The IBM Message Queue Manager (MQSERIES or MQM) is an APPC‑based application. MQM performs SAF RACROUTE calls that can have an impact on your system security.
CA Top Secret has six MQSERIES (MQM) resource classes defined to the RDT.
To activate the MQSERIES resource classes
TSS ADDTO(anydept) MQADMIN(csq1.)
TSS ADDTO(anydept) MQQUEUE(csq1.)
TSS ADDTO(anydept) MQCONN(csq1.)
TSS ADDTO(anydept) MQCMDS(csq1.)
TSS ADDTO(anydept) MQPROC(csq1.)
TSS ADDTO(anydept) MQNLIST(csq1.)
Note the following:
TSS PER(acid) MQADMIN(csq1.)
    ACCESS(UPDATE)
The resource classes are authorized.
To remove ownership of an MQSERIES (MQM) resource
TSS REV(acid) MQADMIN(csq1.)
You cannot specify an access level or the command will fail.
TSS REMOVE(anydept) MQADMIN(csq1.)
Create one ACID for the MQSERIES started‑task(s) and define the ACID in the CA Top Secret started task table. For example:
TSS CREATE(MQM) TYPE(USER)
    NAME('MQM ACID')
    FACILITY(STC)
    DEPARTMENT(OPSDEPT)
    PASSWORD(NOPW,0)
TSS ADDTO(STC) ACID(MQM)
    PROCNAME(CSQ1MSTR)
Define a facility for MQSERIES (MQM) so that access to MQM by user ACIDs can be controlled. MQM signs on each user ACID in the MQM facility when MQM requests it. The MQM facility can control which ACIDs can use MQM.
The MQM initialization program is CSQ.
Example: define an MQM facility
This example defines an MQM facility:
TSS MODIFY FACILITY(USERx=NAME=MQM,PGM=CSQ)
TSS ADD(MQM) MASTFAC(MQM)
Specific levels of security can be disabled in an MQM subsystem with switch profiles. A switch profile is a specifically named PERMIT given to an MQM subsystem. If the PERMIT exists, MQM recognizes the switch as being set. CA Top Secret does not allow masking of the switch names.
Example: switch profiles
This example sets the switch profile that disables MQM command security checking:
TSS PERMIT(mqm‑acid) MQADMIN(CSQ1.NO.CMD.CHECKS)
The RESLEVEL permission can specify the level of MQSERIES (MQM) security in effect for any user or any CICS region. The level of access granted to the MQADMIN resource named csq1.RESLEVEL determines the level of MQSERIES security for that user or CICS region. Giving:
TSS PERMIT(acid) MQADMIN(csq1.RESLEVEL)
    ACCESS(ALL)
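A permit review covering both the switch profiles and the RESLEVEL permission described above, as an added example that is not CA or IBM code: it folds the continuation lines used on this page and flags MQADMIN permits that set a switch or grant RESLEVEL access other than NONE. The ACIDs in the sample are constructed, and treating every name of the form ssid.NO.xxx as a switch is an assumption generalized from the one switch name shown on this page.

```python
import re

# Constructed sample; a command starts with TSS and later lines continue it.
SAMPLE = """\
TSS PERMIT(MQM) MQADMIN(CSQ1.NO.CMD.CHECKS)
TSS PERMIT(cicsacid) MQADMIN(csq1.RESLEVEL)
ACCESS(NONE)
TSS PER(USER01) MQADMIN(csq1.RESLEVEL)
ACCESS(ALL)
TSS PERMIT(MQMDISP) MQCMDS (CSQ1.DISPLAY)
ACCESS(READ)
"""

PERMIT_RE = re.compile(r"^TSS\s+PER(?:MIT)?\s*\(\s*([^)\s]+)\s*\)", re.I)
ADMIN_RE = re.compile(r"\bMQADMIN\s*\(\s*([^)\s]+)\s*\)", re.I)
ACCESS_RE = re.compile(r"\bACCESS\s*\(\s*([^)\s]+)\s*\)", re.I)


def join_commands(text):
    """Fold continuation lines into the TSS command they belong to."""
    commands = []
    for line in (l.strip() for l in text.splitlines()):
        if line.upper().startswith("TSS ") or (line and not commands):
            commands.append(line)
        elif line:
            commands[-1] += " " + line
    return commands


def audit(text):
    """Return (acid, resource, access, reason) for permits to review."""
    findings = []
    for cmd in join_commands(text):
        acid, res, acc = (r.search(cmd) for r in (PERMIT_RE, ADMIN_RE, ACCESS_RE))
        if not (acid and res):
            continue  # not a PERMIT on the MQADMIN class
        name = res.group(1).upper()
        access = acc.group(1).upper() if acc else None
        qualifiers = name.partition(".")[2]  # text after the subsystem prefix
        if qualifiers.startswith("NO."):  # assumed switch-name shape
            findings.append((acid.group(1), name, access, "switch profile"))
        elif qualifiers == "RESLEVEL" and access != "NONE":
            findings.append((acid.group(1), name, access, "RESLEVEL not NONE"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A RESLEVEL permit with no ACCESS keyword is reported with an access of None so that the effective default can be checked by hand.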
After changing a user's MQSERIES authority, issue the MQSERIES command REVERIFY SECURITY(userid) to notify MQSERIES to refresh the user within the MQSERIES region. Logging off and back on does not make an MQSERIES‑related security change take effect; the REVERIFY SECURITY(userid) command is required.
You can set up, display, define, alter, and delete access profiles.
Examples: access profiles
This example creates a profile for the access and display functions:
TSS CREATE(MQMDISP) TYPE(PROFILE)
    FACILITY(MQM)
    NAME('MQM ACCESS/DISPLAY')...
TSS PERMIT(MQMDISP) MQCONN(CSQ1.BATCH)
    ACCESS(READ)
TSS PERMIT(MQMDISP) MQCMDS(CSQ1.DISPLAY)
    ACCESS(READ)
TSS PERMIT(MQMDISP) MQQUEUE(CSQ1.SYSTEM.COMMAND.INPUT)
    ACCESS(UPDATE)
TSS PERMIT(MQMDISP) MQQUEUE(CSQ1.SYSTEM.CSQOREXX.)
    ACCESS(UPDATE)
This example creates a profile for the define functions:
TSS CREATE(MQMDEF) TYPE(PROFILE)
    NAME('MQM DEFINE FUNCTIONS') ...
TSS PERMIT(MQMDEF) MQCMDS(CSQ1.DEFINE)
    ACCESS(ALTER)
TSS PERMIT(MQMDEF) MQADMIN(CSQ1.QUEUE)
    ACCESS(ALTER)
This example creates a profile for the alter functions:
TSS CREATE(MQMALT) TYPE(PROFILE)
    NAME('MQM ALTER FUNCTIONS') ...
TSS PERMIT(MQMALT) MQCMDS(CSQ1.ALTER)
    ACCESS(ALTER)
This example creates a profile for the delete functions:
TSS CREATE(MQMDEL) TYPE(PROFILE)
    NAME('MQM DELETE FUNCTIONS') ...
TSS PERMIT(MQMDEL) MQCMDS(CSQ1.DELETE)
    ACCESS(ALTER)
To enable MQSERIES security for CICS, the CICS region ACID needs the following permissions:
TSS PERMIT(cicsacid) MQADMIN(csq1.RESLEVEL)
    ACCESS(NONE)
TSS PERMIT(cicsacid) MQADMIN(csq1.*)
    ACCESS(ALL)
TSS PERMIT(cicsacid) MQQUEUE(csq1.*)
    ACCESS(ALL)
TSS PERMIT(cicsacid) MQNLIST(csq1.*)
    ACCESS(ALL)
TSS PERMIT(cicsacid) MQCMDS(csq1.*)
    ACCESS(ALL)
TSS PERMIT(cicsacid) MQPROC(csq1.*)
    ACCESS(ALL)
TSS PERMIT(cicsacid) MQCONN(csq1.CICS)
    ACCESS(ALL)
Copyright © 2014 CA Technologies. All rights reserved.