The document provides an overview of security features for WebSphere MQ on z/OS, focusing on user identification, authentication, access control, auditing, and protecting resources. It discusses the use of external security managers, detailed classes for profiles, and granular control for access management. Additionally, it outlines the characteristics of connection, API, and resource-level security, emphasizing the importance of auditing and managing security check configurations.

1. Z5: WebSphere MQ for z/OS
Security
Damon Cross, Advisory Software Engineer
damon_cross@uk.ibm.com

2. © 2014 © 2014 IBM Corporatio InB M Corporation
Please Note
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without
notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our
general product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal
obligation to deliver any material, code or functionality. Information about potential future products may
not be incorporated into any contract. The development, release, and timing of any future features or
functionality described for our products remains at our sole discretion
Performance is based on measurements and projections using standard IBM benchmarks in a controlled
environment. The actual throughput or performance that any user will experience will vary depending
upon many factors, including considerations such as the amount of multiprogramming in the user’s job
stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no
assurance can be given that an individual user will achieve results similar to those stated here.

3. Abstract
T his session will look at how security facilities are
provided on WebSphere MQ for z/OS, including a look
at what security is available, how it is activated/
deactivated, what types of resources can be protected
and an insight as to how WebSphere MQ for z/OS
determines which userids it uses for the checks it
performs.

4. Security Overview
Controlling Security for WebSphere MQ for z/OS
Access Control
Administration
Summary
Agenda

5. Security Overview
Controlling Security for WebSphere MQ for z/OS
Access Control
Administration
Summary
Agenda

6. Security Overview
What are we trying to achieve?
●Identification:- Being able to Identify uniquely a user of a system or an
application that is running in the system.
●Authentication:- Being able to prove that a user or application is
genuinely who that person or what that application claims to be.
●Access Control:- Protects critical resources in a system by limiting
access only to authorised users and their applications. It prevents
unauthorised use of a resource or the use of a resource in an
unauthorised manner.
●Auditing:- Tracking who has done what to what and when

7. ●
Security Overview
●Confidentiality:- Protects sensitive information from unauthorised
disclosure.
●Data Integrity:- Detects whether there has been unauthorised
modification of data. There are two ways in which this can
occur,accidentally, through hardware or transmission errors, or by
deliberate attack.
●'Non-Repudiation':- The goal is usually to prove that a particular
message is associated with a particular individual.

8. WebSphere MQ for z/OS (non Queue Sharing
groups)
z/OS z/OS
IMS CICS IMS CICS
Batch
APPL
Batch
APPL
IMS
APPL
CICS
APPL
CICS
APPL
IMS
APPL
Queue
Manager A
Queue
Manager B
MOVE
R
MOVE
R
A1 A2
B2
B1
links to other MQ systems

9. WebSphere MQ for z/OS Queue Sharing Groups
QSG IMS
mover
mover
mover
SQM1
SQM2
SQM3
local
pagesets
local
pagesets
local
logs
local
logs
local
logs
local
pagesets
CICS
BATCH
mover
LQM1
local
logs
z/OS
local
pagesets
DB2
MQ
CF
SQ1
MQ

10. Security Overview
 SAF to provide choice of External Security Manager
- RACF, ACF2, Top Secret, ...
- WebSphere MQ has a set of classes to hold profiles
- Profiles provide access control capabilities
 Features depend upon profiles used
- z/OS control is more granular than other systems
 Activate classes, and allow generic profiles
WebSphere MQ
WebSphere
MQ
PROFILES
WebSphere
MQ
PROFILES
External Security Manager
SAF
- SETROPTS CLASSACT(...)
- SETROPTS GENERIC(...)

11. Security Overview - continued...
WebSphere MQ Uppercase RACF Classes
MQADMIN - Switch profiles, Command resource, Context and
Alternate User profiles
MQCONN - Connection profiles
MQCMDS - Command profiles
MQQUEUE - Queue profiles
MQPROC - Process profiles
MQNLIST - Namelist profiles

12. Security Overview - continued...
WebSphere MQ mixed case RACF Classes
MXADMIN - Switch profiles, Command resource,
Context and Alternate User profiles
MXQUEUE - Queue profiles
MXPROC - Process profiles
MXNLIST - Namelist profiles
MXTOPIC - Topic profiles
Note: There are no MX... versions of the MQCONN and
MQCMDS classes

