Task 11: Implement your ESM security controls

Implement security controls for queue-sharing groups, the channel initiator, and all queue managers accessing the coupling facility list structures.

  • Repeat this task for each IBM® MQ queue manager or queue-sharing group.
  • You might need to perform this task when migrating from a previous version.

If you use RACF® as your external security manager, see Setting up security on z/OS® , which describes how to implement these security controls.

If you are using queue-sharing groups, ensure that the user IDs associated with the queue manager, channel initiator, and the utilities (as specified in task 9, step 6 ) have authority to establish an RRSAF (Resource Recovery Services attachment facility) connection to each Db2® subsystem with which you want to establish a connection. The RACF profile to which each of these user IDs requires READ access is DB2ssid.RRSAF in the DSNR resource class, where DB2ssid is the Db2 subsystem identifier.

If you are using the channel initiator, you must also do the following:
  • If your subsystem has connection security active, define a connection security profile ssid.CHIN to your external security manager and give the channel initiator user ID READ access to it (see Connection security profiles for the channel initiator for information about this).
  • If you are using Secure Sockets Layer (SSL) or a sockets interface, ensure that the user ID under whose authority the channel initiator is running is defined to UNIX System Services (that is, it has an OMVS segment), as described in the OS/390® UNIX System Services Planning documentation.
  • If you are using SSL, ensure that the user ID under whose authority the channel initiator is running is configured to access the key ring specified in the SSLKEYR parameter of the ALTER QMGR command. The simplest arrangement is for that user ID to own the key ring, with READ access to the IRR.DIGTCERT.LISTRING profile in the FACILITY class.

Those queue managers that will access the coupling facility list structures require the appropriate security access. The RACF class is FACILITY. The queue manager user ID requires ALTER access to the IXLSTR.structure-name profile, where structure-name is the structure name as defined in the CFRM policy (for IBM MQ structures this is the queue-sharing group name followed by the IBM MQ structure name, for example qsg-nameCSQ_ADMIN for the administration structure).

Before you start the queue manager, set up IBM MQ data set and system security by:
  • Authorizing the queue manager started task procedure to run under your external security manager.
  • Authorizing access to the queue manager data sets (page sets, active and archive logs, and the BSDS).
For details about how to do this, see Security installation tasks for z/OS®.

If you are using RACF, provided you use the RACF STARTED class (rather than the ICHRIN03 started procedures table) to associate user IDs with the started task procedures, you do not need to perform an IPL of your system: the new definitions take effect after SETROPTS RACLIST(STARTED) REFRESH (see RACF authorization of started-task procedures ).
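The following batch job is an added example, not part of the IBM MQ documentation or any IBM-supplied sample, and shows the RACF commands for the steps of this task for one queue manager. The queue manager name CSQ1, queue-sharing group QSG1, Db2 subsystem DSN1, started task procedures CSQ1MSTR and CSQ1CHIN, user IDs CSQ1MSTR, CSQ1CHIN and CSQ1UTIL, group MQMGRP, key ring CSQ1RING, application structure APPL1, the data set prefixes and the data set access levels are all assumptions made for this illustration; replace them with your own names and confirm the access levels against Security installation tasks for z/OS®.

```jcl
//CSQ1SEC  JOB (ACCT),'MQ ESM CONTROLS',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*--------------------------------------------------------------------
//* Added example (not IBM MQ documentation): RACF definitions for
//* queue manager CSQ1 in queue-sharing group QSG1 connecting to Db2
//* subsystem DSN1. All names, UIDs/GIDs, data set prefixes and the
//* data set access levels are ASSUMPTIONS for this installation.
//*--------------------------------------------------------------------
//RACFCMDS EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* ---- 1. Started-task user IDs (protected: no password) ---------- */
 /*      The chinit ID gets an OMVS segment because TCP/IP sockets    */
 /*      and TLS run under z/OS UNIX System Services.                 */
 ADDGROUP MQMGRP OWNER(SYS1) SUPGROUP(SYS1) OMVS(GID(2000))
 ADDUSER  CSQ1MSTR NAME('MQ QMGR CSQ1')   DFLTGRP(MQMGRP) +
          NOPASSWORD NOOIDCARD
 ADDUSER  CSQ1CHIN NAME('MQ CHINIT CSQ1') DFLTGRP(MQMGRP) +
          NOPASSWORD NOOIDCARD +
          OMVS(UID(2001) HOME('/u/csq1chin') PROGRAM('/bin/sh'))
 SETROPTS CLASSACT(STARTED) RACLIST(STARTED) GENERIC(STARTED)
 RDEFINE  STARTED CSQ1MSTR.* STDATA(USER(CSQ1MSTR) GROUP(MQMGRP) TRUSTED(NO))
 RDEFINE  STARTED CSQ1CHIN.* STDATA(USER(CSQ1CHIN) GROUP(MQMGRP) TRUSTED(NO))
 SETROPTS RACLIST(STARTED) REFRESH
 /* ---- 2. Db2 RRSAF connection (DSNR class) for QSG members -------- */
 /*      CSQ1UTIL = assumed user ID for the QSG utility jobs (task 9) */
 SETROPTS CLASSACT(DSNR)
 RDEFINE  DSNR DSN1.RRSAF UACC(NONE)
 PERMIT   DSN1.RRSAF CLASS(DSNR) ID(CSQ1MSTR CSQ1CHIN CSQ1UTIL) ACCESS(READ)
 /* ---- 3. Channel initiator connection security (MQCONN class) ----- */
 /*      Only needed when connection checks are active, i.e. neither  */
 /*      CSQ1.NO.SUBSYS.SECURITY nor CSQ1.NO.CONNECT.CHECKS exists    */
 /*      in the MQADMIN class. RLIST shows whether the switch is set. */
 RLIST    MQADMIN CSQ1.NO.CONNECT.CHECKS
 SETROPTS CLASSACT(MQCONN)
 RDEFINE  MQCONN CSQ1.CHIN UACC(NONE)
 PERMIT   CSQ1.CHIN CLASS(MQCONN) ID(CSQ1CHIN) ACCESS(READ)
 /* ---- 4. Key ring for SSLKEYR, owned by the chinit user ID -------- */
 /*      READ on LISTRING is enough because CSQ1CHIN owns the ring.   */
 RACDCERT ID(CSQ1CHIN) ADDRING(CSQ1RING)
 RDEFINE  FACILITY IRR.DIGTCERT.LIST     UACC(NONE)
 RDEFINE  FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
 PERMIT   IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(CSQ1CHIN) ACCESS(READ)
 PERMIT   IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(CSQ1CHIN) ACCESS(READ)
 /*      Afterwards, in MQSC:  ALTER QMGR SSLKEYR(CSQ1RING)           */
 /* ---- 5. Coupling facility list structures (FACILITY class) ------- */
 /*      Profile names use the CFRM-policy structure names, which are */
 /*      the QSG name followed by the IBM MQ structure name.          */
 RDEFINE  FACILITY IXLSTR.QSG1CSQ_ADMIN UACC(NONE)
 RDEFINE  FACILITY IXLSTR.QSG1APPL1     UACC(NONE)
 PERMIT   IXLSTR.QSG1CSQ_ADMIN CLASS(FACILITY) ID(MQMGRP) ACCESS(ALTER)
 PERMIT   IXLSTR.QSG1APPL1     CLASS(FACILITY) ID(MQMGRP) ACCESS(ALTER)
 SETROPTS RACLIST(FACILITY) REFRESH
 /* ---- 6. Queue manager data sets (page sets, logs, BSDS) ---------- */
 /*      Access levels are ASSUMED here: UPDATE for existing data     */
 /*      sets, ALTER where the queue manager allocates new archive    */
 /*      logs. Confirm against Security installation tasks for z/OS.  */
 ADDSD    'CSQ1.**'         UACC(NONE)
 ADDSD    'CSQ1.ARCHLOG.**' UACC(NONE)
 PERMIT   'CSQ1.**'         CLASS(DATASET) ID(CSQ1MSTR) ACCESS(UPDATE)
 PERMIT   'CSQ1.ARCHLOG.**' CLASS(DATASET) ID(CSQ1MSTR) ACCESS(ALTER)
 SETROPTS GENERIC(DATASET) REFRESH
 /* ---- 7. Check the result before starting CSQ1 -------------------- */
 RLIST    STARTED  CSQ1MSTR.* STDATA
 RLIST    DSNR     DSN1.RRSAF AUTHUSER
 RLIST    MQCONN   CSQ1.CHIN AUTHUSER
 RLIST    FACILITY IXLSTR.QSG1CSQ_ADMIN AUTHUSER
 RACDCERT ID(CSQ1CHIN) LISTRING(CSQ1RING)
/*
```

The comment lines inside SYSTSIN start in column 2 on purpose: a line with /* in columns 1 and 2 is the JCL in-stream delimiter and would end the command input early. Permitting the group MQMGRP rather than the individual user ID to the IXLSTR profiles lets you connect the user IDs of the other queue managers in the queue-sharing group to that group instead of repeating the PERMIT for each one, since every member of the group needs the same ALTER access. Because the STARTED class is RACLISTed, the SETROPTS RACLIST(STARTED) REFRESH in step 1 is what makes the new STDATA definitions effective without an IPL.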