IBM Support

II06967: USING CA-ACF2 WITH WEBSPHERE MQ FOR Z/OS


APAR status

  • Closed as canceled.

Error description

  • IBM MQ or WebSphere MQ for z/OS
    5655MQ900 R000 9.0.0 R010 9.0.x R100 9.1.0 R110 9.1.0 R200 9.2.0
    5655W9700 R000 8.0
    5655R3700 R000 7.0.0 R010 7.0.1 R100 7.1.0
    5655L8200 R600 6.0
    .
    See
    https://knowledge.broadcom.com/external/article/28132/acf2-setup-configuration-for-mqseries-ex.html
    .
    .
    CA-ACF2 Considerations or deviations from WebSphere MQ
    documentation:
    1) The 'subsys' value can be masked in CA-ACF2 resource rules.
    2) Switch profiles are supported through use of GSO SAFDEF
       records.
    3) Resource grouping cannot be used for resource MQQUEUE or
       any other validation invoked through RACROUTE FASTAUTH.
    4) REFRESH SECURITY is required for MQADMIN RESLEVEL changes.
    5) Audit records are reported as ACFRPTRV trace records.
    6) RESLEVEL access checking requires use of SAF access levels.
       The following maps SAF access levels to CA-ACF2 service
       values:
         SAF Access         CA-ACF2 Service
         Read               Read
         Update             Update
         Control            Delete
         Alter              Add
    .
    CA-ACF2 administration Considerations:
    1) GSO CLASMAP records must be inserted for CA-ACF2 releases
       prior to 8.0.  You choose a three-character resource type
       code for each MQ resource class.
    .
    Insert GSO CLASMAP records as follows:
    SET C(GSO)
    INSERT CLASMAP.mqadmin RESOURCE(MQADMIN) RSRCTYPE(mqa) ENTITYLN(62)
    INSERT CLASMAP.mqconn RESOURCE(MQCONN) RSRCTYPE(mqk) ENTITYLN(10)
    INSERT CLASMAP.mqcmds RESOURCE(MQCMDS) RSRCTYPE(mqc) ENTITYLN(22)
    INSERT CLASMAP.mqqueue RESOURCE(MQQUEUE) RSRCTYPE(mqq) ENTITYLN(53)
    INSERT CLASMAP.mqproc RESOURCE(MQPROC) RSRCTYPE(mqp) ENTITYLN(53)
    INSERT CLASMAP.mqnlist RESOURCE(MQNLIST) RSRCTYPE(mqn) ENTITYLN(53)
    ******NOTE****** Enter each INSERT as a single command:
    ENTITYLN follows RSRCTYPE(...) on the same line.
    .
    2) Write resource rules.  The following shows how to write
       a rule for MQADMIN security:
    SET R(mqa)
    COMPILE * STORE
    $KEY(csq1) TYPE(mqa)
    context UID(user1) ALLOW
    reslevel UID(-) SERVICE(update) ALLOW
    alternate.user.- UID(user2) allow
                                             .
    The following shows how to write a rule for MQCONN connection
    security:
    SET R(mqk)
    COMPILE * STORE
    $KEY(csq1) TYPE(mqk)
    batch UID(user1) ALLOW
    cics UID(user2) ALLOW
                                                .
    You can use masking to secure more than one MQ subsystem
    when the subsystems have identical security requirements.  If
    running CSQ1 and CSQ2, the following rule will secure both:
    $KEY(csq*) TYPE(mqa)
    context UID(user1) ALLOW
    reslevel UID(-) SERVICE(update) ALLOW
    alternate.user.- UID(user2) allow
    3) You can define a logonid for each MQM address space.
    The following is an example:
    SET LID
    INSERT csq1mstr MUSASS NON_CNCL STC
    4) MQ processing may use a default logonid.  CA-ACF2 will
    use the batch default logonid for these requests.  If that is
    not appropriate, you can use the MUSDLID logonid field to assign
    a specific default logonid to be used for each MQM region:
    SET LID
    INSERT csq1mstr MUSASS NON_CNCL STC MUSDLID(mqmdflt)
    INSERT MQMDFLT RESTRICT NAME(mq default lid)
    5) By default, security will be disabled for MQ.  You enable
    security by inserting GSO SAFDEF records.  The following enables
    all security for MQ:
    SET C(GSO)
    INSERT SAFDEF.mqm ID(mqm) FUNCRET(8) RETCODE(4) MODE(IGNORE)
                     RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN) REP
                                                               .
    Alternatively, you can selectively enable security by using
    switch profiles.  Switch profiles are described in the MQ
    documentation.  For example, to enable only connect security,
    insert the following SAFDEF records:
    SET C(GSO)
    INSERT SAFDEF.mqm1 ID(mqm1) FUNCRET(8) RETCODE(4) MODE(IGNORE)
       RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,ENTITYX=csq1.no.subsys.security) REP
    .
    INSERT SAFDEF.mqm2 ID(mqm2) FUNCRET(8) RETCODE(4) MODE(IGNORE)
       RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,ENTITYX=csq1.no.connect.checks) REP
    .
    These SAFDEF records return a 'not found' condition to MQ.
    The negative logic is: if no.subsys.security is not found,
    subsys security is active; if no.connect.checks is not found,
    connection security is active.
    .
    You can insert similar SAFDEF records for each switch profile
    you want to enable.  You must always insert the SAFDEF for
    no.subsys.security when using switch profiles.
    .
    To disable security, delete the SAFDEF records you have
    inserted.
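
The negative logic of the switch-profile SAFDEF records in item 5 can be checked mechanically. The following Python is an added example, not IBM or Broadcom code: it parses SAFDEF INSERT commands and reports, per subsystem, which checks they turn on. The function names and the csq2 record are constructed for illustration, and it assumes that a switch profile with no matching SAFDEF leaves that check off.

```python
import re
from collections import defaultdict

# Constructed input: the two csq1 records from the text (one wrapped as on the
# page) plus a hypothetical csq2 record lacking its no.subsys.security SAFDEF.
SAMPLE = """
SET C(GSO)
INSERT SAFDEF.mqm1 ID(mqm1) FUNCRET(8) RETCODE(4) MODE(IGNORE)
RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,ENTITYX=csq1.no.subsys.
security) REP
INSERT SAFDEF.mqm2 ID(mqm2) FUNCRET(8) RETCODE(4) MODE(IGNORE)
RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,ENTITYX=csq1.no.connect.checks) REP
INSERT SAFDEF.mqm3 ID(mqm3) FUNCRET(8) RETCODE(4) MODE(IGNORE)
RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,ENTITYX=csq2.no.queue.checks) REP
"""

RACROUTE = re.compile(r"RACROUTE\(([^)]*)\)", re.IGNORECASE)

def not_found_profiles(text):
    """Collect, per subsystem, the switch profiles a SAFDEF reports as 'not found'."""
    found = defaultdict(set)
    for match in RACROUTE.finditer(text):
        body = re.sub(r"\s+", "", match.group(1))      # rejoin wrapped operands
        params = {k.upper(): v for k, v in
                  (p.split("=", 1) for p in body.split(",") if "=" in p)}
        if (params.get("REQUEST", "").upper(), params.get("CLASS", "").upper()) \
                != ("EXTRACT", "MQADMIN"):
            continue
        subsys, _, switch = params.get("ENTITYX", "").lower().partition(".")
        # No ENTITYX: the blanket record that enables all MQ security.
        found[subsys or "*"].add(switch or "*")
    return found

def audit(text):
    """Return {subsystem: (active checks, findings)} using the negative logic."""
    report = {}
    for subsys, switches in not_found_profiles(text).items():
        if subsys == "*":
            report[subsys] = (["all"], [])
        elif "no.subsys.security" not in switches:
            # Assumption drawn from the text: without this record the other
            # switch SAFDEFs do not turn any checking on.
            report[subsys] = ([], ["no.subsys.security SAFDEF missing"])
        else:
            active = sorted(s[3:] for s in switches if s != "no.subsys.security")
            report[subsys] = (active, [])
    return report

if __name__ == "__main__":
    for subsys, (active, findings) in audit(SAMPLE).items():
        print(subsys, "active:", active, "findings:", findings)
```
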
    ***************************************************************
    Historical Data:
    The original title of this item was:
    ABEND5C6 RC00C8000D USING ACF2 WITH MQM MVS/ESA
    .
    The original problem description included:
      Users who attempt to bring up MQM MVS/ESA using ACF2 security,
      and are currently on ACF2 Version 5.2, are likely to
      experience an abend5C6 RC00C8000D in CSQHLPLM, csect CSQHINIT,
      when starting up the subsystem.
    The APAR included zaps to temporarily disable security switching
    for MQM MVS/ESA.  The MQ and CA-ACF2 releases involved are no
    longer supported, so the zap information has been removed.
    

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

  • close for Internet viewing
    

APAR Information

  • APAR number

    II06967

  • Reported component name

    PB LIB INFO ITE

  • Reported component ID

    INFOPBLIB

  • Reported release

    001

  • Status

    CLOSED CAN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    1993-06-15

  • Closed date

    1997-11-07

  • Last modified date

    2021-04-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels


Document Information

Modified date:
27 April 2021