMGR/QSG rules
Once the Shared Queue Manager is up and running, all security checks are
governed by the setting of the individual switch for that type of security and the
QMGR/QSG switch state
If both QMGR and QSG switches are ON then a hlq of ssid will be used first and, if
not found, a hlq of qsg will be used on the security check
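As an added illustration (not part of the original presentation and not IBM code), the following Python models the switch-profile lookups described on slides 20 to 26: the up-to-three-profile lookup for each switch, the rule that QMGR and QSG checks cannot both be switched off, and the resulting order of high level qualifiers used when the remaining switch profiles and resource profiles are looked for. The profile store is a plain set of constructed profile names standing in for RACF; the subsystem id MQ19 and queue sharing group name QSG1 are made up.

```python
"""Switch-profile resolution for a WebSphere MQ for z/OS queue manager.

Added illustration, not IBM code: a Python set of constructed profile names
stands in for RACF, and the ssid/qsg values used in the demo are made up.
"""
from dataclasses import dataclass


@dataclass
class SwitchState:
    subsys: bool  # subsystem security active?
    qmgr: bool    # profiles with an hlq of ssid are used?
    qsg: bool     # profiles with an hlq of qsg are used?


def _lookup(profiles, ssid, qsg, switch):
    """One switch resolved by the up-to-three-profile lookup of slides 23-25.

    ssid.NO.<switch> found       -> OFF
    qsg.NO.<switch> not found    -> ON   (also the only outcome outside a QSG)
    ssid.YES.<switch> found      -> ON   (ssid.YES overrides qsg.NO)
    otherwise                    -> OFF
    """
    if f"{ssid}.NO.{switch}" in profiles:
        return False
    if qsg is None or f"{qsg}.NO.{switch}" not in profiles:
        return True
    return f"{ssid}.YES.{switch}" in profiles


def resolve_switches(profiles, ssid, qsg=None):
    """Subsystem, QMGR and QSG switch state as determined at queue manager startup."""
    if not _lookup(profiles, ssid, qsg, "SUBSYS.SECURITY"):
        return SwitchState(subsys=False, qmgr=False, qsg=False)
    if qsg is None:
        # not in a queue sharing group: only ssid profiles are ever looked for
        return SwitchState(subsys=True, qmgr=True, qsg=False)
    qmgr_on = _lookup(profiles, ssid, qsg, "QMGR.CHECKS")
    qsg_on = _lookup(profiles, ssid, qsg, "QSG.CHECKS")
    if not qmgr_on and not qsg_on:
        # you cannot set both OFF together: both are activated instead
        qmgr_on = qsg_on = True
    return SwitchState(subsys=True, qmgr=qmgr_on, qsg=qsg_on)


def hlq_order(state, ssid, qsg=None):
    """High level qualifiers tried, in order, for every later profile lookup."""
    if not state.subsys:
        return []
    order = [ssid] if state.qmgr else []
    if state.qsg and qsg is not None:
        order.append(qsg)
    return order


def type_switch_on(profiles, state, ssid, qsg, switch):
    """Is a per-type switch such as QUEUE.CHECKS on, following the QMGR/QSG rules?"""
    if not state.subsys:
        return False
    if state.qmgr and f"{ssid}.NO.{switch}" in profiles:
        return False
    if state.qsg and f"{qsg}.NO.{switch}" in profiles:
        # ssid.YES only overrides qsg.NO when both QMGR and QSG checking are active
        return state.qmgr and f"{ssid}.YES.{switch}" in profiles
    return True


if __name__ == "__main__":
    # constructed profile store: the QSG switches off QSG-level checks and PROCESS checks
    racf = {"QSG1.NO.QSG.CHECKS", "QSG1.NO.PROCESS.CHECKS"}
    state = resolve_switches(racf, "MQ19", "QSG1")
    print(state, "hlq order:", hlq_order(state, "MQ19", "QSG1"))
    # qsg.NO.PROCESS.CHECKS is ignored because QSG checks are OFF on this qmgr
    print("PROCESS checks on:", type_switch_on(racf, state, "MQ19", "QSG1", "PROCESS.CHECKS"))
```

The demo at the bottom shows the trap the slide warns about: a qsg.NO profile that looks like it turns a check off has no effect once the QSG switch itself is off, so an audit of switch profiles has to start from the QMGR/QSG switch state rather than from the per-type profiles.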
28. Access Control
Connection Security
Reslevel Security
API security
● covering profiles and userids checked
Link Level Security
29. Access Control - Connection security
Profiles are held in the MQCONN class
● One profile per adapter type
hlq.BATCH
hlq.CICS
hlq.IMS
hlq.CHIN
READ access required by adapter
Connection profiles are always uppercase
Connection type - Userid used
Batch - The TSO Userid; the Userid assigned to the batch job via the USER JCL parm; the Userid assigned to the started task by the STARTED class or the started procedures table
CICS - The CICS address space Userid
IMS - The IMS region Userid
Channel Initiator - The Channel Initiator address space Userid
30. Access Control - RESLEVEL Profile
Single profile per Queue Manager or Queue Sharing Group in
the MQADMIN class or MXADMIN class; it looks like
hlq.RESLEVEL
Controls the number of userids used for access control on
MQ API Resource Security
The executing userid's access to the RESLEVEL profile determines
the number of userids - this lasts for the life of that connection
The RESLEVEL profile is always uppercase
31. Access Control - MQ API Security
Access to Resources
This can be controlled by more than one profile and can
involve several security checks depending on the set up.
Profiles used for Resource security checking are held in
the following classes
MQPROC or MXPROC - Processes
MQNLIST or MXNLIST - Namelists
MQQUEUE or MXQUEUE - Queues
MQADMIN or MXADMIN - Context and Alternate Userids
MXTOPIC - Topics
32. Access control - MQ API Security
Processes and Namelists Security - are opened for inquiry only
MQPROC or MXPROC class - profiles look like
hlq.processname
READ access required by userid(s)
In the MXPROC class 'processname' can be mixed case
MQNLIST or MXNLIST class - profiles look like
hlq.namelistname
READ access required by userid(s)
In the MXNLIST class 'namelistname' can be mixed case
33. Access Control - MQ API Security
Queue Security
Profiles are held in the MQQUEUE or MXQUEUE class and
look like
hlq.resourcename
In the MXQUEUE class 'resourcename' can be mixed case
A profile can protect
a single Local queue on a local Qmgr
several Local queues of the same name on different
Shared qmgrs in a QSG
a single Shared queue in a QSG
a remote qmgr for fully qualified Remote Queues
except cluster queues !
34. Access Control - MQ API Security - Queues
Access required to the profile is dependent upon the
MQOPEN, MQPUT1, or MQSUB options:
Option - Access required
Inquire, browse - READ
Set - ALTER
All others (including all context options) - UPDATE
DEFINE SUB command can cause a security check against a queue to
take place
Access granularity on z/OS is different to that on distributed
platforms; it is not as granular.
MQGET has the same access as MQPUT, so if you need to distinguish
between 'putters' and 'getters' you can use alias queues to do this.
35. Access Control - MQ API Security - Queues
Queues that may require additional consideration
Dynamic queues
MQOPEN for dynamic queues requires access to multiple
profiles: the Model queue profile and the Dynamic queue profile
MQCLOSE checking for permanent dynamic queues
Alias Queues
Alias queues that resolve to topics are different from Alias
queues that resolve to queues
Dead Letter Queues
System Queues
Remote Queues
Managed Queues
No security checks
36. Access Control - MQ API Security - Topics
Topic Security
Profiles are held in the MXTOPIC class and look like
hlq.SUBSCRIBE.resourcename
hlq.PUBLISH.resourcename
In the MXTOPIC class 'resourcename' can be mixed case
Checks take place
When an application Subscribes or Publishes to a Topic using an
MQSUB, MQOPEN or MQPUT1
When an application closes, and thereby removes, a subscription using an
MQCLOSE
37. Access Control - MQ API Security - Topics
Access required to the profile is dependent upon the
MQSUB options:-
Option Access required
Resume READ
Create or Alter ALTER
The nearest parent Topic object in the topic tree that has security
associated with it is the one checked
This may involve more than one check, depending on the structure
of the topic tree
38. Access control - MQ API Security
MQADMIN or MXADMIN class - the profiles look like
hlq.CONTEXT.queuename
Controls access to MQMD context fields
Access required to profile is dependent upon which context
options are requested on the MQOPEN or MQPUT1 call
Determines if the MQSD context fields are used on MQSUB
In MXADMIN 'queuename' can be mixed case
hlq.ALTERNATE.USER.alternateuserid
Controls the use of an alternate userid
To use an alternate userid you need UPDATE access to
appropriate profile. You should have one profile per Queue
Manager or Qsg per alternate userid
In MXADMIN alternate userid profiles are always uppercase
39. Access Control - API Security - Userids
All API access control is userid based and Userids are
environment dependent
Batch - Job Userid
CICS - Address space userid, Transaction userid
IMS - Address space userid, 'Second' userid
Mover - Channel Userid, MCA Userid
IGQ - Intra-group Queuing Userid, Sending Queue Manager
Userid
All have the possibility of using an Alternate Userid too
the userid from the MQMD UserIdentifier field of the message
the userid from the MQSD AlternateUserid field on an MQSUB
request
RESLEVEL profile controls number of userids checked
40. How to read User ID Tables
[Figure: key to the user ID tables on the following slides, reconstructed below.]
Key:
1 - Question to choose the column: Alternate Userid specified on Open or Sub? (NO / YES)
2 - RESLEVEL to determine the number of checks (1 check / 2 checks):
RACF access level - Level of checking
NONE - Check two userids
READ - Check one userid
UPDATE - Check one userid
CONTROL - No check
ALTER - No check
3 - Key details the actual user IDs: each table row is a profile name
(ssid.ALTERNATE.USER.alternateuserid, ssid.CONTEXT.queuename,
ssid.resourcename) and each cell lists the userids checked against it
(ID1, ID1+ID2, ID1+ALT), or '--' where no check is made.
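The following Python is an added example (not from the deck and not IBM code) that combines the slide 34 option table, the slide 38 CONTEXT and ALTERNATE.USER profiles and the slide 40 RESLEVEL table: given an MQOPEN, it lists the profiles the open is checked against, the access each needs, and how many userids RESLEVEL makes the resource checks use. The hlq MQ19, the queue name and the alternate userid are constructed. The access levels for the individual context options are taken from the MQ documentation rather than from these slides, and naming them by their MQOO_* suffix is an assumption.

```python
"""Profiles and userid count behind an MQOPEN on WebSphere MQ for z/OS.

Added illustration, not IBM code.  Applies the slide-34 option table, the
slide-38 CONTEXT / ALTERNATE.USER profiles and the slide-40 RESLEVEL table
to a constructed request.
"""
from dataclasses import dataclass

# slide 34: access to hlq.resourcename per open option; every other option is UPDATE
OPTION_ACCESS = {"INQUIRE": "READ", "BROWSE": "READ", "SET": "ALTER"}

# MQOO_* context options and the access each needs to hlq.CONTEXT.queuename.
# These levels come from the MQ documentation, not from the slides
# (SAVE_ALL_CONTEXT needs no context check, so it is absent here).
CONTEXT_ACCESS = {
    "PASS_IDENTITY_CONTEXT": "READ",
    "PASS_ALL_CONTEXT": "UPDATE",
    "SET_IDENTITY_CONTEXT": "UPDATE",
    "SET_ALL_CONTEXT": "CONTROL",
}

# slide 40: the executing userid's RACF access to hlq.RESLEVEL -> userids checked
RESLEVEL_CHECKS = {"NONE": 2, "READ": 1, "UPDATE": 1, "CONTROL": 0, "ALTER": 0}

RACF_ORDER = ["READ", "UPDATE", "CONTROL", "ALTER"]  # ascending RACF access hierarchy


@dataclass(frozen=True)
class ProfileCheck:
    racf_class: str
    profile: str
    access: str


def _highest(levels):
    """The single RACF access level that covers all the levels requested."""
    return max(levels, key=RACF_ORDER.index)


def queue_access_required(options):
    """Access to the queue profile implied by the MQOPEN/MQPUT1 options (slide 34)."""
    if not options:
        raise ValueError("an MQOPEN needs at least one option")
    return _highest([OPTION_ACCESS.get(o.upper(), "UPDATE") for o in options])


def plan_open(hlq, queue, options, reslevel_access, alternate_userid=None, mixed_case=False):
    """Return (list of ProfileCheck, number of userids RESLEVEL has the checks use)."""
    admin = "MXADMIN" if mixed_case else "MQADMIN"
    qclass = "MXQUEUE" if mixed_case else "MQQUEUE"
    qname = queue if mixed_case else queue.upper()  # only MX... classes keep mixed case
    checks = [ProfileCheck(qclass, f"{hlq}.{qname}", queue_access_required(options))]
    ctx_levels = [CONTEXT_ACCESS[o.upper()] for o in options if o.upper() in CONTEXT_ACCESS]
    if ctx_levels:
        checks.append(ProfileCheck(admin, f"{hlq}.CONTEXT.{qname}", _highest(ctx_levels)))
    if alternate_userid:
        # UPDATE is needed on the alternate userid profile; it is always uppercase (slide 38)
        checks.append(ProfileCheck(admin, f"{hlq}.ALTERNATE.USER.{alternate_userid.upper()}", "UPDATE"))
    return checks, RESLEVEL_CHECKS[reslevel_access.upper()]


if __name__ == "__main__":
    # constructed request: put with identity context under an alternate userid, mixed-case classes
    checks, n_ids = plan_open("MQ19", "App.Request", ["OUTPUT", "SET_IDENTITY_CONTEXT"],
                              reslevel_access="READ", alternate_userid="svcuser", mixed_case=True)
    for c in checks:
        print(f"{c.racf_class:8} {c.profile:40} {c.access}")
    print("userids checked per resource check:", n_ids)
```

Running the demo shows why RESLEVEL matters operationally: the same open is checked against the same three profiles whether the executing userid has READ or NONE on hlq.RESLEVEL, but with NONE each check is made for two userids, so a permit granted only to the first userid will start failing the moment RESLEVEL access is tightened.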
41. Access Control - Userids - Channel Security
Choice dependent on PUTAUT (DEF|CTX|ONLYMCA|ALTMCA)
MCA User ID (MCA)
The userid specified for the MCAUSER channel attribute at the receiver; if
blank, the channel initiator address space userid of the receiver or requester
side. Can also be set by CHLAUTH records.
Channel user ID (CHL)
Receiving channel using TCP/IP
Userid of the channel initiator address space of the receiver or requester end if the PUTAUT
parameter is set to DEF or CTX.
Receiving channel using APPC (LU6.2)
Requester/server channels - started from the requester, the userid of the Channel Initiator
address space of the receiver or requester end is used
Other channel types - the userid received from the communications system is used. If the
userid received is blank, or no userid is received, then a channel userid of blank is used.
42. Access Control - Userids - Channel Security
Channel user ID (CHL) cont.
● MCA Userid of the receiver or requester is used if PUTAUT set to
ONLYMCA or ALTMCA.
● SSL derived Userid if SSL is set on channel
Alternate User ID (ALT)
● The userid specified in the UserIdentifier field in the message
descriptor of the message
43. Userids - Client Channel Security
Choice dependent on PUTAUT
MCA User ID (MCA)
● The userid specified for the MCAUSER channel attribute of the server-connection;
if blank, the userid received from the client is used; if none is sent, the channel
initiator address space userid is used. Can also be set by CHLAUTH records.
● The client will send the logged on user ID.
For 'old' clients the user ID is provided with the MQ_USER_ID environment variable
For Java use MQEnvironment.userID
Channel user ID (CHL)
● As for MCA channels
Alternate User ID (ALT)
● The userid specified in the UserIdentifier field in the message
descriptor of the message
44. Access Control - Userids - IGQ security
IGQAUT (DEF|CTX|ONLYIGQ|ALTIGQ)
Intra-Group Queuing user ID (IGQ)
● The user ID determined by the IGQUSER attribute of the receiving queue
manager.
If this is set to blanks, the user ID of the receiving queue manager is used.
However because the receiving queue manager has authority to access all
queues defined to it, security checks are not performed from the receiving
queue manager's user ID.
Sending queue manager user ID (SND)
● The user ID of the queue manager within the queue-sharing group that put the
message on to the SYSTEM.QSG.TRANSMIT.QUEUE
Alternate User ID (ALT)
● The user ID specified in the UserIdentifier field in the message descriptor of the
message
45. MQ Command Security - Two Types
Command security (MQSC and PCF)
MQCMDS class - profiles look like
● hlq.verb.pkw
e.g.
● hlq.DEFINE.QLOCAL
● hlq.DEFINE.CHANNEL
Access required to the profile depends upon the verb and is usually ALTER or CONTROL
Controls who is allowed to issue each individual command
Profiles always uppercase
Command resource security (MQSC and PCF)
MQADMIN or MXADMIN class - command resource profiles look like
● hlq.type.resourcename
e.g.
● hlq.QUEUE.queuename
● hlq.CHANNEL.channelname
Access required to the profile depends upon the verb and is usually ALTER or CONTROL
Controls which resources a user can issue given commands against
'resourcename' can be mixed case in MXADMIN
Together they allow very granular control over MQ commands
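As an added example (not IBM code and not from the deck), the Python below derives the two profile names from an MQSC command: the MQCMDS hlq.verb.pkw profile and, where the command names an object, the MQADMIN or MXADMIN hlq.type.resourcename profile. The mapping from primary keyword to resource type is an assumption limited to queues, channels, processes and namelists; the queue manager name MQ19 is made up; and the access level needed (usually ALTER or CONTROL, depending on the verb) is not modelled because the deck does not give the per-verb table.

```python
"""Which RACF profiles an MQSC command is checked against (slide 45).

Added illustration, not IBM code.  Parses the verb, primary keyword and
object name from an MQSC command and builds the MQCMDS profile plus, where
the command names an object, the MQADMIN/MXADMIN command-resource profile.
"""
import re

# ASSUMED mapping from MQSC primary keyword to the 'type' in hlq.type.resourcename;
# it covers common object types only and is not taken from the slides.
RESOURCE_TYPE = {
    "QLOCAL": "QUEUE", "QREMOTE": "QUEUE", "QALIAS": "QUEUE", "QMODEL": "QUEUE",
    "CHANNEL": "CHANNEL", "PROCESS": "PROCESS", "NAMELIST": "NAMELIST",
}

# verb, primary keyword, and an optional (quoted or bare) object name in parentheses
_CMD = re.compile(r"^\s*(\w+)\s+(\w+)(?:\s*\(\s*'?([^')]+?)'?\s*\))?", re.IGNORECASE)


def command_profiles(hlq, mqsc, mixed_case=False):
    """Return ((class, MQCMDS profile), (class, resource profile) or None)."""
    m = _CMD.match(mqsc)
    if not m:
        raise ValueError(f"not an MQSC command: {mqsc!r}")
    verb, pkw, name = m.group(1).upper(), m.group(2).upper(), m.group(3)
    cmd_profile = ("MQCMDS", f"{hlq}.{verb}.{pkw}")  # MQCMDS profiles are always uppercase
    rtype = RESOURCE_TYPE.get(pkw)
    if rtype is None or name is None:
        return cmd_profile, None   # e.g. DISPLAY SECURITY: command check only
    admin = "MXADMIN" if mixed_case else "MQADMIN"
    rname = name if mixed_case else name.upper()  # 'resourcename' may be mixed case in MXADMIN
    return cmd_profile, (admin, f"{hlq}.{rtype}.{rname}")


if __name__ == "__main__":
    # constructed commands against a made-up queue manager MQ19
    for cmd in ("DEFINE QLOCAL(APP.REQUEST) MAXDEPTH(5000)",
                "ALTER QALIAS('App.Alias') TARGET(APP.REQUEST)",
                "DISPLAY SECURITY ALL"):
        print(cmd, "->", command_profiles("MQ19", cmd, mixed_case=True))
```

Used with a list of the MQSC commands an operations role is expected to issue, the function yields the exact MQCMDS and command-resource profiles that role needs permits on, which makes it easier to keep those permits at the minimum the role requires.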
46. Access Control - Command Security - Userids
Command checking, Cmd Resource checking - userid used
● CSQINP1 & CSQINP2 - no checks
● System Command Queue - MQMD.UserIdentifier
● Console - Console userid
● SDSF/TSO - TSO, address space userid
● CSQUTIL - address space userid
● CSQINPX - Channel Initiator address space userid
Access required to system queues
47. WebSphere MQ Security - Link Level Security - Solutions
[Figure: security problems paired with their solutions, reconstructed below.]
Security Problems - Solutions
● Eavesdropping - Symmetric Key Cryptography (plaintext encrypted with a shared key)
● Tampering - Hash Function
● Impersonation - Asymmetric Keys (Alice's private and public key), Digital Certificates (Alice's digital certificate carrying the CA signature), CRL checking
All brought together by SSL
Using WebSphere MQ - channel attributes:
SSLCIPH(RC4_MD5_US) (the cipher spec shown on the original slide; RC4 and MD5 are deprecated and should not be used on new channels)
SSLKEYR(QM1KEYRING)
SSLPEER('O=IBM')
SSLCAUTH(REQUIRED)
SSLCRLNL(LDAPNL)
51. Administration - MQ Commands - DISPLAY
DISPLAY SECURITY ALL|INTERVAL|SWITCHES|TIMEOUT
Displays the current security settings active on your queue manager.
Includes a message which will show either:
CSQH001I !MQ19 CSQHINSQ Security using uppercase classes
or
CSQH001I !MQ19 CSQHINSQ Security using mixed case classes
Shows which security switches are ON/OFF:
CSQH024I !MQ19 CSQHIS1C TOPIC security switch set ON, profile
'MQ19.NO.TOPIC.CHECKS' not found
or
CSQH021I !MQ19 CSQHIS1C TOPIC security switch set OFF, profile
'MQ19.NO.TOPIC.CHECKS' found
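Added example (not part of the original deck and not IBM code): a small parser that turns DISPLAY SECURITY output into a summary of which classes are in use and which switches are OFF, the kind of check worth running when auditing a queue manager's security configuration. The sample output is constructed from the message formats shown above, with each message on one line.

```python
"""Summarise DISPLAY SECURITY output into switch state (slide 51).

Added illustration, not IBM code.  SAMPLE_OUTPUT is constructed from the
CSQH001I / CSQH021I / CSQH024I formats shown on the slide, one message per
line (on a real console the long lines may wrap and need joining first).
"""
import re

SAMPLE_OUTPUT = """\
CSQH001I !MQ19 CSQHINSQ Security using mixed case classes
CSQH024I !MQ19 CSQHIS1C TOPIC security switch set ON, profile 'MQ19.NO.TOPIC.CHECKS' not found
CSQH021I !MQ19 CSQHIS1C QUEUE security switch set OFF, profile 'MQ19.NO.QUEUE.CHECKS' found
CSQH024I !MQ19 CSQHIS1C PROCESS security switch set ON, profile 'MQ19.NO.PROCESS.CHECKS' not found
"""

_CASE = re.compile(r"^CSQH001I\s+!(\S+)\s+\S+\s+Security using (uppercase|mixed case) classes")
_SWITCH = re.compile(
    r"^CSQH02[14]I\s+!(\S+)\s+\S+\s+(.+?) security switch set (ON|OFF), "
    r"profile '([^']+)' (found|not found)"
)


def parse_display_security(text):
    """Return {'qmgr': ssid, 'classes': 'uppercase'|'mixed case', 'switches': {type: {...}}}."""
    summary = {"qmgr": None, "classes": None, "switches": {}}
    for line in text.splitlines():
        m = _CASE.match(line)
        if m:
            summary["qmgr"], summary["classes"] = m.group(1), m.group(2)
            continue
        m = _SWITCH.match(line)
        if m:
            summary["qmgr"] = summary["qmgr"] or m.group(1)
            summary["switches"][m.group(2)] = {
                "on": m.group(3) == "ON",
                "profile": m.group(4),          # the NO.*.CHECKS profile looked for
                "profile_found": m.group(5) == "found",
            }
    return summary


def switches_off(summary):
    """Security types whose checking is OFF: the ones to review against policy."""
    return sorted(t for t, s in summary["switches"].items() if not s["on"])


if __name__ == "__main__":
    s = parse_display_security(SAMPLE_OUTPUT)
    print(s["qmgr"], "uses", s["classes"], "classes; switches OFF:", switches_off(s))
```

Because every switch message also names the profile that was (or was not) found, the summary doubles as a worklist: each entry in switches_off names the exact hlq.NO.*.CHECKS profile that would have to be deleted and followed by a REFRESH SECURITY to turn that checking back on.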
52. Administration - MQ Commands - REFRESH
REFRESH SECURITY
(*|MQADMIN,MQQUEUE,MQPROC,MQNLIST,MXADMIN,MXQUEUE,
MXPROC,MXNLIST,MXTOPIC)
TYPE
(CLASSES|AUTHSERV|SSL|CONNAUTH)
Command qualifier
* default
TYPE
CLASSES - default on z/OS
AUTHSERV - default on non z/OS platforms
SSL - refreshes cached view of the SSL key repository, locations of
LDAP servers for Certificate Name Revocation and the key
repository
CONNAUTH - Refreshes the cached view of the configuration for
connection authentication.
53. Administration - MQ Commands - REFRESH
You can only issue a REFRESH command for a class that
matches the case that is currently set in the Queue manager
SCYCASE parameter
CSQH013E !MQ19 CSQHSREF case conflict for class 'classname'
If you change information in any of the RACF MQ Classes you
must issue the following
SETROPTS RACLIST(classname,classname,...) REFRESH
SETROPTS GENERIC(classname,classname,...) REFRESH
in addition to the MQ Refresh command to pick up the changes to
the RACF profiles
55. Administration - Security Messages
Security Messages are issued during
Qmgr Startup
Security Messages written at startup
Refresh Security
Security messages written during Refresh
Display Security
Shortened messages issued during Display to fit in with
panels
56. Administration - RESLEVEL Auditing
Reslevel Auditing
ZPARM parameter RESAUDIT(YES/NO)
Determines whether a RACF RACROUTE REQUEST=AUDIT
request is performed for each RESLEVEL inquiry that takes
place. This request produces General Audit records (event
number 27).
60. Miscellaneous - IMS Bridge - continued...
FACILITY class
IMSXCF.xcfgname.xcfmname
(1) WebSphere MQ/IMS connection security
● IMSXCF.xcfgname.WebSphere MQ_member_name
● WebSphere MQ userid requires READ access to this profile
(2) IMS level of authentication - application level
● IMSXCF.xcfgname.IMS_member_name
● Security processing dependent upon WebSphere MQ's access to this profile
/SECURE OTMA
● Controls userid processing done by IMS
WebSphere MQ system parameters
● CSQ6SYSP ... OTMACON=(,,,Age,)
61. Miscellaneous - IMS Bridge - continued...
PassTickets
● The PassTicket application name to validate against is specified on
the storage class definition (PASSTKTA of STGCLASS)
● If no value is specified then no value is passed to RACF
● As the storage class definition is QSGDISP(LOCAL) the value is taken
from the Qmgr, so for Shared Queues each Qmgr can specify the
same or a different value
● The application name can be anything acceptable to RACF - as per the rules
of the PTKTDATA class
62. Miscellaneous - CICS 3270 Bridge
[Figure: WebSphere MQ and CICS/TS 3270 bridge flow - the bridge monitor MQGETs a request, issues START BREXIT( ... ) TRANSID( ... ), and the bridge exit and formatter drive the 3270 transaction within a unit of work against a bridge facility (terminal control, INQ/SET commands, browse); the reply is returned via the bridge exit.]
Userid/Password supplied to 3270 transaction
Password verified if present
Surrogate checking otherwise