APAR status
Closed as canceled.
Error description
IBM MQ or WebSphere MQ for z/OS
  5655MQ900  R000 9.0.0  R010 9.0.x  R100 9.1.0  R110 9.1.0  R200 9.2.0
  5655W9700  R000 8.0
  5655R3700  R000 7.0.0  R010 7.0.1  R100 7.1.0
  5655L8200  R600 6.0

See https://knowledge.broadcom.com/external/article/28132/acf2-setup-configuration-for-mqseries-ex.html

CA-ACF2 considerations or deviations from WebSphere MQ documentation:

1) The 'subsys' value can be masked in CA-ACF2 resource rules.
2) Switch profiles are supported through use of GSO SAFDEF records.
3) Resource grouping cannot be used for resource MQQUEUE or any other validation invoked through RACROUTE FASTAUTH.
4) REFRESH SECURITY is required for MQADMIN RESLEVEL changes.
5) Audit records are reported as ACFRPTRV trace records.
6) RESLEVEL access checking requires use of SAF access levels. The following maps SAF access levels to CA-ACF2 service values:

   SAF Access   CA-ACF2 Service
   Read         Read
   Update       Update
   Control      Delete
   Alter        Add

CA-ACF2 administration considerations:

1) GSO CLASMAP records must be inserted for CA-ACF2 releases prior to 8.0. You choose a three-character resource type code for each MQ resource class. Insert GSO CLASMAP records as follows:

   SET C(GSO)
   INSERT CLASMAP.mqadmin RESOURCE(MQADMIN) RSRCTYPE(mqa) ENTITYLN(62)
   INSERT CLASMAP.mqconn RESOURCE(MQCONN) RSRCTYPE(mqk) ENTITYLN(10)
   INSERT CLASMAP.mqcmds RESOURCE(MQCMDS) RSRCTYPE(mqc) ENTITYLN(22)
   INSERT CLASMAP.mqqueue RESOURCE(MQQUEUE) RSRCTYPE(mqq) ENTITYLN(53)
   INSERT CLASMAP.mqproc RESOURCE(MQPROC) RSRCTYPE(mqp) ENTITYLN(53)
   INSERT CLASMAP.mqnlist RESOURCE(MQNLIST) RSRCTYPE(mqn) ENTITYLN(53)

   NOTE: Each INSERT is a single command. ENTITYLN should follow RSRCTYPE on the same line.

2) Write resource rules. The following shows how to write a rule for MQADMIN security:

   SET R(mqa)
   COMPILE * STORE
   $KEY(csq1) TYPE(mqa)
    context UID(user1) ALLOW
    reslevel UID() SERVICE(update) ALLOW
    alternate.user.- UID(user2) allow

   The following shows how to write a rule for MQCONN connection security:

   SET R(mqk)
   COMPILE * STORE
   $KEY(csq1) TYPE(mqk)
    batch UID(user1) ALLOW
    cics UID(user2) ALLOW

   You can use masking to secure more than one MQ subsystem when the subsystems have identical security requirements. If running CSQ1 and CSQ2, the following rule will secure both:

   $KEY(csq*) TYPE(mqa)
    context UID(user1) ALLOW
    reslevel UID(-) SERVICE(update) ALLOW
    alternate.user.- UID(user2) allow

3) You can define a logonid for each MQM address space. The following is an example:

   SET LID
   INSERT csq1mstr MUSASS NON_CNCL STC

4) MQ processing may use a default logonid. CA-ACF2 will use the batch default logonid for these requests. If that is not appropriate, you can use the MUSDLID logonid field to assign a specific default logonid to be used for each MQM region:

   SET LID
   INSERT csq1mstr MUSASS NON_CNCL STC MUSDLID(mqmdflt)
   INSERT MQMDFLT RESTRICT NAME(mq default lid)

5) By default, security will be disabled for MQ. You enable security by inserting GSO SAFDEF records. The following enables all security for MQ:

   SET C(GSO)
   INSERT SAFDEF.mqm ID(mqm) FUNCRET(8) RETCODE(4) MODE(IGNORE) RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN) REP

   Alternatively, you can selectively enable security by using switch profiles. Switch profiles are described in MQ documentation. For example, to enable only connect security, insert the following SAFDEF records:

   SET C(GSO)
   INSERT SAFDEF.mqm1 ID(mqm1) FUNCRET(8) RETCODE(4) MODE(IGNORE) RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,ENTITYX=csq1.no.subsys.security) REP
   INSERT SAFDEF.mqm2 ID(mqm2) FUNCRET(8) RETCODE(4) MODE(IGNORE) RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,ENTITYX=csq1.no.connect.checks) REP

   These SAFDEF records return a 'not found' condition to MQ. The negative logic is: if no.subsys.security is not found, subsys security is active; if no.connect.checks is not found, connection security is active.

   You can insert similar SAFDEF records for each switch profile you want to enable.
   You must always insert the SAFDEF for no.subsys.security when using switch profiles.

   To disable security, delete the SAFDEF records you have inserted.

***************************************************************
Historical Data:

The original title of this item was: ABEND5C6 RC00C8000D USING ACF2 WITH MQM MVS/ESA

The original problem description included: Users who attempt to bring up MQM MVS/ESA using ACF2 security, and are currently on ACF2 Version 5.2, are likely to experience an abend5C6 RC00C8000D in CSQHLPLM, csect CSQHINIT, when starting up the subsystem.

The APAR included zaps to temporarily disable security switching for MQM MVS/ESA. The MQ and CA-ACF2 releases involved are no longer supported, so the zap information has been removed.
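The switch-profile negative logic in administration item 5 can be checked against a listing of SAFDEF records. The following Python sketch is an added example, not part of the APAR or of any IBM or CA tooling: the function name mq_security_state is hypothetical, and it assumes each record is already joined onto one line and that ENTITYX values are literal (unmasked).

```python
import re

RACROUTE = re.compile(r"RACROUTE\(([^)]*)\)", re.IGNORECASE)
ENTITYX = re.compile(r"ENTITYX=([^,)\s]+)", re.IGNORECASE)

def mq_security_state(safdef_records, ssid):
    """Model the negative logic described above for one MQ subsystem.

    Returns (active_checks, findings). Hypothetical helper: assumes literal
    ENTITYX values and one SAFDEF record per string.
    """
    prefix = ssid.lower() + "."
    not_found = set()
    for rec in safdef_records:
        route = RACROUTE.search(rec)
        if not route or "CLASS=MQADMIN" not in route.group(1).upper():
            continue
        if "MODE(IGNORE)" not in rec.upper():
            continue  # only MODE(IGNORE) records produce the 'not found' answer
        entity = ENTITYX.search(route.group(1))
        if entity is None:
            # No ENTITYX: every switch profile lookup is answered 'not found'.
            return {"all"}, []
        name = entity.group(1).lower()
        if name.startswith(prefix + "no."):
            not_found.add(name[len(prefix):])
    if not not_found:
        return set(), [f"{ssid}: no SAFDEF records, MQ security is disabled"]
    if "no.subsys.security" not in not_found:
        return set(), [f"{ssid}: no.subsys.security SAFDEF missing, "
                       "required whenever switch profiles are used"]
    # 'no.X' not found  ->  check X is active
    return {n[len("no."):] for n in not_found}, []

# Sample records: the SAFDEF examples from item 5, joined onto single lines.
SAMPLE = [
    "INSERT SAFDEF.mqm1 ID(mqm1) FUNCRET(8) RETCODE(4) MODE(IGNORE) "
    "RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,ENTITYX=csq1.no.subsys.security) REP",
    "INSERT SAFDEF.mqm2 ID(mqm2) FUNCRET(8) RETCODE(4) MODE(IGNORE) "
    "RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,ENTITYX=csq1.no.connect.checks) REP",
]

if __name__ == "__main__":
    print(mq_security_state(SAMPLE, "csq1"))      # both switches present
    print(mq_security_state(SAMPLE[1:], "csq1"))  # required SAFDEF missing
    print(mq_security_state(SAMPLE, "csq2"))      # nothing defined for csq2
```

A finding for a subsystem that is expected to be secured means MQ is receiving a 'found' answer for no.subsys.security, which leaves that subsystem's security disabled.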
Local fix
Problem summary
Problem conclusion
Temporary fix
Comments
close for Internet viewing
APAR Information
APAR number
II06967
Reported component name
PB LIB INFO ITE
Reported component ID
INFOPBLIB
Reported release
001
Status
CLOSED CAN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
1993-06-15
Closed date
1997-11-07
Last modified date
2021-04-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Document Information
Modified date:
27 April 2021