To enable complete security, insert the following GSO SAFDEF record:
SET C(GSO)
INSERT SAFDEF.mqm ID(mqm) FUNCRET(8) RETCODE(4) MODE(IGNORE) -
RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN) REP
Using this approach enables all aspects of MQM's external security. If you wish a more selective approach, you can use switch profiles to enable the specific areas of MQM that you determine need security controls. The following is a list of the switch profiles. (Consult the MQM documentation for an explanation of switch profiles and a complete list of them.)
MQ_mgr_name.NO.ALTERNATE.USER.CHECKS
MQ_mgr-name.NO.CMD.CHECKS
MQ_mgr_name.NO.CONNECT.CHECKS
MQ_mgr_name.NO.CONTEXT.CHECKS
MQ_mgr_name.NO.CMD.RESC.CHECKS
MQ_mgr_name.NO.NLIST.CHECKS
MQ_mgr_name.NO.PROCESS.CHECKS
MQ_mgr_name.NO.QUEUE.CHECKS
MQ_mgr_name.NO.SUBSYS.SECURITY
The MQ_mgr_name represents the MQM subsystem name. Change this to the to the name assigned to MQSeries queue manager at your location. For example, inserting the following SAFDEF records enables only connect security:
SET C(GSO)
INSERT SAFDEF.mqml ID(mqm1) FUNCRET(8) RETCODE(4) MODE(IGNORE) REP RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,ENTITYX=mqmn.NO.SUBSYS.SECURITY)
INSERT SAFDEF.mqm2 ID(mqm2) FUNCRET(8) RETCODE(4) MODE(IGNORE) REP RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,ENTITYX=mqmn.NO.CONNECT.CHECKS)
These SAFDEF records return a NOT FOUND condition to MQM. The negative logic is that if NO.SUBSYS.SECURITY is not found, subsys security is active; if NO.CONNECT.CHECKS is not found, connection security is active. Insert similar SAFDEF records for each switch profile that you want enabled. Always insert the SAFDEF for NO.SUBSYS.SECURITY when using switch profiles. To disable security, delete the SAFDEF records you inserted and then issue the CA-ACF2 REFRESH command for the SAFDEF records.
Administering CA-ACF2 Security Records for MQM
Once you create the necessary SAFDEF records to enable security for MQM, follow these steps to ensure that eTrust CA-ACF2 performs the appropriate validation:
- Insert the following GSO CLASMAP records choosing a three-character resource type code for each MQM resource class.
SET C(GSO)
INSERT CLASMAP.mqadmin RESOURCE(MQADMIN) RSRCTYPE(mqa) ENTITYLN(62)
INSERT CLASMAP.mqconn RESOURCE(MQCONN) RSRCTYPE(mqk) ENTITYLN(10)
INSERT CLASMAP.mqcmds RESOURCE(MQCMDS) RSRCTYPE(mqc) ENTITYLN(22)
INSERT CLASMAP.mqqueue RESOURCE(MQQUEUE) RSRCTYPE(mqq) ENTITYLN(53)
INSERT CLASMAP.mqproc RESOURCE(MQPROC) RSRCTYPE(mqp) ENTITYLN(53)
INSERT CLASMAP.mqnlist RESOURCE(MQNLIST) RSRCTYPE(mqn) ENTITYLN(53)
INSERT CLASMAP.mxnlist RESOURCE(MXNLIST) RSRCTYPE(mxn) ENTITYLN(53)
INSERT CLASMAP.mxtopic RESOURCE(MXTOPIC) RSRCTYPE(mxt) ENTITYLN(246)
INSERT CLASMAP.mxadmin RESOURCE(MXADMIN) RSRCTYPE(mxa) ENTITYLN(62)
INSERT CLASMAP.mxqueue RESOURCE(MXQUEUE) RSRCTYPE(mxq) ENTITYLN(53)
INSERT CLASMAP.mxproc RESOURCE(MXPROC) RSRCTYPE(mxp) ENTITYLN(53)
- Add the resource type codes to the INFODIR record.
