Protecting Resources › Message Queue Manager Protection

Message Queue Manager Protection

The IBM Message Queue Manager (MQSERIES or MQM) is an APPC‑based application. MQM performs SAF RACROUTE calls that can have an impact on your system security.

MQM Resource Classes

CA Top Secret has six MQSERIES (MQM) resource classes defined to the RDT.

To activate the MQSERIES resource classes

1. Enter the commands:

   TSS ADDTO(anydept) MQADMIN(csq1.)
   

   TSS ADDTO(anydept) MQQUEUE(csq1.)
   

   TSS ADDTO(anydept) MQCONN(csq1.)
   

   TSS ADDTO(anydept) MQCMDS(csq1.)
   

   TSS ADDTO(anydept) MQPROC(csq1.)
   

   TSS ADDTO(anydept) MQNLIST(csq1.)
   

   Note the following:

   • Replace csq1 with the name of each MQSERIES subsystem name.
   • The MQSERIES default subsystem name is CSQ1.
   • All MQSERIES resources must be owned in CA Top Secret via TSS ADDTO commands as shown above. Failure to add/own all MQSERIES resources results in MQSERIES denying access to resources for no obvious reason. Having all MQSERIES resources owned means that PERMITs must be setup before users can access MQSERIES. These PERMITs are discussed next.
2. Enter the command:

   TSS PER(acid) MQADMIN(csql.) 
                 ACCESS(UPDATE)
   

   The resource classes are authorized.

MQM Ownership Removal

To remove ownership of an MQSERIES (MQM) resource

1. Revoke all permissions for the resource. For example:

   TSS REV(acid) MQADMIN(csql.)
   

   You cannot specify an access level or the command will fail.

2. Remove the ownership of the MQSERIES (MQM) resource. For example:

   TSS REMOVE(anydept) MQADMIN(csql.)
   

MQM Started Task ACID

Create one ACID for the MQSERIES started‑task(s) and define the ACID in the CA Top Secret started task table. For example:

TSS CREATE(MQM) TYPE(USER)
                NAME('MQM ACID') 
                FACILITY(STC)
                DEPARTMENT(OPSDEPT)
                PASSWORD(NOPW,0)

TSS ADDTO(STC) ACID(MQM)
               PROCNAME(CSQ1MSTR)

MQM Facility Definition

Define a facility for MQSERIES (MQM) so that access of MQM by user ACIDs can be controlled. MQM signs on each user ACID in the MQM facility when MQM requests them. The MQM facility can control which ACIDs can use MQM.

The MQM initialization program is CSQ.

Example: define an MQM facility

This example defines an MQM facility:

TSS MODIFY FACILITY(USERx=NAME=MQM,PGM=CSQ)
TSS ADD(MQM) MASTFAC(MQM)

MQM Switch Profiles

Specific levels of security can be disabled in an MQM subsystem with switch profiles. A switch profile is a specifically named PERMIT given to an MQM subsystem. If the PERMIT exists, MQM recognizes the switch as being set. CA Top Secret does not allow masking of the switch names.

Example: switch profiles

This example sets the switch profile that disables MQM command security issue:

TSS PERMIT(mqm‑acid) MQADMIN(CSQ1.NO.CMD.CHECKS)

Level of MQM Security

The RESLEVEL permission can specify the level of MQSERIES (MQM) security in effect for any user or any CICS region. The level of access granted to the MQADMIN resource named csq1.RESLEVEL. is used to determine the level of MQSERIES security for that user or CICS region. Giving:

• READ or no‑access means the user or CICS region follows normal MQSERIES security checking
• ALTER authority exempts the user or CICS region from further MQSERIES security checking

  TSS PERMIT(acid) MQADMIN(csq1.RESLEVEL) 
                   ACCESS(ALL)
  

After changing a user's MQSERIES authority, issue the MQSERIES command REVERIFY SECURITY(userid) to notify MQSERIES to refresh the user within the MQSERIES region. The user cannot logoff/logon to make an MQSERIES‑related security change take effect. Use REVERIFY SECURITY(userid) command.

Access Profiles

You can set up, display, define, alter, and delete access profiles.

Examples: access profiles

This example grants functions:

TSS CREATE(MQMDISP) TYPE(PROFILE)
                    FACILITY(MQM) 
                    NAME('MQM ACCESS/DISPLAY')...

TSS PERMIT(MQMDISP) MQCONN (CSQ1.BATCH)
                    ACCESS(READ)

TSS PERMIT(MQMDISP) MQCMDS (CSQ1.DISPLAY)
                    ACCESS(READ)

TSS PERMIT(MQMDISP) MQQUEUE(CSQ1.SYSTEM.COMMAND.INPUT) 
                    ACCESS(UPDATE)

TSS PERMIT(MQMDISP) MQQUEUE(CSQ1.SYSTEM.CSQOREXX.)
                    ACCESS(UPDATE)

This example defines functions:

TSS CREATE(MQMDEF) TYPE(PROFILE) 
                   NAME('MQM DEFINE FUNCTIONS') ...

TSS PERMIT(MQMDEF) MQCMDS (CSQ1.DEFINE)
                   ACCESS(ALTER)

TSS PERMIT(MQMDEF) MQADMIN(CSQ1.QUEUE)
                   ACCESS(ALTER)

This example alters functions:

TSS CREATE(MQMALT) TYPE(PROFILE) 
                   NAME('MQM ALTER FUNCTIONS') ...

TSS PERMIT(MQMALT) MQCMDS(CSQ1.ALTER)
                   ACCESS(ALTER)

This example deletes functions:

TSS CREATE(MQMDEL) TYPE(PROFILE) 
                  NAME('MQM DELETE FUNCTIONS') ...

TSS PERMIT(MQMDEL) MQCMDS(CSQ1.DELETE)
                   ACCESS(ALTER) 

CICS MQSERIES Security

To enable MQSERIES security for CICS, the CICS region ACID needs:

• No access to the MQADMIN csq1.RESLEVEL resource
• All access to all other MQSERIES resources

To enable MQSERIES security for CICS:

• Remove the NORESCHK attribute from the CICS region ACID.
• The CICS region ACID may need permission to non‑MQSERIES related CICS resources. Bring up CICS without NORESCHK in a test and monitor for any resource violations against the CICS region ACID.
• Ensure the CICS region ACID is in FAIL mode.
• Give the CICS region ACID the following permissions:

  TSS PERMIT(cicsacid) MQADMIN(csq1.RESLEVEL) 
                       ACCESS(NONE)
  

  TSS PERMIT(cicsacid) MQADMIN(csq1.*) 
                       ACCESS(ALL)
  

  TSS PERMIT(cicsacid) MQQUEUE(csq1.*) 
                       ACCESS(ALL)
  

  TSS PERMIT(cicsacid) MQNLIST(csq1.*) 
                       ACCESS(ALL)
  

  TSS PERMIT(cicsacid) MQCMDS(csq1.*) 
                       ACCESS(ALL)
  

  TSS PERMIT(cicsacid) MQPROC(csq1.*) 
                       ACCESS(ALL)
  

  TSS PERMIT(cicsacid) MQCONN(csq1.CICS) 
                       ACCESS(ALL)