ACF2 switch profiles for QSG rule checks
JonB
Posted: Tue Aug 21, 2007 6:56 am Post subject: ACF2 switch profiles for QSG rule checks
Apprentice
Joined: 14 Nov 2002 Posts: 27 Location: Dublin, Ireland
Hi,
I have a question on the security switches for MQ, which I hope someone might be able to help me with. Historically we had only 1 queue manager in our development and production environments on z/OS, and a number of years ago we implemented a QSG by adding a second queue manager in both environments.
All of our security was always, and still is, written at queue manager level; I would like our security team to start moving the rules to the queue sharing group level. We are an ACF2 shop.
Currently our switches in our two development queue managers (CSQ1 and CSQ2) are as follows:
CSQ1 Switches . . . . . . . . . :
SUBSYSTEM: ON, 'CSQ1.YES.SUBSYS.SECURITY' FOUND
QMGR: ON, 'CSQ1.NO.QMGR.CHECKS' OVERRIDDEN
QSG: ON, 'CSQ1.NO.QSG.CHECKS' OVERRIDDEN
CONNECTION: ON, 'CSQ1.YES.CONNECT.CHECKS' FOUND
COMMAND: ON, 'CSQ1.YES.CMD.CHECKS' FOUND
CONTEXT: ON, 'CSQ1.YES.CONTEXT.CHECKS' FOUND
ALTERNATE USER: OFF, 'CSQ1.NO.ALTERNATE.USER.CHECKS' FOUND
PROCESS: ON, 'CSQ1.YES.PROCESS.CHECKS' FOUND
NAMELIST: ON, 'CSQ1.YES.NLIST.CHECKS' FOUND
QUEUE: OFF, 'CSQ1.NO.QUEUE.CHECKS' FOUND
COMMAND RESOURCES: OFF, 'CSQ1.NO.CMD.RESC.CHECKS' FOUND
CSQ2 Switches . . . . . . . . . :
SUBSYSTEM: ON, 'CSQ2.YES.SUBSYS.SECURITY' FOUND
QMGR: ON, 'CSQ2.NO.QMGR.CHECKS' OVERRIDDEN
QSG: ON, 'CSQ2.NO.QSG.CHECKS' OVERRIDDEN
CONNECTION: ON, 'CSQ2.YES.CONNECT.CHECKS' FOUND
COMMAND: ON, 'CSQ2.YES.CMD.CHECKS' FOUND
CONTEXT: ON, 'CSQ2.YES.CONTEXT.CHECKS' FOUND
ALTERNATE USER: OFF, 'CSQ2.NO.ALTERNATE.USER.CHECKS' FOUND
PROCESS: ON, 'CSQ2.YES.PROCESS.CHECKS' FOUND
NAMELIST: ON, 'CSQ2.YES.NLIST.CHECKS' FOUND
QUEUE: OFF, 'CSQ2.NO.QUEUE.CHECKS' FOUND
COMMAND RESOURCES: OFF, 'CSQ2.NO.CMD.RESC.CHECKS' FOUND
What I would like to do is enable both QSG and queue manager checks. I have gone through presentations and manuals, but I am going around in circles. This is mainly due to the way ACF2 works...
The switch profiles (SAFDEFs) we have in ACF2 for CSQ1 are as follows; the equivalents are also set for CSQ2:
SYSA / SAFDEF.MQMC1
FUNCRET(8) FUNCRSN(0) ID(MQM1) MODE(IGNORE)
RACROUTE(REQUEST=EXTRACT CLASS=MQADMIN
ENTITYX=CSQ1.NO.SUBSYS.SECURITY) RETCODE(4)
SYSA / SAFDEF.MQMC2
FUNCRET(8) FUNCRSN(0) ID(MQM2) MODE(IGNORE)
RACROUTE(REQUEST=EXTRACT CLASS=MQADMIN
ENTITYX=CSQ1.NO.CMD.CHECKS) RETCODE(4)
SYSA / SAFDEF.MQMC3
FUNCRET(8) FUNCRSN(0) ID(MQM3) MODE(IGNORE)
RACROUTE(REQUEST=EXTRACT CLASS=MQADMIN
ENTITYX=CSQ1.NO.CONNECT.CHECKS) RETCODE(4)
SYSA / SAFDEF.MQMC4
FUNCRET(8) FUNCRSN(0) ID(MQM4) MODE(IGNORE)
RACROUTE(REQUEST=EXTRACT CLASS=MQADMIN
ENTITYX=CSQ1.NO.QUEUE.CHECKS) RETCODE(4)
SYSA / SAFDEF.MQMC5
FUNCRET(8) FUNCRSN(0) ID(MQM5) MODE(IGNORE)
RACROUTE(REQUEST=EXTRACT CLASS=MQADMIN
ENTITYX=CSQ1.NO.PROCESS.CHECKS) RETCODE(4)
SYSA / SAFDEF.MQMC6
FUNCRET(8) FUNCRSN(0) ID(MQM6) MODE(IGNORE)
RACROUTE(REQUEST=EXTRACT CLASS=MQADMIN
ENTITYX=CSQ1.NO.NLIST.CHECKS) RETCODE(4)
SYSA / SAFDEF.MQMC7
FUNCRET(8) FUNCRSN(0) ID(MQM7) MODE(IGNORE)
RACROUTE(REQUEST=EXTRACT CLASS=MQADMIN
ENTITYX=CSQ1.NO.CONTEXT.CHECKS) RETCODE(4)
Can someone possibly point me in the right direction to enable the QSG rule checks?
Thanks
Jon.
_________________
Jon Barry
IBM Certified System Administrator - WebSphere MQ V5.3
IBM Certified Solution Designer - WebSphere MQ V5.3
bruce2359
Posted: Tue Aug 21, 2007 7:38 am
Guest
Quote: What I would like to do is enable both QSG and Queue Manager checks
Please read z/OS MQ System Setup Guide, Part 5 Using RACF Classes and Profiles. (ACF2 must respond to RACROUTE requests from MQ as does RACF.)
Next read the MQ Security manual.
Briefly, you can use both the qmgr name and the queue-sharing group name in your profiles and switches.
JonB
Posted: Tue Aug 21, 2007 7:52 am
Apprentice
Joined: 14 Nov 2002 Posts: 27 Location: Dublin, Ireland
Hi,
Thanks for the reply. As I detailed in my initial post, I have been through the manuals, and I have even gone through the Xephon journals, which have very good documentation on this subject.
I have managed to get the rules turned on for QSG checking, but I am not sure if it is still checking the QMGR rules. Also, all the manuals relate to RACF, and ACF2 does not work in the same fashion; it uses negative logic, where a 'NO' SAFDEF record returns a 'not found' condition to MQ.
i.e. if no.subsys.security is not found, subsystem security is active; if no.connect.security is not found, connection security is active.
I have tried setting numerous switches, but I suppose I am not sure what the 'display security' command should return should we have it correct.
Thanks
Jon.
_________________
Jon Barry
IBM Certified System Administrator - WebSphere MQ V5.3
IBM Certified Solution Designer - WebSphere MQ V5.3
bruce2359
Posted: Tue Aug 21, 2007 8:14 am
Guest
By default z/OS MQ is delivered from the factory with security enabled. (This is not so in MQ for midrange platforms.) So, there must be an ACF2 switch and profile rule - qmgr or qsg - that allows access to an mq resource. Or alternatively, you can turn the security switches to no.
Think of these switches as light switches installed upside down. UP turns the light off; DOWN turns it ON.
If RACF/ACF2 is active and the MQADMIN class is installed and activated, then security switches will be interrogated to see what, if any, security checks will be made.
QSG-level rules can protect all types of resources, both shared and local. Confusion will likely be the result (already there?) if you mix qsg- and qmgr-level.
I'd strongly recommend NOT setting NO. switches. That is, enable all security checking.
With all security checking enabled, create the appropriate profiles and rules for resources. Do this in your test environment; then migrate all this stuff to QA; then to production.
bruce2359
Posted: Tue Aug 21, 2007 8:31 am
Guest
Quote: I am not sure what the 'display security' command should return should we have it correct.
The display security command tells you what switches are on/off. I'd be very suspicious if any of the NO.SECURITY switches were on, bypassing security checking. So, "correct" would mean to me that the qsg or qmgr will always ask ACF2 for a rule that allows access to resources.
From your original post:
QUEUE: OFF, 'CSQ2.NO.QUEUE.CHECKS' FOUND
COMMAND RESOURCES: OFF, 'CSQ2.NO.CMD.RESC.CHECKS' FOUND
No checking for access to queues; no checking for access to MQ commands.
JonB
Posted: Thu Aug 23, 2007 5:45 am
Apprentice
Joined: 14 Nov 2002 Posts: 27 Location: Dublin, Ireland
The switches do NOT work the same in ACF2 as in RACF. By default, with ACF2, MQ security is disabled, whereas in RACF it is ON.
In RACF, if qmgr.NO.SUBSYS.SECURITY is defined it switches MQ subsystem security off; in ACF2 this must be defined to switch MQ security on!
This leads to a large amount of confusion. I have defined SAFDEF switches, so that I am getting the following:
SUBSYSTEM: ON, 'QMGR.YES.SUBSYS.SECURITY' FOUND
QMGR: ON, 'QMGR.YES.QMGR.CHECKS' FOUND
QSG: ON, 'QMGR.YES.QSG.CHECKS' FOUND
To get to this stage I have had to define the following switches:
QMGR.NO.SUBSYS.SECURITY
QMGR.NO.QMGR.CHECKS
QMGR.NO.QSG.CHECKS
We now have the switches saying what I think they should be saying, but the queue profile rules written for the QSG are still not getting used.
Do I need to set the subsystem security on at a QSG level instead possibly?
_________________
Jon Barry
IBM Certified System Administrator - WebSphere MQ V5.3
IBM Certified Solution Designer - WebSphere MQ V5.3
bruce2359
Posted: Thu Aug 23, 2007 7:09 am
Guest
Security generally, and all these switch settings, are explained in detail in the z/OS MQ System Setup Guide, Part 5, MQ v6.
I'm mostly a RACF guy. MQ wants/needs what's defined in the IBM MQ manuals for switches, resource profiles and rules. IBM doc refers to MQ's interaction with an ESM (External Security Manager), and that three ESMs are available: RACF, ACF2, Top Secret. The remainder of the doc only refers to RACF stuff. That said, it's up to ACF2 to meet the MQ requirements for resource classes, switches, etc.
According to the MQ manuals, having both qsg and qmgr switches enabled works. It allows you to do the conversion from qmgr to qsg profiles.
I'd guess that you want both qsg and qmgr security checks ON (no NO* switches) to enable your qmgr checks to continue, and to allow you to create qsg rules.
Since you are doing this in a test environment, create qsg-level profiles that are more restrictive than the qmgr rules; then do some testing to see what fails and what works.
Did I understand you correctly? Does ACF2 allow access to a resource unless rules exist that deny the access? RACF implementations deny access unless a rule allows access.
JonB
Posted: Thu Aug 23, 2007 7:25 am
Apprentice
Joined: 14 Nov 2002 Posts: 27 Location: Dublin, Ireland
I have inwardly digested the z/OS MQ System Setup Guide, Part 5, MQ v6, as well as Xephon Journals on this topic.
Quote: I'd guess that you want both qsg and qmgr security checks ON (no NO* switches) to enable your qmgr checks to continue, and to allow you to create qsg rules.
In ACF2 you must have the NO* switches to enable the security (ridiculous, I know, but that is the way it is).
Quote: Does ACF allow access to a resource unless rules exists that deny the access?
From a switch profile point of view, if a switch is not defined to ACF2, MQ appears to see it as present. So, for example, if we wanted to turn off COMMAND checking, we would have to ensure that QMGR.NO.COMMAND.CHECKS is NOT defined as an ACF2 SAFDEF record. Its presence will turn on COMMAND checks; again, a bit silly in my point of view!
I am now seriously wondering if I need to alter our subsystem switch. At the moment we have MGR1.NO.SUBSYS.SECURITY and MGR2.NO.SUBSYS.SECURITY set, which turn security on from an MQ perspective. I am thinking maybe I need to have QSG.NO.SUBSYS.SECURITY set.
Here I go in circles again.
_________________
Jon Barry
IBM Certified System Administrator - WebSphere MQ V5.3
IBM Certified Solution Designer - WebSphere MQ V5.3
bruce2359
Posted: Thu Aug 23, 2007 7:48 am
Guest
YES means perform command checks; and NO means don't perform command checks.
From the System Setup (SC34-6583-00) guide p. 158:
Command security switch profile name = hlq.NO.CMD.CHECKS
You can override with qmgr-name.YES.CMD.CHECKS
hlq is either qmgr or qsg
I'm looking at p.158 of the System Setup Guide. There's a table with examples that follow that seem to address just what you are trying to accomplish.
Is there ACF2 doc that addresses MQ issues?
RogerLacroix
Posted: Thu Aug 23, 2007 8:01 am
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Back to top |
|
 |
JonB
Posted: Thu Aug 23, 2007 8:06 am
Apprentice
Joined: 14 Nov 2002 Posts: 27 Location: Dublin, Ireland
Hi Roger,
Thanks for that. We have been running successfully with ACF2 rules at a queue manager level for years. I want to enable the queue sharing group security.
Those are the SAFDEFs that are confusing.
Jon.
_________________
Jon Barry
IBM Certified System Administrator - WebSphere MQ V5.3
IBM Certified Solution Designer - WebSphere MQ V5.3
RogerLacroix
Posted: Thu Aug 23, 2007 8:12 am
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Hi,
I'm not an ACF2 guru, but wouldn't you simply replace the queue manager name in the SAFDEF with the QSG name?
i.e.
Code:
Change
INSERT SAFDEF.MQA1 ID(MQA1) FUNCRET(8) MODE(IGNORE) RETCODE(4)-
RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,-
ENTITYX=MQA.NO.QUEUE.CHECKS) REP
to
INSERT SAFDEF.QSF1 ID(QSF1) FUNCRET(8) MODE(IGNORE) RETCODE(4)-
RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,-
ENTITYX=QSF.NO.QUEUE.CHECKS) REP
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
JonB
Posted: Tue Aug 28, 2007 7:04 am
Apprentice
Joined: 14 Nov 2002 Posts: 27 Location: Dublin, Ireland
Thanks for that. I believe I have got it working, with both QSG and QMGR checks turned on.
I now have one more question on the profiles.
According to the System Setup Guide on Profiles for Queue Security:
"If your queue manager is a member of a queue-sharing group and you are using both queue manager and queue-sharing group level security, WebSphere MQ checks for a profile prefixed by the queue manager name first. If it does not find one, it looks for a profile prefixed by the queue-sharing group name."
That is fine and I understand all of that. What I would like to know is this: if WebSphere MQ finds a profile prefixed by the queue manager name, but there is no rule which satisfies the action on the queue, will WebSphere MQ then check in a profile prefixed by the queue-sharing group name, or will it just refuse the request?
_________________
Jon Barry
IBM Certified System Administrator - WebSphere MQ V5.3
IBM Certified Solution Designer - WebSphere MQ V5.3
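The two rules the thread turns on, the hlq.NO / qmgr.YES switch logic bruce2359 quotes from p.158 of the Setup Guide and the qmgr-then-QSG profile search JonB quotes in the last post, written out as a small Python model so the DISPLAY SECURITY lines and a queue check can be predicted for a given set of defined profiles. This is an added example written for this page; it is not IBM or CA code and does not claim to be how either product is implemented. Assumptions, also marked in the code: the queue manager name CSQ1 is from the thread but the QSG name QSG1, the queue names and the user IDs are constructed; a qmgr.YES profile is taken to override only a QSG-level NO profile; the two level switches are taken to be unable to both be off at once (the rule behind the OVERRIDDEN lines in JonB's display); the quoted search sentence is read literally, so a profile that is found but denies the user ends the search, which is the open question in the last post and is modelled only as that reading; and the acf2_negative flag does nothing more than invert FOUND and NOT FOUND, to model what JonB reports about SAFDEF MODE(IGNORE) RETCODE(4) records.

```python
"""Model of the MQ for z/OS switch-profile and profile-search rules discussed
in this thread.  Added example: not IBM or CA code, and not how either product
is implemented.  CSQ1 comes from the thread; the QSG name QSG1, the queue names
and the user IDs are constructed for the demo."""
from dataclasses import dataclass, field

# Resource switches in DISPLAY SECURITY order: (label, MQADMIN profile suffix).
RESOURCE_SWITCHES = (
    ("CONNECTION", "CONNECT.CHECKS"), ("COMMAND", "CMD.CHECKS"),
    ("CONTEXT", "CONTEXT.CHECKS"), ("ALTERNATE USER", "ALTERNATE.USER.CHECKS"),
    ("PROCESS", "PROCESS.CHECKS"), ("NAMELIST", "NLIST.CHECKS"),
    ("QUEUE", "QUEUE.CHECKS"), ("COMMAND RESOURCES", "CMD.RESC.CHECKS"),
)


@dataclass
class Esm:
    """Stand-in for the external security manager.  `defined` holds MQADMIN
    switch-profile names (RACF profiles, or the ENTITYX names of ACF2 SAFDEF
    records); `access` maps a queue profile to the user IDs it permits.
    acf2_negative=True models only what JonB reports: a SAFDEF with
    MODE(IGNORE) RETCODE(4) makes the EXTRACT answer NOT FOUND, and an
    undefined switch looks FOUND."""
    defined: set
    access: dict = field(default_factory=dict)
    acf2_negative: bool = False

    def extract(self, profile):
        """Whether RACROUTE REQUEST=EXTRACT reports the switch profile as found."""
        present = profile in self.defined
        return (not present) if self.acf2_negative else present


def switch_state(esm, qmgr, qsg, suffix):
    """(on, profile, status) for one switch.  Rule quoted from p.158: hlq.NO.<suffix>
    found turns the check off, hlq being the qmgr or QSG name, and qmgr.YES.<suffix>
    overrides.  Assumed here: YES overrides a QSG-level NO, not a qmgr-level one,
    since the qmgr-level NO is already the most specific setting for that qmgr."""
    qmgr_no, qsg_no = f"{qmgr}.NO.{suffix}", f"{qsg}.NO.{suffix}"
    qmgr_yes = f"{qmgr}.YES.{suffix}"
    if esm.extract(qmgr_no):
        return False, qmgr_no, "FOUND"
    if esm.extract(qsg_no):
        if esm.extract(qmgr_yes):
            return True, qmgr_yes, "FOUND"
        return False, qsg_no, "FOUND"
    return True, qmgr_no, "NOT FOUND"


def level_switches(esm, qmgr, qsg):
    """QMGR and QSG level switches.  Assumed Setup Guide rule: both levels cannot
    be off at once, so when both NO profiles are found MQ ignores both and checks
    at both levels (the OVERRIDDEN lines in JonB's display)."""
    q = switch_state(esm, qmgr, qsg, "QMGR.CHECKS")
    g = switch_state(esm, qmgr, qsg, "QSG.CHECKS")
    if not q[0] and not g[0]:
        q, g = (True, q[1], "OVERRIDDEN"), (True, g[1], "OVERRIDDEN")
    return {"QMGR": q, "QSG": g}


def display_security(esm, qmgr, qsg):
    """Lines in the shape of the DISPLAY SECURITY output posted above."""
    def fmt(label, state):
        on, profile, status = state
        return f"{label}: {'ON' if on else 'OFF'}, '{profile}' {status}"
    sub = switch_state(esm, qmgr, qsg, "SUBSYS.SECURITY")
    lines = [fmt("SUBSYSTEM", sub)]
    if not sub[0]:
        return lines  # subsystem security off: no other switch is consulted
    lines += [fmt(k, v) for k, v in level_switches(esm, qmgr, qsg).items()]
    lines += [fmt(k, switch_state(esm, qmgr, qsg, s)) for k, s in RESOURCE_SWITCHES]
    return lines


def queue_access(esm, qmgr, qsg, user, queue):
    """(decision, profile) for a queue check.  Search order is the sentence JonB
    quotes: qmgr-prefixed profile first, and only if that is NOT FOUND the
    QSG-prefixed one.  Assumed here, reading it literally: a profile that is found
    but does not permit the user is a final DENY with no fall-through.  Levels
    whose switch is off are skipped; with no profile at any active level the
    answer is left to the ESM's own default, which is not modelled."""
    if not switch_state(esm, qmgr, qsg, "SUBSYS.SECURITY")[0] \
            or not switch_state(esm, qmgr, qsg, "QUEUE.CHECKS")[0]:
        return "NOT CHECKED", None
    levels = level_switches(esm, qmgr, qsg)
    for label, hlq in (("QMGR", qmgr), ("QSG", qsg)):
        if not levels[label][0]:
            continue
        profile = f"{hlq}.{queue}"
        if profile in esm.access:
            return ("ALLOW" if user in esm.access[profile] else "DENY"), profile
    return "NO PROFILE", None


# Constructed scenarios.  RACF-style: a profile is found iff it is defined.
ACCESS = {"CSQ1.APP.REQUEST": {"ALICE"},
          "QSG1.APP.REQUEST": {"ALICE", "BOB"},
          "QSG1.APP.REPLY": {"BOB"}}
BOTH_LEVELS = Esm({"CSQ1.NO.QMGR.CHECKS", "CSQ1.NO.QSG.CHECKS",
                   "QSG1.NO.QUEUE.CHECKS", "CSQ1.YES.QUEUE.CHECKS"}, ACCESS)
QSG_ONLY = Esm({"CSQ1.NO.QMGR.CHECKS"}, ACCESS)
# ACF2-style per JonB: with no SAFDEF at all, every switch profile looks FOUND.
ACF2_EMPTY = Esm(set(), acf2_negative=True)
ACF2_SUBSYS = Esm({"CSQ1.NO.SUBSYS.SECURITY"}, acf2_negative=True)

if __name__ == "__main__":
    for name, esm in (("BOTH_LEVELS", BOTH_LEVELS), ("ACF2_SUBSYS", ACF2_SUBSYS)):
        print(name)
        for line in display_security(esm, "CSQ1", "QSG1"):
            print("  " + line)
    print(queue_access(BOTH_LEVELS, "CSQ1", "QSG1", "BOB", "APP.REQUEST"))
    print(queue_access(QSG_ONLY, "CSQ1", "QSG1", "BOB", "APP.REQUEST"))
```

Run as a script it prints the modelled display for a RACF-style definition set and for the ACF2-style set JonB ends up with. Under the ACF2 flag with nothing defined the subsystem switch comes out OFF, which is the "disabled by default" behaviour he describes; once CSQ1.NO.SUBSYS.SECURITY exists as a SAFDEF the model reports the YES profile as the decisive one and both level switches as OVERRIDDEN, the same shape as his later displays. The comparison worth running is BOB on APP.REQUEST with both levels on against the QSG_ONLY set: the qmgr-prefixed profile denies him in the first case and is never consulted in the second, which is exactly the difference the qmgr-to-QSG migration has to manage.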