MQSeries.net Forum Index » IBM MQ Security » Setting up security on z/OS
Setting up security on z/OS
kordi
PostPosted: Wed Jul 22, 2020 11:53 pm    Post subject: Setting up security on z/OS

Centurion

Joined: 28 May 2012
Posts: 145
Location: PL

Dear MQ Specialists,

As I am totally new to the mainframe, I am facing problems that I have never had before on distributed platforms.

I am basically trying to set up OAM on z/OS. While it is a pleasure and a piece of cake on Linux, RACF is a kind of magic to me.

Right now I am testing how I can secure channels and queues using the standard CHLAUTH features. This is what I am doing:
1. mapping a Linux user to a non-privileged RACF user on z/OS with CHLAUTH - works
2. granting put/get on a queue for this non-privileged user with RACF profiles - doesn't.

In the logs I am getting this error, coming from the channel initiator user:

ICH408I USER({username}) GROUP($PROC ) NAME(MQS CHANNEL STC )
MQU2.UKURS7.PYTHON.QL CL(MQQUEUE )
INSUFFICIENT ACCESS AUTHORITY
FROM MQU2.** (G)
ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE )

I am a bit confused because I would assume the channel initiator should have access to this queue, but it does not. Should I grant the CHINIT user access to each and every new queue? What are the best practices for securing MQ on z/OS that you would recommend?

I much appreciate any help.
fjb_saper
PostPosted: Thu Jul 23, 2020 4:45 am    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Doesn't the CHINIT need access to all queues, in case the channel agent has to put a message to it?
_________________
MQ & Broker admin
Vitor
PostPosted: Thu Jul 23, 2020 5:00 am    Post subject: Re: Setting up security on z/OS

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

kordi wrote:
I am basically trying to set up OAM on z/OS. While it is a pleasure and a piece of cake on Linux, RACF is a kind of magic to me.

Dark, dark magic. We use it to scare off the distributed people.

kordi wrote:
I am a bit confused because I would assume the channel initiator should have access to this queue, but it does not.

Aside from the usual advice to never assume anything, the design position of RACF as a security subsystem is "no you can't". So unless you have granted the CHINIT user access to the queues, it won't have access, which seems to be the position.

kordi wrote:
Should I grant the CHINIT user access to each and every new queue?

Yes.

But that's not as hard as it sounds. Please take a seat, RACF 101 is in session:

Observe the error:
Code:

MQU2.UKURS7.PYTHON.QL CL(MQQUEUE )
INSUFFICIENT ACCESS AUTHORITY
FROM MQU2.** (G)
ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE )


RACF is dark magic, but it does try to help. It tells you the object name, the type and, critically, the RACF profile (MQU2.**) as well as the access requested. So you can fix this by amending that profile so that the user has UPDATE access.

Note the ** and the (G). This means that the profile applies to all objects that match, so by doing this you've given the CHINIT user get/put access to every queue that starts with MQU2, even ones that don't exist yet.

Class ends, there may be a test later.

kordi wrote:
What are the best practices for securing MQ on z/OS that you would recommend?

Get yourself someone on the z/OS system programming team to help. Hopefully whoever's changing these profiles for you, as I doubt you have the access to do it yourself (and if you have, be very careful - a really simple mistake can lock people out of z/OS. There's no equivalent of a root user who can go in and fix things).

Plan carefully. Look at the z/OS object names and the documented RACF profile types in the MQ documentation. Create the minimum number of profiles you need using wildcards and RACF user groups.
_________________
Honesty is the best policy.
Insanity is the best defence.
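As an added illustration (not code from the thread or from IBM), here is a small Python triage helper that parses ICH408I messages like the one above into the fields Vitor walks through (resource, class, deciding profile, whether it is generic, access intent versus allowed) and states the resulting grant. The user ids and the second event are constructed; it also handles an event with no FROM line, which I take to mean a discrete profile carrying the resource's own name (an assumption about the message format, not something the thread states).

```python
import re
from dataclasses import dataclass

# Constructed syslog excerpt (user ids made up): the thread's ICH408I event,
# plus a second constructed one where a discrete profile made the decision.
SAMPLE_LOG = """\
ICH408I USER(CHINUSR) GROUP($PROC ) NAME(MQS CHANNEL STC )
MQU2.UKURS7.PYTHON.QL CL(MQQUEUE )
INSUFFICIENT ACCESS AUTHORITY
FROM MQU2.** (G)
ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE )
ICH408I USER(APPUSR1) GROUP(MQAPPS ) NAME(APP TEAM USER )
MQU2.APP.REQUEST CL(MQQUEUE )
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
"""

@dataclass
class Ich408i:
    user: str
    resource: str
    resource_class: str
    profile: str    # RACF profile that made the decision
    generic: bool   # True when the FROM line carried (G)
    intent: str
    allowed: str

def parse_ich408i(text: str) -> list[Ich408i]:
    events = []
    for chunk in re.split(r"(?=ICH408I )", text):  # one chunk per event
        if not chunk.startswith("ICH408I"):
            continue
        m_user = re.search(r"USER\((\S+?)\s*\)", chunk)
        m_res = re.search(r"^(\S+)\s+CL\((\S+?)\s*\)", chunk, re.M)
        m_acc = re.search(r"INTENT\((\S+?)\s*\)\s+ACCESS ALLOWED\((\S+?)\s*\)", chunk)
        if not (m_user and m_res and m_acc):
            continue  # truncated or unrelated continuation line: skip it
        # Assumption: FROM names the deciding profile only when it differs from
        # the resource name ((G) = generic mask); no FROM = discrete profile.
        m_from = re.search(r"FROM (\S+)(?: \((G)\))?", chunk)
        events.append(Ich408i(
            m_user.group(1), m_res.group(1), m_res.group(2),
            m_from.group(1) if m_from else m_res.group(1),
            bool(m_from and m_from.group(2)), m_acc.group(1), m_acc.group(2)))
    return events

def remediation(ev: Ich408i) -> str:
    """The one change the event points at, with the reach of a generic grant."""
    reach = (f"generic: grant covers every {ev.resource_class} matching {ev.profile}"
             if ev.generic else "discrete")
    return (f"{ev.user} needs {ev.intent} (has {ev.allowed}) on "
            f"{ev.resource_class} profile {ev.profile} [{reach}]")
```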
kordi
PostPosted: Thu Jul 23, 2020 5:07 am    Post subject:

Centurion

Joined: 28 May 2012
Posts: 145
Location: PL

I much appreciate your answers, especially the sarcastic ones.

So, as I understand it, there are two steps in order to have a non-privileged user access the queue:
1. First (is it something you do right after you install MQ on z/OS?) grant the CHINIT user access to all queues.
2. Grant the regular user access to the specific queue where it wants to get/put messages.

Is this correct?
Vitor
PostPosted: Thu Jul 23, 2020 5:50 am    Post subject:

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

kordi wrote:
I much appreciate your answers, especially the sarcastic ones.

I'm full service; information with sarcasm at no extra charge.

kordi wrote:
Is this correct?

Not quite. On z/OS there's no such thing as a privileged user; there's no equivalent of mqm who's allowed to access everything. So every user (including the one running the MQ subsystem with a queue manager in it) has to be authorized through RACF. So you get users (like the subsystem user and the CHINIT user) who are on more, and more generic, RACF profiles than other users, but there's nothing inherent about them that gives them access. Setting that up is one of the install steps in the MQ z/OS documentation (which I urge you to have a read of; there's a lot of information about RACF buried in there).

So to your steps:

1. Make sure "system level" users like CHINIT have access to all the resources they need. This is, as you say, typically done after install and with sufficiently generic profiles that you don't need to modify them much in the future.

2. Grant other users access to their specific application queues. I strongly, strongly, strongly recommend that you make full use of RACF groups and wildcard profiles to keep the number of definitions down. It's very easy to bury yourself in an administrative nightmare. Adjust queue naming standards if needed. Also discuss with your z/OS sys prog if you can avoid specifying names or groups with the UACC attribute in some cases.
_________________
Honesty is the best policy.
Insanity is the best defence.
kordi
PostPosted: Thu Jul 23, 2020 12:37 pm    Post subject:

Centurion

Joined: 28 May 2012
Posts: 145
Location: PL

Vitor wrote:
I'm full service; information with sarcasm at no extra charge.

Sarcasm is the highest form of intelligence, researchers say.

I really do (and it is not sarcasm) appreciate your help. As I am totally new to MF and have much more experienced teammates in the old yet beautiful z/OS, I will discuss the RACF mysteries further with them.

Assuming you can manage MQ everywhere because you are good at it on distributed systems is horribly wrong.

You did one more good deed today Vitor, many thanks!