Administration security overview

On z/OS®, WebSphere MQ uses the System Authorization Facility (SAF) to route requests for authority checks to an external security manager (ESM) such as the z/OS Security Server Resource Access Control Facility (RACF®). WebSphere MQ does no authority checks of its own. All information about broker administration security on z/OS assumes that you are using RACF as your ESM. If you are using a different ESM, you might need to interpret the information provided for RACF in a way that is relevant to your ESM.

If you are activating security on the WebSphere MQ queue manager on z/OS for the first time, you must set up the profiles or other resources that are required by your ESM to access queues. You must also check that the queue manager is configured to access the security profiles in the correct class; MQQUEUE for uppercase queue names and MXQUEUE for mixed case queue names.

For further information about queue manager security and security profiles, see the z/OS System Administration Guide and z/OS System Setup Guide sections of the WebSphere MQ Version 7 product documentation online.

If you have activated broker administration security, all actions performed by users of the following interfaces are subject to authority checking:

• IBM Integration Toolkit sessions
• IBM Integration Explorer sessions
• IBM Integration Bus
• Java™ programs that use the REST API to perform operations on the broker
• Java programs that use the CMP to perform operations on the broker
• All the following commands:
  • mqsichangeresourcestats
  • mqsicreateexecutiongroup
  • mqsideleteexecutiongroup
  • mqsideploy
  • mqsilist
  • mqsimode
  • mqsireloadsecurity
  • mqsireportresourcestats
  • mqsistartmsgflow
  • mqsistopmsgflow
  • mqsiwebuseradmin

  For additional authorization required for these commands, see Commands and authorizations for broker administration security.

  You can run all commands that are not stated here only on the computer on which the broker is running. Either your user ID, or the ID under which the broker is running, must be a member of the security group mqbrkrs when you run the unlisted commands. Each command topic describes the authority that is required.

Users of the IBM Integration Explorer and IBM Integration Toolkit who do not have read, write, and execute authority for the broker or integration servers, have only restricted access to those resources. An icon is displayed against each resource to indicate that user authority is restricted. The actions that the user can request against a resource are determined by the restricted authority that is in place for that user.

If a user ID is granted authority to access a broker, the access is retained at least until the current connection or session is ended by one of the following events:

• The user closes the IBM Integration Explorer or IBM Integration Toolkit session
• The CMP application disconnects from the BrokerProxy object

Even if you update or remove the authority for this user ID, the authorization does not change while the connection is active.

However, authorization is always checked for operations against integration servers and message flows; if you change or remove the authorization for a user ID to an integration server, subsequent requests in the current connection might fail.

In your environment, a check on the user ID making a request might not provide a sufficient level of security. If you require a more secure solution, one or both of the following options are available:

• You can enable SSL on a WebSphere MQ client connection between the source of the request (for example, the IBM Integration Explorer) and the target queue manager on which the broker is running.
• You can configure your WebSphere MQ network so that certain types of users can be directed through a specific server connection (SVRCONN) channel, provided they comply with the CHLAUTH rules. For details of channel security, see the System Administration Guide section in the WebSphere MQ Version 7 product documentation online.