QMgr Profile and RACF
RogerLacroix
Posted: Wed Apr 08, 2009 8:07 am Post subject: QMgr Profile and RACF
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
All,
I have very limited experience with RACF. (I'm more familiar with ACF2.)
What is the RACF QMgr profile called for security checks when a connection is made?
If I run a Windows MQ program (that uses a Windows UserID not known to z/OS), connection works but the MQOPEN fails with reason code 2035 (not authorized) - which is good.
I would like the MQCONN to fail with 2035 but I don't know what RACF QMgr profile to set / create to cause a security check on the connection.
Any thoughts?
Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
bruce2359
Posted: Wed Apr 08, 2009 9:12 am
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
There's an MQCONN resource class in RACF used for connection security profiles.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
ctefehinoz
Posted: Wed Apr 08, 2009 6:09 pm
Apprentice
Joined: 27 Oct 2003 Posts: 29 Location: Australia
Don't forget to check whether a QMGR.NO.CONNECT.CHECKS profile exists in the MQADMIN class or have a look in the MSTR address space syslog for whether it exists or not.
For the QMGR.CHIN MQCONN profile, and depending on what the shop has set up, a UACC or READ should be good enough. If the UACC is NONE, add the CHIN STC (or group) to the access list with READ. Toggle at will. Also, after a profile change, don't forget to issue a RACF SETROPTS and an MQ REFRESH SECURITY and possibly an MQ RVERIFY.
HTH
Ctefehinoz
gbaddeley
Posted: Thu Apr 09, 2009 2:06 am Post subject: Re: QMgr Profile and RACF
Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
RogerLacroix wrote:
All,
I have very limited experience with RACF. (I'm more familiar with ACF2.)
What is the RACF QMgr profile called for security checks when a connection is made?
If I run a Windows MQ program (that uses a Windows UserID not known to z/OS), connection works but the MQOPEN fails with reason code 2035 (not authorized) - which is good.
I would like the MQCONN to fail with 2035 but I don't know what RACF QMgr profile to set / create to cause a security check on the connection.
Any thoughts?
Regards,
Roger Lacroix
In my experience of writing security exits for z/OS MQ client channels, there is no check at MQCONN time for a valid MCA userid. The first point that RACF authorisation comes into play is when the app opens its first object. Then it can return a 2035 on the MQOPEN or MQPUT1 call.
The ssid.CHIN profile in the MQCONN class authorises the userid of the channel initiator started task to connect to the queue manager. I don't think it can be used to control access by "remote" userids connecting to the chin.
See "Profiles for Connection Security" in Ch.7 of "WMQ z/OS System Setup Guide V7.0".
_________________
Glenn