The following is the information necessary to setup and use external security for MQSeries (MQM) in an CA-ACF2 environment. By default, CA-ACF2 does not secure MQM. You can choose to secure MQM using the CA SAF interface.

To enable complete security, insert the following GSO SAFDEF record:

SET C(GSO)
INSERT SAFDEF.mqm ID(mqm) FUNCRET(8) RETCODE(4) MODE(IGNORE) -
RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN) REP

Using this approach enables all aspects of MQM's external security. If you wish a more selective approach, you can use switch profiles to enable the specific areas of MQM that you determine need security controls. The following is a list of the switch profiles. (Consult the MQM documentation for an explanation of switch profiles and a complete list of them.)

MQ_mgr_name.NO.ALTERNATE.USER.CHECKS
MQ_mgr-name.NO.CMD.CHECKS
MQ_mgr_name.NO.CONNECT.CHECKS
MQ_mgr_name.NO.CONTEXT.CHECKS
MQ_mgr_name.NO.CMD.RESC.CHECKS
MQ_mgr_name.NO.NLIST.CHECKS
MQ_mgr_name.NO.PROCESS.CHECKS
MQ_mgr_name.NO.QUEUE.CHECKS
MQ_mgr_name.NO.SUBSYS.SECURITY

The MQ_mgr_name represents the MQM subsystem name. Change this to the to the name assigned to MQSeries queue manager at your location. For example, inserting the following SAFDEF records enables only connect security:

SET C(GSO)
INSERT SAFDEF.mqml ID(mqm1) FUNCRET(8) RETCODE(4) MODE(IGNORE) REP RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,ENTITYX=mqmn.NO.SUBSYS.SECURITY)

INSERT SAFDEF.mqm2 ID(mqm2) FUNCRET(8) RETCODE(4) MODE(IGNORE) REP RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,ENTITYX=mqmn.NO.CONNECT.CHECKS)

These SAFDEF records return a NOT FOUND condition to MQM. The negative logic is that if NO.SUBSYS.SECURITY is not found, subsys security is active; if NO.CONNECT.CHECKS is not found, connection security is active. Insert similar SAFDEF records for each switch profile that you want enabled. Always insert the SAFDEF for NO.SUBSYS.SECURITY when using switch profiles. To disable security, delete the SAFDEF records you inserted and then issue the CA-ACF2 REFRESH command for the SAFDEF records.

Administering CA-ACF2 Security Records for MQM

Once you create the necessary SAFDEF records to enable security for MQM, follow these steps to ensure that eTrust CA-ACF2 performs the appropriate validation:

1. Insert the following GSO CLASMAP records choosing a three-character resource type code for each MQM resource class.
   
   SET C(GSO)
   INSERT CLASMAP.mqadmin RESOURCE(MQADMIN) RSRCTYPE(mqa) ENTITYLN(62)
   INSERT CLASMAP.mqconn RESOURCE(MQCONN) RSRCTYPE(mqk) ENTITYLN(10)
   INSERT CLASMAP.mqcmds RESOURCE(MQCMDS) RSRCTYPE(mqc) ENTITYLN(22)
   INSERT CLASMAP.mqqueue RESOURCE(MQQUEUE) RSRCTYPE(mqq) ENTITYLN(53)
   INSERT CLASMAP.mqproc RESOURCE(MQPROC) RSRCTYPE(mqp) ENTITYLN(53)
   INSERT CLASMAP.mqnlist RESOURCE(MQNLIST) RSRCTYPE(mqn) ENTITYLN(53)
   INSERT CLASMAP.mxnlist RESOURCE(MXNLIST) RSRCTYPE(mxn) ENTITYLN(53)
   INSERT CLASMAP.mxtopic RESOURCE(MXTOPIC) RSRCTYPE(mxt) ENTITYLN(246)
   INSERT CLASMAP.mxadmin RESOURCE(MXADMIN) RSRCTYPE(mxa) ENTITYLN(62)
   INSERT CLASMAP.mxqueue RESOURCE(MXQUEUE) RSRCTYPE(mxq) ENTITYLN(53)
   INSERT CLASMAP.mxproc RESOURCE(MXPROC) RSRCTYPE(mxp) ENTITYLN(53)
    
2. Add the resource type codes to the INFODIR record.
   
   SET C(GSO)
   CHANGE INFODIR TYPES(r-rmqa, r-rmqk, r-rmqc, r-rmqq, r-rmqp, r-rmqn, r-rmxn, r-rmxt, r-rmxa, r-rmxq, r-rmxp) add
   
   After adding or changing rules the resident directories should be rebuilt for the appropriate resource type code. For example:
   
   F ACF2,REBUILD(mqa)
    
3. Write resource rules. The following example shows how to write a rule to secure the MQADMIN resource class:
   
   SET R(mqa)
   COMPILE * STORE
   $KEY(mqmn) TYPE(mqa)
   context UID(user1) ALLOW
   reslevel UID(*) SERVICE(update) ALLOW
   alternate.user.- UID(user2) ALLOW
   
   The following example shows how to write a rule to secure the MQCONN connection resource class:
   