13. Security Overview
Controlling Security for WebSphere MQ for z/OS
Access Control
Administration
Summary
Agenda

14. Controlling Security
 RACF Classes
 High Level Qualifiers
 Shared Queue Manager Environment
 Security Switches
- Switch profiles
- Options available under Queue Sharing Groups
 Queue Sharing Group rules

15. Controlling Security - RACF Classes
What determines which classes are used?
ƒ Queue manager attribute
SCYCASE
This can be set to either
UPPER - the default on migration and on a new Qmgr, this
uses the MQ...versions of the classes (plus MXTOPIC)
MIXED - this uses the MX...versions of the classes
MQ... and MX... classes are mutually exclusive except for
MXTOPIC can be used whether SCYCASE(UPPER) or
SCYCASE(MIXED) is specified as there is no MQ...version !

16. Controlling Security - RACF Classes
What can be mixed case in an MX... class ?
ƒ the 'resourcename' part of a profile in one of the following
classes
MXADMIN
hlq.CONTEXT.resourcename
hlq.QUEUE.resourcename
MXPROC, MXNLIST and MXQUEUE
hlq.resourcename
MXTOPIC
hlq.SUBSCRIBE.resourcename
hlq.PUBLISH.resourcename

17. Controlling Security - RACF Classes
How do you change the classes you are using?
ƒ the Queue manager attribute
SCYCASE
This can be set to either
UPPER - the default on migration and on a new Qmgr, this
uses the MQ...versions of the classes (plus MXTOPIC)
MIXED - this uses the MX...versions of the classes
ƒ issue a REFRESH SECURITY command ( more later )
BUT first :-
Ensure you have all the RACF profiles defined that you need in
the appropriate classes

18. Controlling Security - High Level Qualifiers
Queue Manager qualified profiles
Queue Manager profiles use the queue manager name as the high
level qualifier for example:- qmgr.profile.name and their scope is
limited to the named Qmgr.
Queue Sharing Group qualified profiles
Queue sharing group profiles will use the queue sharing group id as
their high level qualifier instead of a queue manager name for
example: - qsg.profile.name and their scope is the named Queue
Sharing Group.

19. Controlling Security - Shared Queue Manager Environment
 DB2
● Setting up Resources in DB2
● Connection to DB2
● Access to DB2 resources
●
 Coupling Facility
● Setting up the Coupling Facility
● Access to the Coupling Facility
 Queue Sharing Groups (QSG)
● Setting up QSG's
● Joining a QSG

20. Controlling Security - Switch Profiles
Granular control of security
checking
Subsystem security
hlq.NO.SUBSYS.SECURITY
Qmgr or QSG Security
hlq.NO.QMGR.CHECKS
hlq.NO.QSG.CHECKS
In QSG also have 'YES' switch
profiles
ssid.YES.type
These profiles are only used if you
have chosen to have both Qmgr and
QSG checking active and need to
override a Qsg level profile on a
given Qmgr.
The hlq on these profiles is always
'ssid' - in other words the qmgr ID
** You cannot set both QMGR & QSG to OFF together - if you try this you will get
both Qmgr and Qsg security activated **

21. Controlling Security - Switch Profiles
Connection Security
hlq.NO.CONNECT.CHECKS
MQ Command Security
hlq.NO.CMD.CHECKS
hlq.NO.CMD.RESC.CHECKS
MQ API Security
hlq.NO.QUEUE.CHECKS
hlq.NO.PROCESS.CHECKS
hlq.NO.NLIST.CHECKS
hlq.NO.CONTEXT.CHECKS
hlq.NO.ALTERNATE.USER.CHECKS
hlq.NO.TOPIC.CHECKS
All defined in the MQADMIN class or MXADMIN class
All switch profiles are uppercase regardless of class

22. Controlling Security - Security Switch options
QMGR
Local
QMGR?
Shared
QMGR?
Qmgr
only
QMGR
only?
QSG
only?
QMGR
& QSG?
 Not QSG
● ssid only
 Queue Sharing Group
● Up to three profiles looked for
● when checking for:
Subsystem security
Queue Manager security
QSG security

