The possible users of WebSphere MQ data sets include:
For all these potential users, protect the WebSphere MQ data sets with RACF(R).
You must also control access to all your 'CSQINP' data sets.
Some WebSphere MQ data sets should be for the exclusive use of the queue manager. If you protect your WebSphere MQ data sets using RACF, you must also authorize the queue manager started-task procedure xxxxMSTR, and the distributed queuing started-task procedure xxxxCHIN, using RACF. To do this, use the STARTED class. Alternatively, you can use the started procedures table (ICHRIN03), but then you need to IPL your z/OS system before the changes take effect.
For more information, see the z/OS(R) Security Server RACF System Programmer's Guide.
The RACF user ID identified must have the required access to the data sets in the started-task procedure. For example, if you associate a queue manager started task procedure called CSQ1MSTR with the RACF user ID QMGRCSQ1, the user ID QMGRCSQ1 must have access to the z/OS resources accessed by the CSQ1 queue manager.
The RACF user IDs associated with the queue manager and channel initiator started task procedures should not have the TRUSTED attribute set.
The WebSphere MQ data sets should be protected so that no unauthorized user can run a queue manager instance, or gain access to any queue manager data. To do this, use normal z/OS RACF data set protection. For more information, see the z/OS Security Server RACF Security Administrator's Guide.
Table 63 summarizes the RACF access that the queue manager started task procedure must have to the different data sets.
RACF access | Data sets |
---|---|
READ |
|
UPDATE |
|
ALTER |
|
Table 64 summarizes the RACF access that the started task procedure for distributed queuing must have to the different data sets.
RACF access | Data sets |
---|---|
READ |
|
UPDATE |
|
Notices |
Downloads |
Library |
Support |
Feedback
![]() ![]() |
csqsav04115 |