WebSphere Message Broker, Version 8.0.0.7
Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS
See information about the latest product version
See information about the latest product version
Summary of required access (z/OS)
The professionals in your organization require access to components and resources on z/OS®.
Authorizations required for the WebSphere Message Broker started-task user ID
The following directory authorizations are required for
all brokers:
- READ and EXECUTE access to <INSTPATH>, where <INSTPATH> is the directory where WebSphere® Message Broker for z/OS is installed by SMP/E.
- READ, WRITE, and EXECUTE access to the component directory ++COMPONENTDIRECTORY++.
- READ and WRITE access to the home directory.
- READ and WRITE access to the directory identified by ++HOME++.
- In UNIX System Services, the started task user ID and the WebSphere Message Broker administrator user ID must both be members of the groups that have access to the installation and component directories, because they both need privileges over these resources. The owner of these directories must give the appropriate permissions to this group.
All brokers need the following RACF® authorizations:
- READ and WRITE access to RACF class BPX.SMF, when you need to create SMF 117 records for accounting and statistics.
- READ access to the CSFRNG resource in the CSFSERV class.
READ access to the component PDSE is required.
WebSphere MQ authorizations
Enable WebSphere MQ security to protect your WebSphere MQ resources. If all WebSphere MQ security switches are enabled, define the following profiles, and give the started task user ID the listed access to each profile. For each profile access listed, <MQ_QMNAME> represents the WebSphere MQ queue manager that the WebSphere Message Broker component is connected to, and TASKID represents the started task user ID.
- Connection security: READ access to profile <MQ_QMNAME>.BATCH of
class MQCONN. For example, for queue manager MQP1 and started task
ID TASKID, use the RACF commands:
RDEFINE MQCONN MQP1.BATCH UACC(NONE) PERMIT MQP1.BATCH CLASS(MQCONN) ID(TASKID) ACCESS(READ)
- Connection security when content-based filtering with publish/subscribe is used: UPDATE
access to profile <MQ_QMNAME>.BATCH of class MQCONN. For
example, for queue manager MQP1 and started task ID TASKID, use
the RACF commands:
RDEFINE MQCONN MQP1.BATCH UACC(NONE) PERMIT MQP1.BATCH CLASS(MQCONN) ID(TASKID) ACCESS(UPDATE)
- Queue security: UPDATE access to profile <MQ_QMNAME>.queue of
class MQQUEUE for all queues. Consider creating profiles for the following queues:
- All component queues, by using the generic profile SYSTEM.BROKER.**
- All transmissions queues that you have defined between component queue managers.
- All queues that you have specified in message flows.
- Dead-letter queues.
- Model queues.
RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.** UACC(NONE) PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQQUEUE) ID(TASKID) ACCESS(UPDATE)
- Context security: CONTROL access to profile <MQ_QMNAME>.CONTEXT of
class MQADMIN. For example, for queue manager MQP1 and started
task ID TASKID, use the following RACF
commands:
RDEFINE MQADMIN MQP1.CONTEXT UACC(NONE) PERMIT MQP1.CONTEXT.** CLASS(MQADMIN) ID(TASKID) ACCESS(CONTROL)
- Alternate user security: Define the alternate user authority as: UPDATE access to profile
<MQ_QMNAME>.ALTERNATE.USER.id of class MQADMIN, where
id represents the start task ID of the broker component. For example, for queue
manager MQP1, started task ID TASKID, and configuration service ID
CFGID, use the following RACF commands:
UPDATE access to profile <MQ_QMNAME>.ALTERNATE.USER.id of class MQADMIN, where id represents the user ID of, for example, a publish/subscribe request.RDEFINE MQADMIN MQP1.ALTERNATE.USER.CFGID UACC(NONE) PERMIT MQP1.ALTERNATE.USER.CFGID CLASS(MQADMIN) ID(TASKID) ACCESS(UPDATE)
- Process and namelist security: If you have WebSphere MQ security switches enabled in your system for process and namelist security, you do not have to define access profiles in a WebSphere Message Broker default configuration.