23. Controlling Security - Security Switch options
Qmgr
local shared
qmgr qmgr
ssid.NO.SUBSYS.SECURITY
qsg.NO.SUBSYS.SECURITY
ssid.YES.SUBSYS.SECURITY
not found
not found
found
found
set Subsys security
OFF on this qmgr
found not found
ssid.NO.SUBSYS.SECURITY
found not found
Set Subsys
security OFF
on this qmgr
set Subsys
security ON
on this qmgr
set Subsys
security OFF
on this qmgr
set subsys
security ON
on this qmgr
set Subsys security
ON
on this qmgr
1
2
3

24. Controlling Security - Security Switch options
Shared Queue Environment
subsys
ssid.NO.QMGR.CHECKS
qsg.NO.QMGR.CHECKS
set QMGR
security OFF
on this qmgr
ssid.YES.QMGR.CHECKS
not found
not found
found
found
found not found
set QMGR
security OFF
on this qmgr
set QMGR
security ON
on this qmgr
set QMGR
security ON
on this qmgr
ON 4
5
6

25. Controlling Security - Switch Options
Shared Queue Environment
subsys
ssid.NO.QSG.CHECKS
qsg.NO.QSG.CHECKS
set QSG security
OFF on this qmgr
ssid.YES.QSG.CHECKS
not found
not found
found
found
found not found
set QSG security
OFF on this qmgr
set QSG security
ON on this qmgr
set QSG security
ON on this qmgr
ON 7
8
9

26. Controlling Security - Queue Sharing Groups
Rules
 default is check ssid profiles before qsg profiles
● ssid.YES switch profiles override qsg.NO switch profiles
● QMGR checks switch ON / QSG checks switch OFF means ONLY profiles with a
hlq of ssid will be used
● QSG checks switch ON / QMGR checks switch OFF means ONLY profiles with hlq
of qsg will be used
 You cannot set security OFF by setting both QMGR & QSG checking OFF together -
it will default both ON
 Once the QMGR and QSG switches have been determined then the remaining
switch profiles are checked following the QMGR/QSG rules
 Once the Shared Queue Manager is up and running all security checks are
governed by the setting of the individual switch for that type of security and the
QMGR/QSG switch state
 If both QMGR and QSG switches are ON then a hlq of ssid will be used first and if
not found then a hlq a qsg will be used on the security check

27. Security Overview
Controlling Security for WebSphere MQ for z/OS
Access Control
Administration
Summary
Agenda

28. Access Control
 Connection Security
 Reslevel Security
 API security
● covering profiles and userids checked
 Link Level Security

29. Access Control - Connection security
 Profiles are held in the MQCONN class
● One profile per adapter type
hlq.BATCH
hlq.CICS
hlq.IMS
hlq.CHIN
Connection type Userid used
Batch The TSO Userid
 READ access required by adapter
 Connection profiles are always uppercase
The Userid assigned to the batch job via the USER JCL parm
The Userid assigned to the started task by the STARTED class or
the started procedures table
CICS The CICS address space Userid
IMS The IMS region Userid
Channel Initiator The Channel Initiator address space Userid

30. Access Control - RESLEVEL Profile
Single profile per Queue Manager or Queue Sharing Group in
the MQADMIN class or MXADMIN class and looks like
hlq.RESLEVEL
Controls the number of userids used for access control on
MQ API Resource Security
Executing userids access to RESLEVEL profile determines
the number of userids - last for the life of that connection
The RESLEVEL profile is always uppercase

31. Access Control - MQ API Security
Access to Resources
This can be controlled by more than one profile and can
involve several security checks depending on the set up.
Profiles used for Resource security checking are held in
the following classes
MQPROC or MXPROC - Processes
MQNLIST or MXNLIST - Namelists
MQQUEUE or MXQUEUE - Queues
MQADMIN or MXADMIN - Context and Alternate Userids
MXTOPIC - Topics

32. Access control - MQ API Security
Processes and Namelists Security - are opened for inquiry only
MQPROC or MXPROC class - profiles look like
hlq.processname
READ access required by userid(s)
In the MXPROC class 'processname' can be mixed case
MQNLIST or MXNLIST class- profiles look like
hlq.namelistname
READ access required by userid(s)
In the MXNLIST class 'namelistname' can be mixed case

33. Access Control - MQ API Security
Queue Security
Profiles are held in the MQQUEUE or MXQUEUE class and
look like
hlq.resourcename
In the MXQUEUE class 'resourcename' can be mixed case
A profile can protect
 a single Local queue on a local Qmgr
 several Local queues of the same name on different
Shared qmgrs in a QSG
 a single Shared queue in a QSG
a remote qmgr for fully qualified Remote Queues
except cluster queues !

