Task 24: Set up the started task user Advanced Message Security

The IBM® MQ Advanced Message Security task requires a user ID that allows it to be known as a UNIX System Services process.

In addition, the users that the task works on behalf of must also have an appropriate definition of a UNIX UID (user ID) and GID (group ID) so these users are known as UNIX System Services users. For more information on defining UNIX System Services UIDs and GIDs, see z/OS: Security Server RACF Security Administrator's Guide.

z/OS: UNIX System Services Planning compares traditional UNIX security to z/OS® security. The primary difference between traditional UNIX security and z/OS security is that the Kernel services support two levels of appropriate privileges: UNIX level and z/OS UNIX level.

Depending on your installation's security policy, the IBM MQ Advanced Message Security task can either run with superuser authority (UID(0)), or with its RACF® identity permitted to the RACF FACILITY class BPX.DAEMON and BPX.SERVER profiles, because this task must be able to assume the RACF identity of its users. The second option is the least-privilege one: the task keeps a non-zero UID and receives only the identity-switching privilege that BPX.DAEMON and BPX.SERVER confer, rather than every z/OS UNIX privilege that UID(0) carries.

If the latter method is used, or you have already activated the BPX.DAEMON or BPX.SERVER profiles, the IBM MQ Advanced Message Security task program (thlqual.SCSQAUTH(CSQ0DSRV)) must be located in RACF program-controlled libraries. This is a z/OS UNIX rule rather than an IBM MQ one: once BPX.DAEMON or BPX.SERVER is defined, a process that loads a module from a library that is not program controlled has its address space marked dirty, and the kernel then refuses its identity-switching requests.

Review z/OS: UNIX System Services Planning to ensure that you understand the security differences between traditional UNIX security and z/OS UNIX security. This allows you to administer the IBM MQ Advanced Message Security task according to your installation's security policy for deploying and running privileged UNIX System Services processes.

For reference, the publications useful to this review are:

  • z/OS: UNIX System Services Planning.
  • z/OS: Security Server RACF Security Administrator's Guide.
Note: Choose the user ID for this task carefully, because the IBM MQ Advanced Message Security recipient certificates are loaded into a key ring associated with this user ID. This consideration is discussed in Using certificates on z/OS.

The steps shown here describe how to set up the IBM MQ Advanced Message Security started task user. The steps use RACF commands as examples. If you are using a different security manager, you should use equivalent commands.

Note: The examples in this section assume that you have activated generic profile command processing for the RACF STARTED, FACILITY, and SURROGAT classes and generic profile checking. For more information on how RACF handles generic profiles, see z/OS: Security Server RACF Command Language Reference.
  1. First define a RACF user profile for the IBM MQ Advanced Message Security started task user. The IBM MQ Advanced Message Security started tasks of all your queue managers can run under this same user ID, as the examples that follow assume.
    ADDUSER WMQAMSM NAME('IBM MQ Advanced Message Security user') OMVS (UID(0)) DFLTGRP(group)
    

    Select a default 'group' as appropriate to your installation standards.

    Note: If you do not want to grant USS superuser authority (UID(0)), give the user a non-zero UID instead and permit the IBM MQ Advanced Message Security user ID to the BPX.DAEMON and BPX.SERVER FACILITY class profiles. The BPX.DAEMON permit is shown here and the BPX.SERVER permit in step 5; if the FACILITY class is RACLISTed, refresh it after the permits as shown in step 6:
    
    PERMIT BPX.DAEMON CLASS(FACILITY) ID(WMQAMSM) ACCESS(READ)
    

    and the IBM MQ Advanced Message Security task program (thlqual.SCSQAUTH(CSQ0DSRV)) must be located in a RACF program-controlled library.

    To make your SCSQAUTH library program controlled, add it to the PROGRAM class profile your installation uses, either the * profile:
    
    RALTER PROGRAM * ADDMEM('thlqual.SCSQAUTH'//NOPADCHK)
    
    or the ** profile:
    
    RALTER PROGRAM ** ADDMEM('thlqual.SCSQAUTH'//NOPADCHK)
    
    and then refresh program control so that the change takes effect:
    
    SETROPTS WHEN(PROGRAM) REFRESH
    
    The empty volume serial between the two slashes means the library is cataloged; NOPADCHK tells RACF not to apply program-accessed data set checking to loads from it.
    
    You must also enable program control, in the same way, for the national language library (thlqual.SCSQANLx, where x is the language letter) that is used by the IBM MQ Advanced Message Security task. Every library the task loads from must be program controlled; a single load from one that is not makes the address space dirty.
  2. Determine if the RACF STARTED class is active. If it is not, activate the RACF STARTED class:
    
    SETROPTS CLASSACT(STARTED)
    
  3. Define a STARTED class profile for the IBM MQ Advanced Message Security tasks, specifying the user ID you selected or created in step 1:
    
    RDEFINE STARTED qmgrAMSM.* STDATA(USER(WMQAMSM))
    

    where qmgr is the queue manager name, which forms the prefix of the started task name. For example, if the started task is named CSQ1AMSM, substitute CSQ1AMSM.* for qmgrAMSM.*.

    The started tasks must be named qmgrAMSM.

  4. Use the SETROPTS RACF command to refresh the in-storage RACLISTed started class profiles:
    
    SETROPTS RACLIST(STARTED) REFRESH
    
  5. The IBM MQ Advanced Message Security task temporarily assumes the identity of the host user ID of the client requestor during protection processing of IBM MQ messages. Therefore, define profiles in the SURROGAT class for each user ID on whose behalf the task can act.

    This can be done with a single generic profile if the RACF SURROGAT class is active. If the SURROGAT class is not active, the check is skipped altogether and the task can switch to any user ID, so activating the class and permitting the task only to the identities it needs is the safer configuration. The SURROGAT profiles needed are described in z/OS: UNIX System Services Planning.

    To define profiles in the SURROGAT class:

    1. Activate the RACF SURROGAT class using the RACF SETROPTS command:
      
      SETROPTS CLASSACT(SURROGAT)
      
    2. Activate generic profile processing for the RACF SURROGAT class:
      
      SETROPTS GENERIC(SURROGAT)
      
    3. Activate generic profile command processing for the RACF SURROGAT class:
      
      SETROPTS GENCMD(SURROGAT)
      
    4. Define a surrogate class generic profile:
      
      RDEFINE SURROGAT BPX.SRV.* UACC(NONE)
      
    5. Permit the IBM MQ Advanced Message Security user ID to the generic SURROGAT class profile:
      
      PERMIT BPX.SRV.* CLASS(SURROGAT) ID(WMQAMSM) ACCESS(UPDATE)
      
      Note: You can define more specific profiles if you want to restrict specific users to be processed by the IBM MQ Advanced Message Security task, as described in z/OS: UNIX System Services Planning.
    6. Permit the IBM MQ Advanced Message Security user ID to the BPX.SERVER facility (if not already done in Creating the certificates and key rings):
      
      PERMIT BPX.SERVER CLASS(FACILITY) ID(WMQAMSM) ACCESS(READ)
      
  6. The IBM MQ Advanced Message Security task uses the facilities provided by z/OS System SSL services to open SAF-managed key rings. The underlying System Authorization Facility (SAF) that accesses the contents of the key rings is controlled by RACF, or an equivalent security manager.

    This service is the IRRSDL00 (R_datalib) callable service. This callable service is protected with the same profiles used to protect the RACF RACDCERT commands that are defined to the RACF FACILITY class. Thus, the IBM MQ Advanced Message Security user ID must be permitted to the profiles using these commands:

    1. If you have not already done so, define a RACF generic profile to the RACF FACILITY class that protects the RACDCERT command and the IRRSDL00 callable service:
      
      RDEFINE FACILITY IRR.DIGTCERT.* UACC(NONE)
      SETROPTS RACLIST(FACILITY) REFRESH
      
    2. Grant authority to the started task user ID. READ access to IRR.DIGTCERT.LISTRING lets the user list its own key ring, which is all the task needs (UPDATE would also let it list other users' rings). PERMIT must name a profile that already exists, so either define IRR.DIGTCERT.LISTRING as a discrete profile first or permit the generic profile that covers it, and refresh the FACILITY class again afterwards:
      
      PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WMQAMSM) ACC(READ)
      
      Alternatively, you can grant READ access to the data service task user's key ring through the RDATALIB class. RDATALIB profiles are named ringOwner.ringName.LST, so this permits that one ring only rather than the LISTRING function as a whole; when the RDATALIB class is active and a profile covers the ring, it is used in preference to the FACILITY check:
      
      PERMIT WMQASMD.DRQ.AMS.KEYRING.LST CLASS(RDATALIB) ID(WMQAMSM) ACC(READ)
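
    The following is an added example and not IBM code: a script that applies the rules of steps 1 to 6 above to the output of the RACF listing commands (LISTUSER userid OMVS, SETROPTS LIST, RLIST class profile AUTHUSER, RLIST PROGRAM *) so that you can verify a queue manager's AMS started task user after the set-up, or audit one you inherited. It reports UID(0) as a finding because it is the less restrictive of the two options the text allows, and it applies the page's rule that program control is needed as soon as a BPX.DAEMON or BPX.SERVER profile exists. Everything in the samples is constructed: the listing layouts are approximations of what RACF prints and must be adjusted to your release, MQM.V930 stands in for thlqual, UID 42 is arbitrary, and the task name CSQ1AMSM, user WMQAMSM and ring WMQASMD.DRQ.AMS.KEYRING are taken from the examples on this page.

```python
"""Added example, not IBM code: audit the RACF set-up of the AMS started task user against the
rules on this page. Samples are constructed, listing layouts only approximate real RACF output,
and MQM.V930.* stands in for thlqual.*; adjust the regexes and names for your site."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

@dataclass
class RacfFacts:
    user: str                                             # started task user ID under audit
    uid: int | None = None                                # OMVS UID; None if no OMVS segment
    active_classes: set = field(default_factory=set)      # from SETROPTS LIST
    profiles: set = field(default_factory=set)            # (class, profile) pairs that exist
    access: dict = field(default_factory=dict)            # (class, profile) -> user's access
    stdata_user: dict = field(default_factory=dict)       # STARTED profile -> STDATA USER
    program_controlled: set = field(default_factory=set)  # libraries in PROGRAM * or **

def parse_listuser(text: str, facts: RacfFacts) -> None:  # LISTUSER userid OMVS
    m = re.search(r"^\s*UID=\s*(\d+)", text, re.M)
    facts.uid = int(m.group(1)) if m else None

def parse_setropts(text: str, facts: RacfFacts) -> None:  # SETROPTS LIST
    m = re.search(r"ACTIVE CLASSES\s*=\s*(.+)", text)
    facts.active_classes.update(m.group(1).split() if m else [])

def parse_rlist(text: str, facts: RacfFacts) -> None:  # RLIST class profile AUTHUSER
    hdr = re.search(r"^CLASS\s+NAME\s*\n-+\s+-+\s*\n\s*(\S+)\s+(\S+)", text, re.M)
    if not hdr:
        return
    cls, prof = hdr.group(1), hdr.group(2)
    facts.profiles.add((cls, prof))
    for m in re.finditer(r"^\s*(\S+)\s+(NONE|READ|UPDATE|CONTROL|ALTER)\s+\d+", text, re.M):
        if m.group(1) == facts.user:          # access-list row for the audited user
            facts.access[(cls, prof)] = m.group(2)
    std = re.search(r"STDATA INFORMATION.*?^USER=\s*(\S+)", text, re.M | re.S)
    if cls == "STARTED" and std:
        facts.stdata_user[prof] = std.group(1)

def parse_rlist_program(text: str, facts: RacfFacts) -> None:  # RLIST PROGRAM * member rows
    row = r"^\s*([A-Z0-9@#$]+(?:\.[A-Z0-9@#$]+)+)\s+(?:\S+\s+)?(?:YES|NO)\s*$"  # dsn [volser] PADCHK
    facts.program_controlled.update(m.group(1) for m in re.finditer(row, text, re.M))

def audit(facts: RacfFacts, task: str, auth_lib: str, lang_lib: str) -> list[tuple[str, str]]:
    """Findings as (code, message); empty means the page's rules are met. task is procname.jobname."""
    f: list[tuple[str, str]] = []
    def has(cls: str, prof: str, level: str = "READ") -> bool:
        return ACCESS_RANK[facts.access.get((cls, prof), "NONE")] >= ACCESS_RANK[level]
    if facts.uid == 0:  # the page allows this; flagged because it is not least privilege
        f.append(("SUPERUSER", "UID(0): superuser authority instead of BPX.DAEMON/BPX.SERVER"))
    else:  # non-superuser path (a missing OMVS segment, uid None, fails here as well)
        for prof in ("BPX.DAEMON", "BPX.SERVER"):
            if not has("FACILITY", prof):
                f.append(("NO_" + prof[4:], f"no READ access to FACILITY {prof}"))
    # Program control: needed on the non-superuser path and whenever either BPX profile exists.
    if facts.uid != 0 or {("FACILITY", "BPX.DAEMON"), ("FACILITY", "BPX.SERVER")} & facts.profiles:
        for lib in (auth_lib, lang_lib):
            if lib not in facts.program_controlled:
                f.append(("NOT_PROG_CTL", f"{lib} is not program controlled"))
    if "STARTED" not in facts.active_classes or not any(
            fnmatchcase(task, p) and u == facts.user for p, u in facts.stdata_user.items()):
        f.append(("NO_STARTED", f"STARTED inactive or no profile assigns {facts.user} to {task}"))
    if "SURROGAT" not in facts.active_classes:
        f.append(("SURROGAT_INACTIVE", "SURROGAT inactive: the identity switch is never checked"))
    elif not any(c == "SURROGAT" and p.startswith("BPX.SRV.") and has(c, p) for c, p in facts.access):
        f.append(("NO_SURROGAT", "no BPX.SRV.* permit: the task cannot assume client identities"))
    if not (has("FACILITY", "IRR.DIGTCERT.LISTRING")
            or any(c == "RDATALIB" and p.endswith(".LST") and has(c, p) for c, p in facts.access)):
        f.append(("NO_KEYRING", "no IRR.DIGTCERT.LISTRING or RDATALIB .LST permit for the key ring"))
    return f

SAMPLE_SETROPTS = "ACTIVE CLASSES = DATASET USER GROUP FACILITY PROGRAM STARTED SURROGAT RDATALIB\n"
SAMPLE_PROGRAM = "DATA SET NAME  VOLSER  PADCHK\nMQM.V930.SCSQAUTH    NO\nMQM.V930.SCSQANLE    NO\n"

def sample_rlist(cls: str, prof: str, access: str, stdata: str = "") -> str:  # constructed listing
    text = (f"CLASS      NAME\n-----      ----\n{cls:<10} {prof}\n\n"
            f"             USER      ACCESS   ACCESS COUNT\n          WMQAMSM       {access}     000000\n")
    return text + (f"\nSTDATA INFORMATION\n------------------\nUSER= {stdata}\n" if stdata else "")

def build_facts(uid: int, setropts: str, rlists: list[str], program: str) -> RacfFacts:
    facts = RacfFacts("WMQAMSM")
    parse_listuser(f"USER=WMQAMSM  NAME=IBM MQ AMS USER\nOMVS INFORMATION\nUID= {uid:010d}\n", facts)
    parse_setropts(setropts, facts)
    for listing in rlists:
        parse_rlist(listing, facts)
    parse_rlist_program(program, facts)
    return facts

def hardened_facts() -> RacfFacts:
    """Non-superuser set-up exactly as the steps on this page leave it; audit() returns []."""
    return build_facts(42, SAMPLE_SETROPTS, [
        sample_rlist("FACILITY", "BPX.DAEMON", "READ"), sample_rlist("FACILITY", "BPX.SERVER", "READ"),
        sample_rlist("STARTED", "CSQ1AMSM.*", "NONE", "WMQAMSM"), sample_rlist("SURROGAT", "BPX.SRV.*", "UPDATE"),
        sample_rlist("RDATALIB", "WMQASMD.DRQ.AMS.KEYRING.LST", "READ")], SAMPLE_PROGRAM)

def weak_facts() -> RacfFacts:
    """UID(0), BPX.DAEMON defined but SCSQANLE not program controlled, SURROGAT class inactive."""
    return build_facts(0, SAMPLE_SETROPTS.replace(" SURROGAT", ""), [
        sample_rlist("FACILITY", "BPX.DAEMON", "NONE"), sample_rlist("STARTED", "CSQ1AMSM.*", "NONE", "WMQAMSM"),
        sample_rlist("FACILITY", "IRR.DIGTCERT.LISTRING", "READ")], SAMPLE_PROGRAM.replace("MQM.V930.SCSQANLE", ""))
```

    On a real system, replace the sample strings with the captured command output (one RLIST listing per profile), keep the argument to audit() in the procname.jobname form RACF uses for STARTED matching (CSQ1AMSM.CSQ1AMSM for a task started with S CSQ1AMSM), and treat an empty result as "matches this page", not as proof that the installation policy itself is adequate.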
      

Resource security for AMS

The started task user requires read authority to the SYSTEM.PROTECTION.POLICY.QUEUE.

The started task user requires authority to connect to the queue manager as a BATCH application. For further information, see Connection security profiles for batch connections.