Restricting CSQUTIL
PeterPotkay
Posted: Wed Apr 22, 2009 4:16 am    Post subject: Restricting CSQUTIL
Poobah, Joined: 15 May 2001, Posts: 7722

What is the best way to control this? Do you just control who can put to the command queue via RACF, and who cares if the whole world can try to run CSQUTIL? Or do you lock down the actual program somehow?

_________________
Peter Potkay
Keep Calm and MQ On
Vitor
Posted: Wed Apr 22, 2009 4:26 am    Post subject:
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA

RACF is your friend. Typically control queue access, but if you wanted to lock down the loadlib...

_________________
Honesty is the best policy.
Insanity is the best defence.
kevinf2349
Posted: Wed Apr 22, 2009 5:24 am    Post subject:
Grand Master, Joined: 28 Feb 2003, Posts: 1311, Location: USA

Peter,
I would be surprised if AMASPZAP wasn't protected at your site, and all that is, is a program too. I would protect it in the same manner (using your site's current security system of choice). RACF, ACF2 and TopSecret all have the ability to protect programs by name as well as the libraries that they reside in.
Mr Butcher
Posted: Wed Apr 22, 2009 5:38 am    Post subject:
Padawan, Joined: 23 May 2005, Posts: 1716

It's all RACF.
First you set security to allow users / groups to access CSQUTIL (e.g. to access the load library).
For users and groups that are allowed to use CSQUTIL you need to set proper security in MQ (access to SYSTEM.COMMAND.QUEUE, SYSTEM.COMMAND.REPLY.MODEL and SYSTEM.CSQUTIL.* queues) as described in the system administration manual for z/OS (assuming queue security is enabled).
To control the CSQUTIL functions and commands that the users or groups are allowed to use, you can use the MQSeries security classes, like connect security, queue security, command security (there are more).
It is not very handsome to assign rights by userid, so best practice is to define groups in RACF with various rights, e.g. one group with display rights only and one group with modify rights only, then assign users to these groups. We also have groups by projects.

_________________
Regards, Butcher
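The scheme in this post (library access, program protection by name as mentioned earlier in the thread, MQ connection, queue and command security, rights held by groups) written out as RACF TSO commands. This is an added, constructed example and not any poster's own commands; the queue manager name QM01, the library MQM.V7.SCSQAUTH, the user IDs and the group names are assumed, the MQ classes are assumed to be active with queue, connection and command security switched on, and the command queue is the z/OS command server input queue SYSTEM.COMMAND.INPUT.

```tso
/* Constructed example: RACF commands for the scheme described above. */
/* Assumed names: queue manager QM01, MQ load library MQM.V7.SCSQAUTH,*/
/* groups MQDISP (display only) and MQADMIN (modify), users OPER01    */
/* and MQADM1. Run under TSO with your site's RACF admin authority.   */

/* 1. Rights are held by groups; users are connected to the groups.  */
ADDGROUP MQDISP  SUPGROUP(SYS1) DATA('MQ display-only users')
ADDGROUP MQADMIN SUPGROUP(SYS1) DATA('MQ administrators')
CONNECT OPER01 GROUP(MQDISP)
CONNECT MQADM1 GROUP(MQADMIN)

/* 2. Lock down the load library that holds CSQUTIL.                 */
ADDSD 'MQM.V7.SCSQAUTH' UACC(NONE)
PERMIT 'MQM.V7.SCSQAUTH' ID(MQDISP MQADMIN) ACCESS(READ)

/* 3. Protect the program by name (PROGRAM class), so a library on    */
/*    the link list does not bypass the check. Then refresh control.  */
RDEFINE PROGRAM CSQUTIL ADDMEM('MQM.V7.SCSQAUTH'//NOPADCHK) UACC(NONE)
PERMIT CSQUTIL CLASS(PROGRAM) ID(MQDISP MQADMIN) ACCESS(READ)
SETROPTS WHEN(PROGRAM) REFRESH

/* 4. Connection security: CSQUTIL connects as a batch job.           */
RDEFINE MQCONN QM01.BATCH UACC(NONE)
PERMIT QM01.BATCH CLASS(MQCONN) ID(MQDISP MQADMIN) ACCESS(READ)

/* 5. Queue security for the queues the COMMAND function uses.       */
SETROPTS GENERIC(MQQUEUE MQCMDS)
RDEFINE MQQUEUE QM01.SYSTEM.COMMAND.INPUT UACC(NONE)
PERMIT QM01.SYSTEM.COMMAND.INPUT CLASS(MQQUEUE) ID(MQDISP MQADMIN) ACCESS(UPDATE)
RDEFINE MQQUEUE QM01.SYSTEM.COMMAND.REPLY.MODEL UACC(NONE)
PERMIT QM01.SYSTEM.COMMAND.REPLY.MODEL CLASS(MQQUEUE) ID(MQDISP MQADMIN) ACCESS(UPDATE)
RDEFINE MQQUEUE QM01.SYSTEM.CSQUTIL.** UACC(NONE)
PERMIT QM01.SYSTEM.CSQUTIL.** CLASS(MQQUEUE) ID(MQDISP MQADMIN) ACCESS(UPDATE)

/* 6. Command security: DISPLAY for both groups, everything else     */
/*    (ALTER, DEFINE, DELETE, START, STOP ...) for MQADMIN only.      */
RDEFINE MQCMDS QM01.DISPLAY.** UACC(NONE)
PERMIT QM01.DISPLAY.** CLASS(MQCMDS) ID(MQDISP MQADMIN) ACCESS(READ)
RDEFINE MQCMDS QM01.** UACC(NONE)
PERMIT QM01.** CLASS(MQCMDS) ID(MQADMIN) ACCESS(ALTER)

/* 7. Bring the in-storage profiles up to date.                      */
SETROPTS RACLIST(MQCONN MQQUEUE MQCMDS) REFRESH
```

A user in MQDISP can then load and run CSQUTIL and issue DISPLAY commands, while a user outside both groups is refused at the library or PROGRAM check before the queue manager is ever reached.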
Vitor
Posted: Wed Apr 22, 2009 5:47 am    Post subject:
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA

Mr Butcher wrote:
> It is not very handsome to assign rights by userid, so best practice is to define groups in RACF with various rights, e.g. one group with display rights only and one group with modify rights only, then assign users to these groups. We also have groups by projects.

You'll find most if not all z/OS sites have clearly defined RACF standards (including things like group membership) that you can just slot into.
Indeed, on most if not all sites, suggesting that the RACF standards might need to be amended will put you in meetings for months discussing this dangerous and radical move. Suggesting that they might need to be changed will probably have the IT security staff & auditors piling wood outside the office so you can be burnt for heresy...

_________________
Honesty is the best policy.
Insanity is the best defence.
bruce2359
Posted: Wed Apr 22, 2009 7:12 am    Post subject:
Poobah, Joined: 05 Jan 2008, Posts: 9469, Location: US: west coast, almost. Otherwise, enroute.

AMASPZAP is an interesting example. It is potentially the most damaging MVS utility; yet it lives in SYS1.LINKLIB, a dataset in the freebie list, a dataset whose name need not be known in order to execute programs in it.
RACF allows for rules about access to datasets, program execution, and program access to datasets.
Execution of the zap utility is usually restricted to jobs submitted by tech support folks, like SMP/E.

_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
cicsprog
Posted: Tue Apr 28, 2009 12:34 pm    Post subject:
Partisan, Joined: 27 Jan 2002, Posts: 347

In ACF2 you could program path access... I don't think RACF has that feature yet... HINT IBM