SET C(GSO)
CHANGE INFODIR TYPES(r-rmqa, r-rmqk, r-rmqc, r-rmqq, r-rmqp, r-rmqn, r-rmxn, r-rmxt, r-rmxa, r-rmxq, r-rmxp) add
After adding or changing rules the resident directories should be rebuilt for the appropriate resource type code. For example:
F ACF2,REBUILD(mqa)
- Write resource rules. The following example shows how to write a rule to secure the MQADMIN resource class:
SET R(mqa)
COMPILE * STORE
$KEY(mqmn) TYPE(mqa)
context UID(user1) ALLOW
reslevel UID(*) SERVICE(update) ALLOW
alternate.user.- UID(user2) ALLOW
The following example shows how to write a rule to secure the MQCONN connection resource class:
SET R(mqk)
COMPILE * STORE
$KEY(mqmn) TYPE(mqk)
batch UID(user1) ALLOW
cics UID(user2) ALLOW
- Define a logonid for each MQM address space using the following as an example:
SET LID
INSERT mqmnmstr MUSASS NON-CNCL STC
MQM processing can use a default logonid. CA-ACF2 validates these requests using the batch default logonid. If that is not appropriate, use the MUSDLID logonid field to assign a specific default logonid to use for each MQM region as follows
SET LID
CHANGE mqmnmstr MUSDLID(mqmdflt)
INSERT mqmdflt RESTRICT NAME(mqm default lid)
CA-ACF2 security for MQM deviates from the MQM documentation in these respects:
- You can mask the subsystem value for your MQM queue manager in CA-ACF2 resource rules.
- GSO SAFDEF records support switch profiles as explained above.
- You cannot use XREF resource grouping for the MQQUEUE resource class or any other validation invoked through a RACROUTE FASTAUTH request.
- Audit records are reported on the ACFRPTRV report as trace records.
- RESLEVEL access checking requires SAF access levels. The correspondence between SAF access levels and CA-ACF2 SERVICE levels are as follows:
SAF ACCESS CA-ACF2 SERVICE LEVEL
READ READ
UPDATE UPDATE
CONTROL DELETE
ALTER ADD
The RESLEVEL resource specifies the level of MQM security in effect for a job. The level of access granted to the MQADMIN resource named mqmn.RESLEVEL is used to determine the level of MQM security for that user or CICS region. Giving READ or no-access to the mqmn.RESLEVEL resource means the user or CICS region follows full, normal MQM security checking. Giving a logonid ALTER authority to this resource, exempts the user or CICS region for all further MQM security checking. This can result in a problem for CICS regions in which the region logonid has NON-CNCL specified. NON-CNCL always indicates ALTER authority to the RESLEVEL check. MQM processing then bypasses security checking for that region. To avoid this, insert a SAFDEF record that overrides the validation return codes for the RESLEVEL check. A sample SAFDEF record follows:
SAFDEF.mqmres1 ID(mqmres1) MODE(IGNORE) JOB(cicsjob) RETCODE(0) FUNCRET(20) FUNCRSN(n) RACROUTE(REQUEST=AUTH,CLASS=MQADMIN,ENTITYX=mqmn.RESLEVEL) REP
Where n represents the level of access desired. Valid values are:
RC Access Level Level of Checking
0 No access Check the job/TSO (or alternate) user ID.
4 READ access Check the job/TSO (or alternate) user ID.
8 UPDATE access Check the job/TSO (or alternate) user ID.
12 CONTROL access No check.
16 ALTER access No check.
cicsjob represents the job or jobs for which this access is desired. Omit this parameter if all jobs require the same access level.
- IMS OTMA, Open Transaction Manager Access, is a transaction-based connectionless client/server protocol. MQSeries can be an OTMA client that sends transactions to an IMS server. MQSeries issues the following RACROUTE call to see if a security token should be passed to the server:
RACROUTE REQUEST=AUTH,CLASS='FACILITY',RELEASE=1.9,STATUS=WRITEONLY,
ATTR=READ,DSTYPE=N,ENTITYX=('IMSXCF.xcfgname.xcfmname',NONE),
FILESEQ=0,GENERIC=ASIS,LOG=ASIS,MSGSP=0,TAPELBL=STD,WORKA=
Where xcfgname is the XCF group name and xcfmname is the XCF member name of MQSeries.
A user token is propagated only if return/reason code 0/20:8 is returned on the RACROUTE call. The client can write a FACILITY resource rule with SERVICE(UPDATE) to give the desired reason code. Since most sites have the MQM master address space logonid defined as NON-CNCL, they will see a 0/20:16 in a SECTRACE. For this reason code, insert the following SAFDEF to get the desired SAF/RFR, adjusting the USERID below to your MQ master address space logonid:
SET CONTROL(GSO)
INSERT SAFDEF.OTMA1 ID(OTMA1) RETCODE(0) FUNCRET(20) FUNCRSN(8) -
RACROUTE(REQUEST=AUTH,CLASS=FACILITY,ENTITYX=IMSXCF.-) -
USERID(mqmnmstr) MODE(IGNORE) REP
F ACF2,REFRESH(SAFDEF)