ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexIBM MQ Securitysecurity mq RACF Mainframe

Post new topicReply to topic
security mq RACF Mainframe View previous topic :: View next topic
Author Message
Karine
PostPosted: Fri Jun 08, 2018 1:20 am Post subject: security mq RACF Mainframe Reply with quote

Newbie

Joined: 08 Jun 2018
Posts: 1

Hello,

I am not a RACF administrator but I have to ask the team in charge of RACF to set up rights mqseries. We are in version 8.


- On production, I need :
- Application teams can't put, get or delete messages via their website (SVRCONN channel).
- View all mqseries objects on a qmgr but not create, delete or modify objects.

- On development, I need:
- The application teams have the rights to put, get and delete messages via their website.
- View all mqseries objects on a qmgr but not create, delete or modify objects.


For each RACF class, what should I ask to RACF team ?

Thank you in advance for your help.
Back to top
View user's profile Send private message
bruce2359
PostPosted: Fri Jun 08, 2018 4:33 am Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 8418
Location: US: west coast, almost. Otherwise, enroute.

How do you ask your midrange admins for similar authorizations?

Have your asked your m/f security folks? What did they say?
_________________
There are two types of people in this world:
1) Those that can extrapolate from incomplete data
Back to top
View user's profile Send private message
Vitor
PostPosted: Fri Jun 08, 2018 5:08 am Post subject: Re: security mq RACF Mainframe Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25732
Location: Ohio, USA

Karine wrote:
For each RACF class, what should I ask to RACF team ?


You shouldn't need new classes.

Have you read this?

If this is a new z/OS install, they will need to enable security as described. Once the RACF team have done this, you'll need to list out for them the profiles, users and access levels you need.

You mention a website; does that use a non-human id to access MQ or pass the users through? In any event you'll need to ask how (or if) distributed ids map to RACF ids at your site. If they don't, you will need to establish the correct UACC on the profile.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
Vitor
PostPosted: Fri Jun 08, 2018 5:33 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25732
Location: Ohio, USA

Top tip - when someone tries an operation that fails, impress on them the need to record the exact date and time of the failure. RACF is very good at logging requests it refuses and the information contained in the syslog is invaluable in working out which profile was invoked and what happened.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
bruce2359
PostPosted: Sun Jun 10, 2018 7:41 am Post subject: Re: security mq RACF Mainframe Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 8418
Location: US: west coast, almost. Otherwise, enroute.

Karine wrote:
Hello,

I am not a RACF administrator ...


Your requirements for securing MQ objects are no different on z/OS than on midrange windows/unix. That is, who (which groups/userids) can access what resources (queues) with what access (get, put, browse, ...). MQ admins do not specifically request o/s features (inodes, semaphores, RAM) for MQ-using apps.

As mentioned by my worthy associate, in order to meet your general requirements, the z/OS security folks will need to enable some RACF-specific things (user/group/resource profiles) - if they have not already done so.
_________________
There are two types of people in this world:
1) Those that can extrapolate from incomplete data
Back to top
View user's profile Send private message
gbaddeley
PostPosted: Mon Jun 11, 2018 5:08 pm Post subject: Re: security mq RACF Mainframe Reply with quote

Padawan

Joined: 25 Mar 2003
Posts: 1982
Location: Melbourne, Australia

Karine wrote:
Hello,
I am not a RACF administrator but I have to ask the team in charge of RACF to set up rights mqseries. We are in version 8.

As an MQ administrator on z/OS, you need to gain an understanding of how MQ uses z/OS sercurity services (eg. RACF) to provide authorizations. You will then know what requests to make to the RACF team. There are plenty of resources on Internet that cover this topic, eg.
https://www.ibm.com/developerworks/websphere/library/techarticles/1103_schneider/1103_schneider.html
https://www.ibm.com/developerworks/websphere/library/techarticles/1003_schneider/1003_schneider.html
_________________
Glenn
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexIBM MQ Securitysecurity mq RACF Mainframe
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.