The following directory authorizations are required for all brokers:
- READ and EXECUTE access to <INSTPATH>, where <INSTPATH> is the directory where IBM® Integration Bus for z/OS is installed by SMP/E.
- READ, WRITE, and EXECUTE access to the component directory ++COMPONENTDIRECTORY++.
- READ and WRITE access to the home directory.
- READ and WRITE access to the directory identified by ++HOME++.
- In UNIX System Services, the started task user ID and the IBM Integration Bus administrator user ID must both be members of the groups that have access to the installation and component directories, because they both need privileges over these resources. The owner of these directories must give the appropriate permissions to this group.
All brokers need the following RACF® authorizations:
- READ and WRITE access to RACF class BPX.SMF, when you need to create SMF 117 records for accounting and statistics.
- READ access to the CSFRNG resource in the CSFSERV class.
- READ access to the component PDSE.
WebSphere MQ authorizations
Enable WebSphere® MQ security to protect your WebSphere MQ resources. If all WebSphere MQ security switches are enabled, define the following profiles, and give the started task user ID the listed access to each profile. For each profile access listed, <MQ_QMNAME> represents the WebSphere MQ queue manager that the IBM Integration Bus component is connected to, and TASKID represents the started task user ID.
- Connection security: READ access to profile <MQ_QMNAME>.BATCH of class MQCONN. For example, for queue manager MQP1 and started task ID TASKID, use the RACF commands:
  RDEFINE MQCONN MQP1.BATCH UACC(NONE)
  PERMIT MQP1.BATCH CLASS(MQCONN) ID(TASKID) ACCESS(READ)
- Connection security when content-based filtering with publish/subscribe is used: UPDATE access to profile <MQ_QMNAME>.BATCH of class MQCONN. For example, for queue manager MQP1 and started task ID TASKID, use the RACF commands:
  RDEFINE MQCONN MQP1.BATCH UACC(NONE)
  PERMIT MQP1.BATCH CLASS(MQCONN) ID(TASKID) ACCESS(UPDATE)
- Queue security: UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for all queues. Consider creating profiles for the following queues:
  - All component queues, by using the generic profile SYSTEM.BROKER.**
  - All transmission queues that you have defined between component queue managers.
  - All queues that you have specified in message flows.
  - Dead-letter queues.
  - Model queues.
  For example, for queue manager MQP1 and started task ID TASKID, use the following RACF commands to restrict access to the component queues:
  RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.** UACC(NONE)
  PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQQUEUE) ID(TASKID) ACCESS(UPDATE)
- Context security: CONTROL access to profile <MQ_QMNAME>.CONTEXT of class MQADMIN. For example, for queue manager MQP1 and started task ID TASKID, use the following RACF commands (the RDEFINE and PERMIT must name the same profile, here the generic profile covering the context of all queues):
  RDEFINE MQADMIN MQP1.CONTEXT.** UACC(NONE)
  PERMIT MQP1.CONTEXT.** CLASS(MQADMIN) ID(TASKID) ACCESS(CONTROL)
- Alternate user security: Define the alternate user authority as UPDATE access to profile <MQ_QMNAME>.ALTERNATE.USER.id of class MQADMIN, where id represents the started task ID of the broker component. For example, for queue manager MQP1, started task ID TASKID, and configuration service ID CFGID, use the following RACF commands:
  RDEFINE MQADMIN MQP1.ALTERNATE.USER.CFGID UACC(NONE)
  PERMIT MQP1.ALTERNATE.USER.CFGID CLASS(MQADMIN) ID(TASKID) ACCESS(UPDATE)
  Also give UPDATE access to profile <MQ_QMNAME>.ALTERNATE.USER.id of class MQADMIN, where id represents the user ID of, for example, a publish/subscribe request.
- Process and namelist security: If you have WebSphere MQ security switches enabled in your system for process and namelist security, you do not have to define access profiles in an IBM Integration Bus default configuration.
- Topic security:
  - Create RACF profiles to control publishing and subscribing for the administrative MQ topic SYSTEM.BROKER.MB.TOPIC:
    RDEFINE MXTOPIC <MQ_QMNAME>.PUBLISH.SYSTEM.BROKER.MB.TOPIC UACC(NONE)
    RDEFINE MXTOPIC <MQ_QMNAME>.SUBSCRIBE.SYSTEM.BROKER.MB.TOPIC UACC(NONE)
  - Grant the broker's started task ID the ability to publish on that topic:
    PERMIT <MQ_QMNAME>.PUBLISH.SYSTEM.BROKER.MB.TOPIC CLASS(MXTOPIC) ID(TASKID) ACCESS(UPDATE)
  - Allow the broker to subscribe to its own topics:
    PERMIT <MQ_QMNAME>.SUBSCRIBE.SYSTEM.BROKER.MB.TOPIC CLASS(MXTOPIC) ID(TASKID) ACCESS(ALTER)
  - Optionally, allow additional users to subscribe to those topics (required for web users or for external consumers of events): issue the same PERMIT command for each additional user ID.
For users connecting remotely from the IBM Integration Explorer, the IBM Integration Toolkit, or a CMP application to the broker on z/OS, the following authorizations are required. CMP applications include the commands that use that interface: mqsichangeresourcestats, mqsicreateexecutiongroup, mqsideleteexecutiongroup, mqsideploy, mqsilist, mqsimode, mqsireloadsecurity, mqsireportresourcestats, mqsistartmsgflow, and mqsistopmsgflow.
- Connection security: READ access to profile <MQ_QMNAME>.CHIN of class MQCONN. For example, for queue manager MQP1 and started task ID TASKID, use the following RACF commands:
  RDEFINE MQCONN MQP1.CHIN UACC(NONE)
  PERMIT MQP1.CHIN CLASS(MQCONN) ID(TASKID) ACCESS(READ)
- Alternate user security: Define the alternate user authority as UPDATE access to profile <MQ_QMNAME>.ALTERNATE.USER.id of class MQADMIN, where id represents the user ID of the IBM Integration Toolkit or CMP application. For example, for queue manager MQP1, started task ID TASKID, and user ID USERID, use the following RACF commands:
  RDEFINE MQADMIN MQP1.ALTERNATE.USER.USERID UACC(NONE)
  PERMIT MQP1.ALTERNATE.USER.USERID CLASS(MQADMIN) ID(TASKID) ACCESS(UPDATE)