WebSphere MQ security implementation checklist

This chapter gives a step-by-step procedure you can use to work out and define the security implementation for each of your WebSphere MQ queue managers. Refer to other sections for details, in particular Profiles used to control access to WebSphere MQ resources.

If you require security checking, follow this checklist to implement it:

  1. Activate the RACF(R) MQADMIN class.
  2. Do you want security at queue-sharing group level, queue-manager level, or a combination of both?

    Refer to Profiles to control queue-sharing group or queue manager level security.

  3. Do you need connection security?
  4. Do you need security checking on commands?
  5. Do you need security on the resources used in commands?
  6. Do you need queue security?
  7. Do you need process security?
  8. Do you need namelist security?
  9. Do any users need to protect the use of the MQOPEN or MQPUT1 options relating to the use of context?
  10. Do you need to protect the use of alternate user IDs?
  11. Do you need to tailor which user IDs are to be used for resource security checks through RESLEVEL?
  12. Do you need to 'time out' unused user IDs from WebSphere MQ?
    Note:
    Update the CSQINP1 initialization input data set used by your subsystem so that the MQSC ALTER SECURITY command is issued automatically at every queue manager start up.
  13. Do you use distributed queuing?
  14. Do you want to use the Secure Sockets Layer (SSL)?

    For further details about SSL, see WebSphere MQ Security.

  15. Do you use clients?
  16. Check your switch settings.

    WebSphere MQ issues messages at queue manager startup that display your security settings. Use these messages to determine whether your switches are set correctly. For an example of these messages, see the WebSphere MQ for z/OS System Administration Guide.