34. Access Control - MQ API Security - Queues
 Access required to the profile is dependent upon the
MQOPEN, MQPUT1, or MQSUB options
Option Access required
Inquire, browse READ
Set ALTER
All others (including all
UPDATE
context options)
DEFINE SUB command can cause a security check against a queue to
take place
Access granularity on z/OS is different to that on distributed
platforms, it is not as granular.
MQGET has the same access as MQPUT, so if you need to distinguish
between 'putters' and 'getters' you can use alias queues to do this.

35. Access Control - MQ API Security - Queues
Queues that may required additional consideration
Dynamic queues
MQOPEN for dynamic queues require access to multiple
profiles Model queue profile and Dynamic queue profile
MQCLOSE checking for permanent dynamic queues
Alias Queues
Alias queues that resolve to topics are different to Alias
queues that resolve to queues
Dead Letter Queues
System Queues
Remote Queues
Managed Queues
No security checks

36. Access Control - MQ API Security - Topics
Topic Security
Profiles are held in the MXTOPIC class and look like
hlq.SUBSCRIBE.resourcename
hlq.PUBLISH.resourcename
In the MXTOPIC class 'resourcename' can be mixed case
Checks take place
When an application Subscribes or Publishes to a Topic using an
MQSUB, MQOPEN or MQPUT1
When an application close removes a subscription using an
MQCLOSE

37. Access Control - MQ API Security - Topics
Access required to the profile is dependent upon the
MQSUB options:-
Option Access required
Resume READ
Create or Alter ALTER
Nearest parent Topic object resource that has security
associated with it that is checked
may involve more than one check, depends on the structure
of the topic tree

38. Access control - MQ API Security
MQADMIN or MXADMIN class - the profiles look like
hlq.CONTEXT.queuename
Controls access to MQMD context fields
Access required to profile is dependent upon which context
options are requested on the MQOPEN or MQPUT1 call
Determines if the MQSD context fields are used on MQSUB
In MXADMIN 'queuename' can be mixed case
hlq.ALTERNATE.USER.alternateuserid
Controls the use of an alternate userid
To use an alternate userid you need UPDATE access to
appropriate profile. You should have one profile per Queue
Manager or Qsg per alternate userid
In MXADMIN alternate userid profiles are always uppercase

39. Access Control - API Security - Userids
All API access control is userid based and Userids are
environment dependent
Batch - Job Userid
CICS - Address space userid, Transaction userid
IMS - Address space userid, 'Second' userid
Mover - Channel Userid, MCA Userid
IGQ - Intra-group Queuing Userid, Sending Queue Manager
Userid
All have the possibility of using an Alternate Userid too
the userid from the MQMD UserIdentifier field of the message
the userid from the MQSD AlternateUserid field on an MQSUB
request
RESLEVEL profile controls number of userids checked

40. How to read User ID Tables
1 check 2 checks
Profile name
ssid.ALTERNATE.USER.alternateuseri
ds
--
-
sid.CONTEXT.queuenam
e
ssid.resourcename ID1
ID1+ID2
ID1+ID2
ID1
--
-
Question to choose
1 check
Key:
NO YES
ID1
ID1
ID1
ID1+ID2
ID1+ID2
ID1+ALT
column
1
Alternate Userid specified on Open or Sub?
2 checks
2
RESLEVEL to
determine
number of
checks
RACF access level Level of checking
NONE Check two userids
READ Check one userid
UPDATE Check one userid
CONTROL No Check
ALTER No Check
Key details actual user
IDs 3

41. Access Control - Userids - Channel Security
Choice dependant on PUTAUT (DEF|CTX|ONLYMCA|ALTMCA)
MCA User ID(MCA)
The userid specified for the MCAUSER channel attribute at the receiver, if
blank , the channel initiator address space userid of the receiver or requester
side. Can also be set by CHLAUTH records.
Channel user ID (CHL)
Receiving channel using TCP/IP
Userid of the channel Initiator address space of the receiver or requester end if PUTAUT
parameter set to DEF or CTX.
Receiving channel using APPC(LU6.2)
Requester/server channels - started from the requester, userid of the Channel Initiator
address space of the receiver or requester end is used
Other channel types - the userid received from the communications system is used. If a
Userid received is blank , or no userid is received then a channel userid of blank is used.

