WebSphere Message Brokers
File: ae14030_
Writer: Stephanie J Strugnell

Task topic

This build: July 31, 2007 21:27:42

Setting up z/OS security

You need to complete some security configuration tasks before WebSphere Message Broker can work correctly. The steps you need to follow are described in this topic and in the related tasks listed at the end of it.

Decide on the started task names of the broker, Configuration Manager, and User Name Server. These names are used to set up started task authorizations, and to manage your system performance.

Decide on a data set naming convention for your WebSphere Message Broker PDSEs. A typical name might be WMQI.MQP1BRK.CNTL or MQS.MQP1UNS.BIPCNTL, where MQP1 is the queue manager name. You need to give the WebSphere Message Broker, WebSphere MQ, DB2, and z/OS administrators access to these data sets. You can give these professionals control access in several ways, for example:
  • Give each user individual access to the specific data set.
  • Define a generic data set profile, defining a group that contains the user IDs of the administrators. Grant the group control access to the generic data set profile.

If you intend to use Publish/Subscribe, define a group called MQBRKRS and connect the started task user IDs to this group. Define an OMVS group segment for this group so that the User Name Server can extract information from the External Security Manager (ESM) database to enable you to use Publish/Subscribe security.

Each broker needs a unique ID for its DB2 tables. This can be either:
  • A unique started task user ID; you could use the broker name as the started task user ID. Define a unique group for the broker (for example MQP1GRP) that has all necessary DB2 authorities defined. The broker started task user ID and the WebSphere Message Broker administrator are both members of this group.
  • A shared started task user ID and a unique group specified to identify the DB2 tables to be used with the ODBC interface. Use the broker name as the group name.

Define an OMVS segment for the started task user ID and give its home directory sufficient space for any WebSphere Message Broker dumps. Consider using the started task procedure name as the started task user ID. Check that your OMVS segment is defined by using the following TSO command:

  LU userid OMVS

The command output includes the OMVS segment, for example:

  USER=MQP1BRK NAME=SMITH, JANE OWNER=TSOUSER
  CREATED=99.342 DEFAULT-GROUP=TSOUSER PASSDATE=01.198
  PASS-INTERVAL=30
  ......
  OMVS INFORMATION
  ----------------
  UID=0000070594
  HOME=/u/MQP1BRK
  PROGRAM=/bin/sh
  CPUTIMEMAX=NONE
  ASSIZEMAX=NONE
  FILEPROCMAX=NONE
  PROCUSERMAX=NONE
  THREADSMAX=NONE
  MMAPAREAMAX=NONE

The command:

  df -P /u/MQP1BRK

displays the amount of space used and available in the file system, where /u/MQP1BRK is the value of HOME in the output above. Check with your data administrators that this is sufficient: you need a minimum of 400 000 blocks free, which is required if a dump is taken.
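The two checks above, combined into one script as an added example (this is not code from the IBM topic): it parses LU output for the OMVS HOME value, reads the Available column from df -P, and compares it with the 400 000 block minimum. The sample outputs are constructed, and running the real commands through tsocmd on z/OS UNIX is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the IBM topic): verify that a started task user ID has an
# OMVS segment and that its HOME file system has at least 400 000 free blocks,
# the minimum this topic requires in case a broker dump is taken.
MIN_FREE_BLOCKS=400000

# omvs_home: read "LU userid OMVS" output on stdin and print the HOME= value.
# Returns 1 when the output has no OMVS INFORMATION section (no OMVS segment).
omvs_home() {
    awk '/^OMVS INFORMATION/ { seen = 1; next }
         seen && /^HOME=/ { sub(/^HOME=/, ""); print; found = 1; exit }
         END { exit found ? 0 : 1 }'
}

# df_free_blocks: read "df -P path" output on stdin and print the Available
# column (4th field) of the last data line, skipping the header line.
df_free_blocks() {
    awk 'NR > 1 && NF >= 4 { avail = $4 }
         END { if (avail == "") exit 1; print avail }'
}

# check_dump_space FREE: succeed only if FREE is at least MIN_FREE_BLOCKS.
check_dump_space() {
    [ "$1" -ge "$MIN_FREE_BLOCKS" ]
}

# Constructed sample output. On z/OS you would pipe in the real output, e.g.
#   tsocmd "LU MQP1BRK OMVS" | omvs_home      and      df -P "$home" | df_free_blocks
# (using tsocmd is an assumption of this example, not something the topic states).
SAMPLE_LU='USER=MQP1BRK NAME=SMITH, JANE OWNER=TSOUSER
OMVS INFORMATION
----------------
UID=0000070594
HOME=/u/MQP1BRK
PROGRAM=/bin/sh'
SAMPLE_DF='Filesystem     512-blocks    Used Available Capacity Mounted on
/dev/sample.fs    1048576  327680    720896      32% /u/MQP1BRK'

home=$(printf '%s\n' "$SAMPLE_LU" | omvs_home) || { echo "no OMVS segment defined"; exit 1; }
free=$(printf '%s\n' "$SAMPLE_DF" | df_free_blocks)
if check_dump_space "$free"; then
    echo "HOME=$home has $free free blocks: sufficient for dumps"
else
    echo "HOME=$home has only $free free blocks: below the $MIN_FREE_BLOCKS minimum"
fi
```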

Associate the started task procedure with the user ID to be used. For example, you can use the STARTED class in RACF®. The WebSphere Message Broker and z/OS administrators must agree on the name of the started task.

WebSphere Message Broker administrators need an OMVS segment and a home directory. Check the setup described above.

The started task user IDs and the WebSphere Message Broker administrators need access to the install processing files, the component-specific files, and the home directory of the started task. During customization the file ownership can be changed to alter group access. This might require superuser authority.

When the service user ID is root, all libraries loaded by the broker, including all user-written plug-in libraries and all shared libraries that they might access, also have root access to all system resources (for example, file sets). Review and assess the risk involved in granting this level of authorization.

For more information on various aspects of security, see Security overview.

Related concepts
Security overview
Enabling the Configuration Manager on z/OS to obtain user ID information
Related tasks
Setting up DB2 security on z/OS
Setting up WebSphere MQ
Setting up workbench access on z/OS
Creating Publish/Subscribe user IDs
Related reference
Customization tasks and roles on z/OS
Summary of required access (z/OS)

Copyright IBM Corporation 1999, 2007. All Rights Reserved.
