On z/OS there is no concept of a "privileged user"

Technote (troubleshooting)


Problem(Abstract)

On z/OS there is no concept of a "privileged user".

Symptom

You are on z/OS WebSphere MQ v7.1 and trying to activate CHLAUTH. You run into a problem with the *MQADMIN test which does not appear to work the same on z/OS as it does on AIX.


Cause

On z/OS there is no concept of a "privileged user". In the WebSphere MQ Information Center, z/OS isn't listed in the platforms for privileged users.

Resolving the problem

You might consider using the USERLIST attribute in the SET CHLAUTH command and *MQADMIN on the different platforms.

Channel authentication
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/mi77190_.htm
Inquire Channel Authentication Records (Response)
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/pc20660_.htm

SET CHLAUTH
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/sc14440_.htm


    USERLIST
    A list of up to 100 user IDs which are banned from use of this channel or set of channels. Use the special value *MQADMIN to mean privileged or administrative users. The definition of this value depends on the operating system, as follows:
    • On Windows, all members of the mqm group, the Administrators group and SYSTEM.
    • On UNIX and Linux, all members of the mqm group.
    • On IBM i, the profiles (users) qmqm and qmqmadm and all members of the qmqmadm group, and any user defined with the *ALLOBJ special setting.
    • On z/OS, the user ID that the channel initiator and queue manager address spaces are running under.
    For more information about privileged users, see Privileged users
    ( http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/zs00150_.htm)
    This parameter is only valid with TYPE(BLOCKUSER).

Essentially, on z/OS the *MQADMIN value will ONLY block the user ids that the MSTR and CHIN address spaces are started under.

When securing channels, you might consider using a "back-stop" rule to control access as described in the following developerWorks article: CHLAUTH - the back-stop rule.


Product Alias/Synonym

WMQ MQ

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

WebSphere MQ
Security

Software version:

7.1

Operating system(s):

OS/390, z/OS

Reference #:

1643861

Modified date:

2013-07-19

Translate my page

Machine Translation

Content navigation