   SET R(mqk)
   COMPILE * STORE
   $KEY(mqmn) TYPE(mqk)
   batch UID(user1) ALLOW
   cics UID(user2) ALLOW
    
4. Define a logonid for each MQM address space using the following as an example:
   
   SET LID
   INSERT mqmnmstr MUSASS NON-CNCL STC
   
   MQM processing can use a default logonid. CA-ACF2 validates these requests using the batch default logonid. If that is not appropriate, use the MUSDLID logonid field to assign a specific default logonid to use for each MQM region as follows
   
   SET LID
   CHANGE mqmnmstr MUSDLID(mqmdflt)
   INSERT mqmdflt RESTRICT NAME(mqm default lid)

CA-ACF2 security for MQM deviates from the MQM documentation in these respects:

1. You can mask the subsystem value for your MQM queue manager in CA-ACF2 resource rules.
    
2. GSO SAFDEF records support switch profiles as explained above.
    
3. You cannot use XREF resource grouping for the MQQUEUE resource class or any other validation invoked through a RACROUTE FASTAUTH request.
    
4. Audit records are reported on the ACFRPTRV report as trace records.
    
   1. RESLEVEL access checking requires SAF access levels. The correspondence between SAF access levels and CA-ACF2 SERVICE levels are as follows:
      
      SAF ACCESS                      CA-ACF2 SERVICE LEVEL
      READ                                              READ
      UPDATE                                         UPDATE
      CONTROL                                      DELETE
      ALTER                                            ADD
      
      The RESLEVEL resource specifies the level of MQM security in effect for a job. The level of access granted to the MQADMIN resource named mqmn.RESLEVEL is used to determine the level of MQM security for that user or CICS region. Giving READ or no-access to the mqmn.RESLEVEL resource means the user or CICS region follows full, normal MQM security checking. Giving a logonid ALTER authority to this resource, exempts the user or CICS region for all further MQM security checking. This can result in a problem for CICS regions in which the region logonid has NON-CNCL specified. NON-CNCL always indicates ALTER authority to the RESLEVEL check. MQM processing then bypasses security checking for that region. To avoid this, insert a SAFDEF record that overrides the validation return codes for the RESLEVEL check. A sample SAFDEF record follows:
      
      SAFDEF.mqmres1 ID(mqmres1) MODE(IGNORE) JOB(cicsjob) RETCODE(0) FUNCRET(20) FUNCRSN(n) RACROUTE(REQUEST=AUTH,CLASS=MQADMIN,ENTITYX=mqmn.RESLEVEL) REP
      
      Where n represents the level of access desired. Valid values are:

      RC        Access Level             Level of Checking
      0     No access        Check the job/TSO (or alternate) user ID.
      4     READ access      Check the job/TSO (or alternate) user ID.
      8     UPDATE access    Check the job/TSO (or alternate) user ID.
      12    CONTROL access   No check.
      16    ALTER access     No check.

      cicsjob represents the job or jobs for which this access is desired. Omit this parameter if all jobs require the same access level.
       
5. IMS OTMA, Open Transaction Manager Access, is a transaction-based connectionless client/server protocol. MQSeries can be an OTMA client that sends transactions to an IMS server. MQSeries issues the following RACROUTE call to see if a security token should be passed to the server:
   
   RACROUTE REQUEST=AUTH,CLASS='FACILITY',RELEASE=1.9,STATUS=WRITEONLY,
   ATTR=READ,DSTYPE=N,ENTITYX=('IMSXCF.xcfgname.xcfmname',NONE),
   FILESEQ=0,GENERIC=ASIS,LOG=ASIS,MSGSP=0,TAPELBL=STD,WORKA=
   
   Where xcfgname is the XCF group name and xcfmname is the XCF member name of MQSeries.
   
   A user token is propagated only if return/reason code 0/20:8 is returned on the RACROUTE call. The client can write a FACILITY resource rule with SERVICE(UPDATE) to give the desired reason code. Since most sites have the MQM master address space logonid defined as NON-CNCL, they will see a 0/20:16 in a SECTRACE. For this reason code, insert the following SAFDEF to get the desired SAF/RFR, adjusting the USERID below to your MQ master address space logonid:
   
   SET CONTROL(GSO)
   INSERT SAFDEF.OTMA1 ID(OTMA1) RETCODE(0) FUNCRET(20) FUNCRSN(8) -
   RACROUTE(REQUEST=AUTH,CLASS=FACILITY,ENTITYX=IMSXCF.-) -
   USERID(mqmnmstr) MODE(IGNORE) REP
   
   F ACF2,REFRESH(SAFDEF)

A further note on MQ Queue Name definitions:

1) The only valid character to separate MQ queue name qualifiers is the '.'

2) All other characters are considered to be part of the qualifier string

3) qualifiers must be 1 to 8 characters in length, 

QUEUE/PART1/PART2/PART3  - this is resolved as one long string 

QUEUE.PART1.PART2.PART3 - if all the values between the '.' are 1 to 8 characters long, each is considered a qualifier, otherwise this is resolved as one long string

QUEUE/PART1.PART2/PART3 - because the values on each side of the '.' are more than 8 characters, this is considered one long string.

As detailed above, all the queues listed above are totally different from each other.