42. Access Control - Userids - Channel Security
 Channel user ID (CHL) cont.
● MCA Userid of the receiver or requester is used if PUTAUT set to
ONLYMCA or ALTMCA.
● SSL derived Userid if SSL is set on channel
 Alternate User ID (ALT)
● The userid specified in the UserIdentifier field in the message
descriptor of the message

43. Userids - Client Channel Security
Choice dependant on PUTAUT
MCA User ID (MCA)
ƒ The userid specified for the MCAUSER channel attribute of the server-connection,
if blank, the user received from the client is used, if none
sent, the channel initiator address space userid is used. Can also be
set by CHLAUTH records.
ƒ The client will send the logged on user ID.
For 'old' clients user ID provided with MQ_USER_ID environment variable
For Java use MQEnvironment.userID
Channel user ID (CHL)
ƒ As for MCA channels
Alternate User ID (ALT)
ƒ The userid specified in the UserIdentifier field in the message
descriptor of the message

44. Access Control - Userids - IGQ security
 IGQAUT (DEF|CTX|ONLYIGQ|ALTIGQ)
 Intra-Group Queuing user ID (IGQ)
● The user ID determined by the IGQUSER attribute of the receiving queue
manager.
If this is set to blanks, the user ID of the receiving queue manager is used.
However because the receiving queue manager has authority to access all
queues defined to it, security checks are not performed from the receiving
queue manager's user ID.
 Sending queue manager user ID (SND)
● The user ID of the queue manager within the queue- sharing group that put the
message on to the SYSTEM.QSG.TRANSMIT.QUEUE
 Alternate User ID (ALT)
● The user ID specified in the UserIdentifier field in the message descriptor of the
message

45. MQ Command Security - Two Types
 MQCMDS class - profiles look like
● hlq.verb.pkw
e.g.
● hlq.DEFINE.QLOCAL
● hlq.DEFINE.CHANNEL
 Access required to profile is depends
upon the verb and is usually ALTER or
CONTROL
 Controls who is allowed to issue each
individual command
 Profiles always uppercase
 MQSC and PCF
 MQADMIN or MXADMIN class
- command resource profiles
look like
● hlq.type.resourcename
e.g.
● hlq.QUEUE.queuename
● hlq.CHANNEL.channelname
 Access required to profile depends
upon the verb and is usually ALTER or
CONTROL
 Controls which resources a user can
issue given commands against
 'resourcename' can be mixed in
MXADMIN
 MQSC and PCF
Together they allow very granular control over MQ commands

46. Access control - Command Security - Userids..
Command checking, Cmd Resource checking
ƒCSQINP1 & CSQINP2 - no checks
ƒSystem Command Queue - MQMD.UserIdentifier
ƒConsole - Console userid
ƒSDSF/TSO - TSO, address space userid
ƒCSQUTIL - address space userid
ƒCSQINPX - Channel Initiator address space userid
Access required to system queues

47. WebSphere MQ Security - Link Level Security -
Solutions
hhhhhhhh Hash
Function
Security Problems
Eavesdropping
Symmetric Key Cryptography
Plaintext
●Tampering
Hash Function
CRL checking
C.R.L.
Alice
Using WebSphere MQ
SSLCIPH(RC4_MD5_US)
SSLKEYR(QM1KEYRING)
SSLPEER('O=IBM')
SSLCAUTH(REQUIRED)
SSLCRLNL(LDAPNL)
A
Private
A
Public
Asymmetric Keys
Alice's Digital
Certificate
CA Sig
Digital Certificates
Impersonation
SSL