- Topic security:
- Create an RACF profile to control publishing and subscribing for the administrative MQ topic SYSTEM.BROKER.MB.TOPIC:
RDEFINE MXTOPIC <MQ_QMNAME>.PUBLISH.SYSTEM.BROKER.MB.TOPIC UACC(NONE) RDEFINE MXTOPIC <MQ_QMNAME>.SUBSCRIBE.SYSTEM.BROKER.MB.TOPIC UACC(NONE)
- Grant the broker's started task ID the ability to publish on that topic:
PERMIT <MQ_QMNAME>.PUBLISH.SYSTEM.BROKER.MB.TOPIC CLASS(MXTOPIC) ID(TASKID) ACCESS(UPDATE)
- Allow the broker to subscribe to its own topics:
PERMIT <MQ_QMNAME>.SUBSCRIBE.SYSTEM.BROKER.MB.TOPIC CLASS(MXTOPIC) ID(TASKID) ACCESS(ALTER)
- Optionally, allow extra users to subscribe to those topics (required for web users or for external consumers of events) by using PERMIT as shown in the previous example for the additional user IDs.
- Create an RACF profile to control publishing and subscribing for the administrative MQ topic SYSTEM.BROKER.MB.TOPIC:
For users connecting remotely from the WebSphere Message Broker Explorer, the WebSphere Message Broker Toolkit or from a CMP API
application to the broker on z/OS,
the following authorizations are required. CMP applications include the commands
that use that interface; mqsichangeresourcestats, mqsicreateexecutiongroup, mqsideleteexecutiongroup, mqsideploy, mqsilist, mqsimode, mqsireloadsecurity, mqsireportresourcestats, mqsistartmsgflow, and mqsistopmsgflow.
- Connection security: READ access to profile <MQ_QMNAME>.CHIN of
class MQCONN. For example, for queue manager MQP1 and
started task ID TASKID, use the following RACF commands:
RDEFINE MQCONN MQP1.CHIN UACC(NONE) PERMIT MQP1.CHIN CLASS(MQCONN) ID(TASKID) ACCESS(READ)
- Alternate user security: Define the alternate user authority
as: UPDATE access to profile <MQ_QMNAME>.ALTERNATE.USER.id of
class MQADMIN, where id represents
the user ID of the WebSphere Message Broker Toolkit or CMP API application. For example, for
queue manager MQP1, started task ID TASKID,
and user ID USERID, use the following RACF commands:
RDEFINE MQADMIN MQP1.ALTERNATE.USER.USERID UACC(NONE) PERMIT MQP1.ALTERNATE.USER.USERID CLASS(MQADMIN) ID(TASKID) ACCESS(UPDATE)
Authorizations required for the WebSphere Message Broker administrator
The broker administrator requires the following authorizations:
- ALTER access to the component PDSE.
- READ, WRITE, and EXECUTE access to the component directory ++COMPONENTDIRECTORY++.
- READ and EXECUTE access to <INSTPATH>, where <INSTPATH> is the directory where WebSphere Message Broker for z/OS is installed by SMP/E.
- READ and WRITE access to the directory identified by ++HOME++.
- In UNIX System Services, the started task user ID and the WebSphere Message Broker administrator user ID must both be members of the groups that have access to the installation and component directories, because they both need privileges over these resources. The owner of these directories needs to give the appropriate permissions to this group. In addition, the WebSphere Message Broker administrator must be a member of the group that is the primary group of the started task user ID.
Authorizations required for the WebSphere MQ administrator
If the WebSphere MQ administrator
runs the WebSphere MQ pass when creating
a broker, the administrator user ID requires the following authorizations.
Alternatively, you can grant authorization to the WebSphere Message
Broker administrator to run the WebSphere MQ pass.
