RACF MQCONN question
PeterPotkay
PostPosted: Tue Dec 29, 2009 4:56 pm    Post subject: RACF MQCONN question

Poobah

Joined: 15 May 2001
Posts: 7717

We are just starting to experiment with RACF and MQ.

Test Queue Manager is MQX1 on z/OS 1.10 with MQ 7.

The requirement is that the hlq.NO.CONNECT.CHECKS switch profile is not defined. That's it - that is the entire requirement at this point.

MQX1.NO.SUBSYS.SECURITY is NOT defined.

So if I then ask the RACF dudes and dudettes to define the following:
Code:

RDEFINE MQCONN MQX1.BATCH UACC(READ)
RDEFINE MQCONN MQX1.CICS UACC(READ)
RDEFINE MQCONN MQX1.IMS UACC(READ)
RDEFINE MQCONN MQX1.CHIN UACC(READ)


And then ask them to make sure this profile does NOT exist:
Code:

RDEFINE MQADMIN MQX1.NO.CONNECT.CHECKS


I then restart the QM, verify with the DISPLAY SECURITY command that the MQX1.NO.CONNECT.CHECKS switch was NOT found, and I'm good? The requirement is met, yet no one will be impacted because my UACCs are all set to READ, meaning everyone can still connect?

I know this in itself is pointless from a security perspective, but I'm just trying to satisfy the initial requirement right now and will clamp down tighter as we move forward.
_________________
Peter Potkay
Keep Calm and MQ On
bruce2359
PostPosted: Tue Dec 29, 2009 6:37 pm    Post subject: Re: RACF MQCONN question

Poobah

Joined: 05 Jan 2008
Posts: 9400
Location: US: west coast, almost. Otherwise, enroute.

Quote:
The requirement is that the hlq.NO.CONNECT.CHECKS switch profile is not defined. That's it - that is the entire requirement at this point.

MQX1.NO.SUBSYS.SECURITY is NOT defined.

So if I then ask the RACF dudes and dudettes to define the following:
Code:

RDEFINE MQCONN MQX1.BATCH UACC(READ)
RDEFINE MQCONN MQX1.CICS UACC(READ)
RDEFINE MQCONN MQX1.IMS UACC(READ)
RDEFINE MQCONN MQX1.CHIN UACC(READ)

I rented an old house in San Francisco a long time ago. The light switches, just like these RACF switches, were installed upside down. You flip them up (ON) to turn the lights OFF.

So, not defining the NO.SUBSYS.SECURITY switch, security checks will be made - depending on the remaining switches - also installed upside down.

Since the requirement is to impose MQCONN checks, the NO.CONNECT.CHECKS switch must not be defined.

Setting the MQCONN profiles UACC(READ) for .BATCH, .CICS, .IMS and MCA (.CHIN), allows everyone to MQCONN.

Is anything being done with ssid.RESLEVEL? At MQCONN time, there is a second check against the ssid.RESLEVEL profile.

Quote:
I know this in itself is pointless from a security perspective, but I'm just trying to satisfy the initial requirement right now and will clamp down tighter as we move forward.

This is a good way to begin securing stuff. RACF is very flexible. It allows for a warning (as opposed to a fail) if a new rule is implemented as part of testing.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Mr Butcher
PostPosted: Tue Dec 29, 2009 11:27 pm    Post subject: Re: RACF MQCONN question

Padawan

Joined: 23 May 2005
Posts: 1716

AFAIK, UACC profiles will not work for restricted users. They must be granted access to that profile either by userid or by group.

However, this only comes into account if you have these kinds of users, and if these need to connect to MQ.
_________________
Regards, Butcher
zpat
PostPosted: Wed Dec 30, 2009 12:58 am    Post subject: Re: RACF MQCONN question

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

bruce2359 wrote:
I rented an old house in San Francisco a long time ago. The light switches, just like these RACF switches, were installed upside down. You flip them up (ON) to turn the lights OFF.

I've often wondered why the USA has all their light switches upside down - over here it is down for ON and up for OFF!

But then we do drive on the left....
nathanw
PostPosted: Wed Dec 30, 2009 1:44 am    Post subject: Re: RACF MQCONN question

Knight

Joined: 14 Jul 2004
Posts: 550

zpat wrote:
But then we do drive on the left....

which of course is the right side to drive
_________________
Who is General Failure and why is he reading my hard drive?

Artificial Intelligence stands no chance against Natural Stupidity.

Only the User Trace Speaks The Truth
bruce2359
PostPosted: Wed Dec 30, 2009 7:00 am    Post subject: Re: RACF MQCONN question

Poobah

Joined: 05 Jan 2008
Posts: 9400
Location: US: west coast, almost. Otherwise, enroute.

Quote:
AFAIK, UACC profiles will not work for restricted users. They must be granted access to that profile either by userid or by group.

However, this only comes into account if you have these kinds of users, and if these need to connect to MQ.

Mr. Butcher is referring to the most restrictive rule applies theme of RACF. So, if some other rule denies MQCONN, then that user or group cannot MQCONN.

Of course, the best-practice is to set UACC for everything to none, then grant access by rule. I believe this is likely the destination Mr. Potkay has in mind.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
PeterPotkay
PostPosted: Wed Dec 30, 2009 7:27 am    Post subject: Re: RACF MQCONN question

Poobah

Joined: 15 May 2001
Posts: 7717

Yup, eventually UACC will be NONE and the specific IDs and Groups will be granted ACCESS(READ) to the MQCONN class. Baby steps.

The auditors do not have any rules around who can connect. The only requirement dealing with MQCONN is specifically that the hlq.NO.CONNECT.CHECKS switch profile is not defined. If that's what they want, that's what they'll get!

I have to go thru and deal with the rest of the classes as well. Some are more restrictive than others. My goal is to meet the auditors requirements in Phase I. Phase II will be to apply some common sense to it while still meeting the requirements.
_________________
Peter Potkay
Keep Calm and MQ On
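The two phases described in this thread (bruce2359's "UACC NONE, then grant by rule" and Peter's "eventually UACC will be NONE and the specific IDs and Groups will be granted ACCESS(READ)"), written out as RACF commands. This is an added example, not commands posted by anyone in the thread; the group names MQBATCHG, MQCICSG, MQIMSG and MQCHING are placeholders I made up, and it assumes the MQCONN class is RACLISTed as the MQ documentation requires.

```tso
/* Added example, not from the thread. Queue manager MQX1.              */
/* Group names MQBATCHG, MQCICSG, MQIMSG, MQCHING are placeholders.     */

/* Phase I, exactly as in the opening post: profiles exist so the       */
/* auditor's requirement (no MQX1.NO.CONNECT.CHECKS switch) is met,    */
/* but UACC(READ) still lets every user MQCONN.                          */
RDEFINE MQCONN MQX1.BATCH UACC(READ)
RDEFINE MQCONN MQX1.CICS  UACC(READ)
RDEFINE MQCONN MQX1.IMS   UACC(READ)
RDEFINE MQCONN MQX1.CHIN  UACC(READ)

/* Phase II: close the default. WARNING means RACF logs an ICH408I      */
/* for a caller that would have failed, but still lets it connect, so   */
/* you find forgotten jobs/regions before anything breaks.              */
RALTER MQCONN MQX1.BATCH UACC(NONE) WARNING
RALTER MQCONN MQX1.CICS  UACC(NONE) WARNING
RALTER MQCONN MQX1.IMS   UACC(NONE) WARNING
RALTER MQCONN MQX1.CHIN  UACC(NONE) WARNING

/* Grant READ per connection type by group. Users with the RESTRICTED   */
/* attribute never get access through UACC, so an explicit PERMIT like  */
/* these is the only thing that works for them (Mr Butcher's point).    */
PERMIT MQX1.BATCH CLASS(MQCONN) ID(MQBATCHG) ACCESS(READ)
PERMIT MQX1.CICS  CLASS(MQCONN) ID(MQCICSG)  ACCESS(READ)
PERMIT MQX1.IMS   CLASS(MQCONN) ID(MQIMSG)   ACCESS(READ)
/* MQCHING must contain the channel initiator's started-task user ID,  */
/* or no channel will be able to connect to MQX1.                        */
PERMIT MQX1.CHIN  CLASS(MQCONN) ID(MQCHING)  ACCESS(READ)

/* Make the in-storage profiles match what is on the RACF database.     */
SETROPTS RACLIST(MQCONN) REFRESH

/* Once the ICH408I warnings have gone quiet, enforce.                  */
RALTER MQCONN MQX1.BATCH NOWARNING
RALTER MQCONN MQX1.CICS  NOWARNING
RALTER MQCONN MQX1.IMS   NOWARNING
RALTER MQCONN MQX1.CHIN  NOWARNING
SETROPTS RACLIST(MQCONN) REFRESH

/* On the queue manager side, DISPLAY SECURITY (as Peter does) should   */
/* still report the MQX1.NO.CONNECT.CHECKS switch as not found, which   */
/* is what keeps the MQCONN checks above active.                         */
```

Bruce's reminder about ssid.RESLEVEL still applies: the MQCONN profile decides whether the connection is allowed, while MQX1.RESLEVEL in MQADMIN decides how many user IDs are checked on later resource access, so it needs its own review.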
exerk
PostPosted: Wed Dec 30, 2009 8:05 am    Post subject: Re: RACF MQCONN question

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

PeterPotkay wrote:
...Phase II will be to apply some common sense to it while still meeting the requirements.

Don't let them catch you doing this - auditors and common sense are mutually exclusive!
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.