48. Security Overview
Controlling Security for WebSphere MQ for z/OS
Access Control
Administration
Summary
Agenda

49. Administration
 MQ commands
 MQ Security Messages
 RESLEVEL auditing

50. Administration - MQ Commands
DISPLAY SECURITY
REFRESH SECURITY
RVERIFY SECURITY
ALTER SECURITY

51. Administration - MQ Commands - DISPLAY
DISPLAY SECURITY ALL|INTERVAL|SWITCHES|TIMEOUT
Displays the current security settings active on your queue manager.
Includes a message which will show either:
CSQH001I !MQ19 CSQHINSQ Security using uppercase classes
or
CSQH001I !MQ19 CSQHINSQ Security using mixed case classes
Shows which security switches are ON/OFF:
CSQH024I !MQ19 CSQHIS1C TOPIC security switch set ON, profile
'MQ19.NO.TOPIC.CHECKS' not found
or
CSQH021I !MQ19 CSQHIS1C TOPIC security switch set OFF, profile
'MQ19.NO.TOPIC.CHECKS' found

52. Administration - MQ Commands - REFRESH
REFRESH SECURITY
(*|MQADMIN,MQQUEUE,MQPROC,MQNLIST,MXADMIN,MXQUEUE,
MXPROC,MXNLIST,MXTOPIC)
TYPE
(CLASSES|AUTHSERV|SSL|CONNAUTH)
Command qualifier
* default
TYPE
CLASSES - default on z/OS
AUTHSERV - default on non z/OS platforms
SSL - refreshes cached view of the SSL key repository, locations of
LDAP servers for Certificate Name Revocation and the key
repository
CONNAUTH - Refreshes the cached view of the configuration for
connection authentication.

53. Administration - MQ Commands - REFRESH
You can only issue a REFRESH command for a class that
matches the case that is currently set in the Queue manager
SCYCASE parameter
CSQH013E !MQ19 CSQHSREF case conflict for class 'classname'
If you change information in any of the RACF MQ Classes you
must issue the following
SETROPTS RACLIST(classname,classname,...) REFRESH
SETROPTS GENERIC(classname,classname,...) REFRESH
in addition to the MQ Refresh command to pick up the changes to
the RACF profiles

54. Administration - MQ Commands
RVERIFY SECURITY(Userid,Userid,...)
ALTER SECURITY INTERVAL(mins) TIMEOUT(mins)
*note - CMDSCOPE

55. Administration - Security Messages
Security Messages are issued during
Qmgr Startup
Security Messages written at startup
Refresh Security
Security messages written during Refresh
Display Security
Shortened messages issued during Display to fit in with
panels

56. Administration - RESLEVEL Auditing
Reslevel Auditing
ZPARM parameter RESAUDIT(YES/NO)
Determines whether a RACF RACROUTE REQUEST=AUDIT
request is performed for each RESLEVEL inquiry that takes
place. This request produces General Audit records (event
number 27).

57. Miscellaneous

58. IMS Bridge
CICS Bridges
JMS
Miscellaneous

59. Miscellaneous - IMS Bridge
XCF GROUP
WebSphere MQ IMS/ESA
OTMA
XCF IMS
IMSXCF.* Profiles
TP
IOPCB
BRIDGE
Utoken
Cache
ACEE
Cache
External Security Manager

60. Miscellaneous - IMS Bridge - continued...
FACILITY class
IMSXCF.xcfgname.xcfmname
1WebSphere MQ/IMS connection security
ƒ IMSXCF.xcfgname.WebSphere MQ_member_name
ƒ WebSphere MQ userid requires READ access to this
profile
2 IMS level of authentication - application level
ƒ IMSXCF.xcfgname.IMS_member_name
ƒ Security processing dependent upon WebSphere MQ's
access to this profile
/SECURE OTMA
ƒ Controls userid processing done by IMS
WebSphere MQ system parameters
ƒ CSQ6SYSP ... OTMACON=(,,,Age,)

61. Miscellaneous - IMS Bridge - continued...
PassTickets
ƒ The PassTicket application name to validate against is specified on
the storage class definition (PASSTKTA of STGCLASS)
ƒ If no value is specified then no value passed to RACF
ƒ As storage class definition is QSGDISP(LOCAL) the value is taken
from the Qmgr so for Shared Queues each Qmgr can specify the
same or a different value
ƒ Application name can be anything acceptable to RACF - as per rules
of PTKTDATA class

62. Miscellaneous - CICS 3270 Bridge
WebSphere MQ CICS/TS
Userid/Password supplied to 3270 transaction
Password verified if present
Surrogate checking otherwise
BRIDGE
MONITOR
3270 TRAN
Unit of Work
TERMiNAL
CONTROL
CMDS
INQ/SET
TERMINAL
Bridge
Exit
Formatter
Browse
Reply
MQGET
START BREXIT( ... ) TRANSID( ... )
BRIDGE FACILITY

