WebSphere MQ security implementation checklist
This chapter gives a step-by-step procedure you can use to work out and
define the security implementation for each of your WebSphere MQ queue managers.
Refer to other sections for details, in particular Profiles used to control access to WebSphere MQ resources.
If you require security checking, follow this checklist to implement it:
- Activate the RACF® MQADMIN class. The switch profiles named in the "No" answers below are defined in this class, and if the class is inactive no security checking is done for the queue manager at all.
- Do you want security at queue-sharing group level, queue-manager level,
or a combination of both?
Refer to Profiles to control queue-sharing group or queue manager level security.
- Do you need connection security?
- Do you need security checking on commands?
- Do you need security on the resources used in commands?
- Do you need queue security?
- Yes: Activate the MQQUEUE class. Define appropriate
queue profiles for the required queue manager or queue-sharing group in the
MQQUEUE class and permit the appropriate users or groups access to these profiles.
- No: Define an hlq.NO.QUEUE.CHECKS profile for the
required queue manager or queue-sharing group in the MQADMIN class. The existence of
a switch profile is what turns the checking off; its access list is not consulted.
- Do you need process security?
- Yes: Activate the MQPROC class. Define appropriate
process profiles at either queue manager or queue-sharing group level and
permit the appropriate users or groups access to these profiles.
- No: Define an hlq.NO.PROCESS.CHECKS profile for
the appropriate queue manager or queue-sharing group in the MQADMIN class.
- Do you need namelist security?
- Yes: Activate the MQNLIST class. Define appropriate
namelist profiles at either queue manager level or queue-sharing group level
in the MQNLIST class and permit the appropriate users or groups access to
these profiles.
- No: Define an hlq.NO.NLIST.CHECKS profile for the
required queue manager or queue-sharing group in the MQADMIN class.
- Do you need to control which users can use the context options of MQOPEN and MQPUT1 (the MQOO_*_CONTEXT and MQPMO_*_CONTEXT options)?
- Yes: Ensure the MQADMIN class is active. Define
hlq.CONTEXT.queuename profiles at the queue, queue manager, or queue-sharing
group level in the MQADMIN class and permit the appropriate users or groups
access to these profiles.
- No: Define an hlq.NO.CONTEXT.CHECKS profile for
the required queue manager or queue-sharing group in the MQADMIN class.
- Do you need to protect the use of alternate user IDs?
- Yes: Ensure the MQADMIN class is active. Define
the appropriate hlq.ALTERNATE.USER.alternateuserid profiles
for the required queue manager or queue-sharing group and permit the required
users or groups access to these profiles.
- No: Define the profile hlq.NO.ALTERNATE.USER.CHECKS
for the required queue manager or queue-sharing group in the MQADMIN class.
- Do you need to tailor which user IDs are to be used for resource security
checks through RESLEVEL?
- Yes: Ensure the MQADMIN class is active. Define
an hlq.RESLEVEL profile at either queue manager level or queue-sharing group
level in the MQADMIN class and permit the required users or groups access
to the profile.
- No: Ensure that no generic profiles exist in the
MQADMIN class that could apply to hlq.RESLEVEL, because any access granted through
hlq.RESLEVEL changes which user IDs are checked. Define a discrete hlq.RESLEVEL profile
for the required queue manager or queue-sharing group and ensure that no users
or groups have access to it.
- Do you need to 'time out' unused user IDs from WebSphere MQ (discard cached security information for user IDs that have not been used for a while)?
- Yes: Determine what timeout values you would like
to use and issue the MQSC ALTER SECURITY command to change the TIMEOUT and
INTERVAL parameters.
- No: Issue the MQSC ALTER SECURITY command to set
the INTERVAL value to zero.
Note:
Update the CSQINP1 initialization input data set used
by your subsystem so that the MQSC ALTER SECURITY command is issued automatically
at every queue manager start up.
- Do you use distributed queuing?
- Yes: Determine the appropriate MCAUSER attribute
value for each channel, and provide suitable channel security exits. A blank MCAUSER
on a receiving channel means the channel runs under the user ID flowed from the remote
end, so set it explicitly on channels that accept connections from systems you do not control.
- Do you want to use the Secure Sockets Layer (SSL)?
- Yes: Plan your SSL infrastructure. Install the System
SSL feature of z/OS. In RACF, set up your certificate name filters (CNFs), if you
are using them, and your digital certificates. Set up your SSL key ring. Ensure
that the SSLKEYR queue manager attribute is nonblank and points to your SSL
key ring, and ensure that the value of SSLTASKS is at least 2.
- No: Ensure that SSLKEYR is blank, and SSLTASKS is
zero.
For further details about SSL, see WebSphere MQ Security.
- Do you use clients?
- Yes: Determine the appropriate MCAUSER attribute
value for each server-connection channel, and provide suitable channel security
exits if required.
- Check your switch settings.
WebSphere MQ issues messages at queue manager startup
that display your security settings. Use these messages to determine whether
your switches are set correctly. For an example of these messages, see the WebSphere MQ for z/OS System Administration Guide.
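The checklist above carried through for one queue manager, as an added worked example that is not part of the IBM documentation. It assumes a hypothetical queue manager QM01 secured at queue-manager level (so hlq is QM01), with queue and context checking on, process, namelist and alternate-user checking off, RESLEVEL locked down, and client access through a server-connection channel. The group names APPGRP, MQADM, MQCHIN and APPCLNT, the queue and channel names, the key ring name MQRING and the library high-level qualifier thlqual are all assumptions. The RACF commands run in batch TSO and the MQSC commands go through the CSQUTIL COMMAND function.

```jcl
//MQSECDEF JOB (ACCT),'QM01 SECURITY',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Step 1: RACF definitions in batch TSO. hlq is the queue manager
//* name QM01; for queue-sharing group level security the QSG name
//* would be used instead. All user and group names are hypothetical.
//*
//RACFDEF  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* MQADMIN must be active: the switch profiles live in it, and   */
  /* if it is inactive no security checking is done at all.        */
  SETROPTS CLASSACT(MQADMIN MQQUEUE)
  SETROPTS GENERIC(MQADMIN MQQUEUE)
  /* Queue security ON: protect the queue, then permit by group.   */
  /* UPDATE covers MQOPEN for input and output; ALTER adds MQSET.  */
  RDEFINE MQQUEUE QM01.APP.REQUEST UACC(NONE)
  PERMIT QM01.APP.REQUEST CLASS(MQQUEUE) ID(APPGRP) ACCESS(UPDATE)
  RDEFINE MQQUEUE QM01.SYSTEM.** UACC(NONE)
  PERMIT QM01.SYSTEM.** CLASS(MQQUEUE) ID(MQADM) ACCESS(ALTER)
  /* Process, namelist and alternate-user checks OFF. The existence */
  /* of the switch profile turns the check off; its access list is  */
  /* never consulted, so leave it at UACC(NONE).                    */
  RDEFINE MQADMIN QM01.NO.PROCESS.CHECKS UACC(NONE)
  RDEFINE MQADMIN QM01.NO.NLIST.CHECKS UACC(NONE)
  RDEFINE MQADMIN QM01.NO.ALTERNATE.USER.CHECKS UACC(NONE)
  /* Context checks ON: only the channel initiator may set all      */
  /* context (CONTROL); everyone else is denied by default.         */
  RDEFINE MQADMIN QM01.CONTEXT.** UACC(NONE)
  PERMIT QM01.CONTEXT.** CLASS(MQADMIN) ID(MQCHIN) ACCESS(CONTROL)
  /* RESLEVEL not used: a discrete profile with an empty access     */
  /* list, so that no generic MQADMIN profile can grant access.     */
  RDEFINE MQADMIN QM01.RESLEVEL UACC(NONE)
  /* Check: RLIST must report the discrete profile. If the name it  */
  /* shows contains * or %, a generic profile still covers it.      */
  RLIST MQADMIN QM01.RESLEVEL
  /* Refresh in-storage copies if the classes are RACLISTed.        */
  SETROPTS RACLIST(MQADMIN MQQUEUE) REFRESH
/*
//*
//* Step 2: MQSC through CSQUTIL. Also place the ALTER SECURITY
//* command in CSQINP1 so it is reissued at every queue manager start.
//*
//MQSC     EXEC PGM=CSQUTIL,PARM='QM01'
//STEPLIB  DD DISP=SHR,DSN=thlqual.SCSQANLE
//         DD DISP=SHR,DSN=thlqual.SCSQAUTH
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  COMMAND DDNAME(CMDINP)
/*
//CMDINP   DD *
* Time out cached user IDs 54 minutes after last use, scanning every 12
ALTER SECURITY TIMEOUT(54) INTERVAL(12)
* SSL: key ring owned by the channel initiator user ID, at least 2 tasks
ALTER QMGR SSLKEYR(MQRING) SSLTASKS(2)
* Clients: never leave MCAUSER blank on a server-connection channel
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('APPCLNT') REPLACE
* Pick up the new switch profiles without a restart, then verify them
REFRESH SECURITY TYPE(CLASSES)
DISPLAY SECURITY ALL
/*
```

The DISPLAY SECURITY ALL output at the end of the job, together with the startup messages the queue manager issues, is what you compare against the answers you gave in the checklist: each resource type should show checking on or off exactly as the switch profiles you defined intend, and the TIMEOUT and INTERVAL values should match the ALTER SECURITY command.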