Security checking on IMS
Each WebSphere MQ message that passes across the bridge contains the following
security information:
- A user ID contained in the UserIdentifier field of the MQMD structure
- The security scope contained in the SecurityScope field of the
MQIIH structure (if the MQIIH structure is present)
- A Utoken (unless the WebSphere MQ subsystem has CONTROL or ALTER access to the
relevant IMSXCF.xcfgname.imsxcfmname profile)
The security checks made depend on the setting of the IMS command /SECURE
OTMA, as follows:
- /SECURE OTMA NONE
  - No security checks are made for the transaction.
- /SECURE OTMA CHECK
  - The UserIdentifier field of the MQMD structure is passed to IMS for
    transaction or command authority checking. An ACEE (Accessor Environment
    Element) is built in the IMS control region.
- /SECURE OTMA FULL
  - The UserIdentifier field of the MQMD structure is passed to IMS for
    transaction or command authority checking. An ACEE is built in the IMS
    dependent region as well as the IMS control region.
- /SECURE OTMA PROFILE
  - The UserIdentifier field of the MQMD structure is passed to IMS for
    transaction or command authority checking. The SecurityScope field in the
    MQIIH structure is used to determine whether to build an ACEE in the IMS
    dependent region as well as the control region.
Notes:
- If you change the authorities in the TIMS or CIMS class, or the associated
group classes GIMS or DIMS, you must issue the following IMS commands to activate
the changes:
  - /MODIFY PREPARE RACF
  - /MODIFY COMMIT
- If you do not use /SECURE OTMA PROFILE, any value specified in the SecurityScope field of the MQIIH structure is ignored.