63. Miscellaneous - CICS DPL Bridge
CICS/TS
WebSphere MQ
BRIDGE
MONITOR
PROGRAM
EXEC CICS START
BRIDGE
TASK
BROWSE
MQGET
REPLY

64. JMS Authentication

65. MQ Security controls connections
CICS / IMS adapters can pass transaction
userids, but...
MQ assumes transaction mgr authenticated
the userid
Specific userid / password authentication for
WAS client connections
Provided as sample security exit, CSQ4BCX3,
source and LMOD
Does USS BPX1PWD call to RACF on CHL
start
Success => chl runs under authenticated
userid
ƒ MQOPEN auth checks
ƒ Context userid in MD
Written for WAS, but applicable to any client
application
createQueueConnection(userid, password) ;
createSender(requestQueue) ;
FAP UserID flow
MQ
CHIN
CHLTYPE(SVRCONN)
SCYEXIT(CSQ4BCX3)
RACF
N(us
MQ
OPE
erid)
What is it?

66. Security Overview
Controlling Security for WebSphere MQ for z/OS
Access Control
Administration
Summary
Summary

67. Z1: IBM WebSphere MQ for z/OS
Security
Questions?

68. For Additional Information
© 2014 IBM Corporation
 IBM Training
 http://www.ibm.com/training
 IBM WebSphere
 http://www.ibm.com/software/websphere/
 http://www.ibm.com/software/products/ibm-mq
 IBM developerWorks
 http://www.ibm.com/developerworks/websphere
 https://www.ibm.com/developerworks/community/blogs/messaging
 WebSphere forums and community
 http://www.ibm.com/developerworks/websphere/community/

69. IBM MQ Sessions this week
10:30 - 12:00 13:15 - 14:15 14:30 - 15:30 16:00 - 17:00 17:15 - 18:15
© 2014 IBM Corporation
Tues
day
Opening General Session- IBM Digital Experience
and WebSphere Technical University
Session A31: IBM MQ
CHLAUTH rules – with
MQ V8 updates
Speaker: Morag Hughson
Room 02
Session A4: WebSphere MQ
for z/OS: Performance and
Accounting
Speaker: Alexander Ross
Room 8
Session I26: DataPower-MQ
Connectivity Deep Dive
(Theory)
Speaker: Robin Wiley
Room 27
Session Z1: WebSphere MQ
for z/OS V8: Latest Features
Deep Dive
Speaker: Damon Cross
Room 6
9:00 - 10:00 10:30 - 11:30 11:45 - 12:45 14:00 - 15:00 15:15 - 16:15 16:45 - 17:45
Wed
nesda
y
Session Z5: WebSphere
MQ for z/OS: Security
Speaker: Damon Cross
Room 02
Session A21: What's
New in IBM Messaging
Speaker: Morag Hughson
Room 8
Session C7: Messaging in
the Cloud with IBM MQ
Light and IBM Bluemix
Speaker: Rob Nicholson
Room 27
Session A17: Managing work-loads,
scaling and availability
with IBM MQ clusters
Speaker: David Ware
Room 6
Lab IL5: DataPower-MQ Connectivity Deep Dive (Hands-On)
Speaker: Robin Wiley
Room 7b
Session A9: WebSphere MQ
for z/OS: The Inside Story
Speaker: Damon Cross
Room 6
Thur
sday
Session A35: How to
Develop Responsive
Applications with IBM
MQ Light
Speaker: Rob Nicholson
Room 27
Session A22: New IBM
MQ V8 Security Features
Speaker: Morag Hughson
Room 01
Session A3: WebSphere MQ
for z/OS: Shared Queues
Speaker: Alex Ross
Room 6
Session A18: Using Publish
/Subscribe with IBM MQ
Speaker: David Ware
Room 27
Frida
y
Lab AL6: Developing a First Application with IBM
WebSphere MQ Light
Speakers: Robert Nicholson, Alex Ross
Room 7b
Session A16: Using
IBM MQ Pub/Sub in an
MQ network
Speaker: David Ware
Room 6

70. Z5: IBM WebSphere MQ for z/OS
Security
Thank you!