- ALTER access to the component PDSE.
- Directory authorizations:
- READ and EXECUTE access to <INSTPATH>, where <INSTPATH> is the directory where WebSphere Message Broker for z/OS is installed by SMP/E.
- READ, WRITE, and EXECUTE access to the component directory ++COMPONENTDIRECTORY++.
- READ and WRITE access to the directory identified by ++HOME++.
Enable WebSphere MQ security
to protect your WebSphere MQ resources.
If all WebSphere MQ security switches
are enabled, define the following profiles and give the WebSphere MQ administrator the listed access
to each profile in order to run the WebSphere MQ configurations
jobs. For each profile access listed, MQ_QMNAME represents
the WebSphere MQ queue manager that the WebSphere Message
Broker component is connected to,
and MQADMIN represents the WebSphere MQ administrator ID:
- Connection security: READ access to profile <MQ_QMNAME>.BATCH of
class MQCONN. For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN,
use the following RACF commands:
RDEFINE MQCONN MQP1.BATCH UACC(NONE) PERMIT MQP1.BATCH CLASS(MQCONN) ID(MQADMIN) ACCESS(READ)
- Queue security: UPDATE access to profile <MQ_QMNAME>.queue of
class MQQUEUE for component queues created or deleted.
You can create a generic profile SYSTEM.BROKER.** For example, for
queue manager MQP1 and WebSphere MQ administrator ID MQADMIN,
use the following RACF commands
to restrict access to the component queues:
RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.** UACC(NONE) PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQQUEUE) ID(MQADMIN) ACCESS(UPDATE)
- System command server: UPDATE access to profile <MQ_QMNAME>.queue of
class MQQUEUE for SYSTEM.COMMAND.**. For example,
for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN,
use the following RACF commands
to restrict access to the system command server:
UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for some system queues used during the create/delete job. You can create a generic profile <MQ_QMNAME>.**RDEFINE MQQUEUE MQP1.SYSTEM.COMMAND.** UACC(NONE) PERMIT MQP1.SYSTEM.COMMAND.** CLASS(MQQUEUE) ID(MQADMIN) ACCESS(UPDATE)
- Command security:
- To run the WebSphere MQ pass when
creating a component you need:
- ALTER access to <MQ_QMNAME>.DEFINE.QLOCAL of class MQCMDS.
- ALTER access to <MQ_QMNAME>.DEFINE.QMODEL of class MQCMDS.
- ALTER access to <MQ_QMNAME>.DEFINE.CHANNEL of class MQCMDS.
- To run the WebSphere MQ pass when
deleting a component you need:
- ALTER access to <MQ_QMNAME>.DELETE.QLOCAL of class MQCMDS.
- ALTER access to <MQ_QMNAME>.DELETE.QMODEL of class MQCMDS.
- ALTER access to <MQ_QMNAME>.DELETE.CHANNEL of class MQCMDS.
RDEFINE MQCMDS MQP1.DELETE.QLOCAL UACC(NONE) PERMIT MQP1.DELETE.QLOCAL CLASS(MQCMDS) ID(MQADMIN) ACCESS(ALTER)
- To run the WebSphere MQ pass when
creating a component you need:
- Resource command security: ALTER access to MQP1.QUEUE.queue of
class MQADMIN for each queue created or deleted.
You can create a generic profile SYSTEM.BROKER.**. For example, for
queue manager MQP1 and WebSphere MQ administrator ID MQADMIN,
use the RACF commands:
RDEFINE MQADMIN MQP1.QUEUE.SYSTEM.BROKER.** UACC(NONE) PERMIT MQP1.QUEUE.SYSTEM.BROKER.** CLASS(MQADMIN) ID(MQADMIN) ACCESS(ALTER)
- Process and namelist security: If you have WebSphere MQ security switches enabled in your system for process and namelist security, you do not need to define any access profiles in a WebSphere Message Broker default configuration.