CA-ACF2 Setup for MQSeries External Security

Document ID : KB000028132
Last Modified Date : 14/02/2018
Show Technical Document Details

Introduction:

The following is the information necessary to setup and use external security for MQSeries (MQM) in an CA-ACF2 environment. By default, CA-ACF2 does not secure MQM. You can choose to secure MQM using the CA SAF interface.

 

Instructions:

To enable complete security, insert the following GSO SAFDEF record:

SET C(GSO)
INSERT SAFDEF.mqm ID(mqm) FUNCRET(8) RETCODE(4) MODE(IGNORE) -
RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN) REP

Using this approach enables all aspects of MQM's external security. If you wish a more selective approach, you can use switch profiles to enable the specific areas of MQM that you determine need security controls. The following is a list of the switch profiles. (Consult the MQM documentation for an explanation of switch profiles and a complete list of them.)

MQ_mgr_name.NO.ALTERNATE.USER.CHECKS
MQ_mgr-name.NO.CMD.CHECKS
MQ_mgr_name.NO.CONNECT.CHECKS
MQ_mgr_name.NO.CONTEXT.CHECKS
MQ_mgr_name.NO.CMD.RESC.CHECKS
MQ_mgr_name.NO.NLIST.CHECKS
MQ_mgr_name.NO.PROCESS.CHECKS
MQ_mgr_name.NO.QUEUE.CHECKS
MQ_mgr_name.NO.SUBSYS.SECURITY

The MQ_mgr_name represents the MQM subsystem name. Change this to the to the name assigned to MQSeries queue manager at your location. For example, inserting the following SAFDEF records enables only connect security:

SET C(GSO)
INSERT SAFDEF.mqml ID(mqm1) FUNCRET(8) RETCODE(4) MODE(IGNORE) REP RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,ENTITYX=mqmn.NO.SUBSYS.SECURITY)

INSERT SAFDEF.mqm2 ID(mqm2) FUNCRET(8) RETCODE(4) MODE(IGNORE) REP RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN,ENTITYX=mqmn.NO.CONNECT.CHECKS)

These SAFDEF records return a NOT FOUND condition to MQM. The negative logic is that if NO.SUBSYS.SECURITY is not found, subsys security is active; if NO.CONNECT.CHECKS is not found, connection security is active. Insert similar SAFDEF records for each switch profile that you want enabled. Always insert the SAFDEF for NO.SUBSYS.SECURITY when using switch profiles. To disable security, delete the SAFDEF records you inserted and then issue the CA-ACF2 REFRESH command for the SAFDEF records.

Administering CA-ACF2 Security Records for MQM

Once you create the necessary SAFDEF records to enable security for MQM, follow these steps to ensure that eTrust CA-ACF2 performs the appropriate validation:

  1. Insert the following GSO CLASMAP records choosing a three-character resource type code for each MQM resource class.

    SET C(GSO)
    INSERT CLASMAP.mqadmin RESOURCE(MQADMIN) RSRCTYPE(mqa) ENTITYLN(62)
    INSERT CLASMAP.mqconn RESOURCE(MQCONN) RSRCTYPE(mqk) ENTITYLN(10)
    INSERT CLASMAP.mqcmds RESOURCE(MQCMDS) RSRCTYPE(mqc) ENTITYLN(22)
    INSERT CLASMAP.mqqueue RESOURCE(MQQUEUE) RSRCTYPE(mqq) ENTITYLN(53)
    INSERT CLASMAP.mqproc RESOURCE(MQPROC) RSRCTYPE(mqp) ENTITYLN(53)
    INSERT CLASMAP.mqnlist RESOURCE(MQNLIST) RSRCTYPE(mqn) ENTITYLN(53)

  2. Add the resource type codes to the INFODIR record.

    SET C(GSO)
    CHANGE INFODIR TYPES(r-rmqa, r-rmqk, r-rmqc, r-rmqq, r-rmqp, r-rmqn) add

    After adding or changing rules the resident directories should be rebuilt for the appropriate resource type code. For example:

    F ACF2,REBUILD(mqa)

  3. Write resource rules. The following example shows how to write a rule to secure the MQADMIN resource class:

    SET R(mqa)
    COMPILE * STORE
    $KEY(mqmn) TYPE(mqa)
    context UID(user1) ALLOW
    reslevel UID(*) SERVICE(update) ALLOW
    alternate.user.- UID(user2) ALLOW

    The following example shows how to write a rule to secure the MQCONN connection resource class:

    SET R(mqk)
    COMPILE * STORE
    $KEY(mqmn) TYPE(mqk)
    batch UID(user1) ALLOW
    cics UID(user2) ALLOW

  4. Define a logonid for each MQM address space using the following as an example:

    SET LID
    INSERT mqmnmstr MUSASS NON-CNCL STC

    MQM processing can use a default logonid. CA-ACF2 validates these requests using the batch default logonid. If that is not appropriate, use the MUSDLID logonid field to assign a specific default logonid to use for each MQM region as follows

    SET LID
    CHANGE mqmnmstr MUSDLID(mqmdflt)
    INSERT mqmdflt RESTRICT NAME(mqm default lid)

CA-ACF2 security for MQM deviates from the MQM documentation in these respects:

  1. You can mask the subsystem value for your MQM queue manager in CA-ACF2 resource rules.

  2. GSO SAFDEF records support switch profiles as explained above.

  3. You cannot use XREF resource grouping for the MQQUEUE resource class or any other validation invoked through a RACROUTE FASTAUTH request.

  4. Audit records are reported on the ACFRPTRV report as trace records.

  5. RESLEVEL access checking requires SAF access levels. The corrspondence between SAF access levels and CA-ACF2 SERVICE levels are as follows:

    SAF ACCESS CA-ACF2 SERVICE LEVEL
    READ READ
    UPDATE UPDATE
    CONTROL DELETE
    ALTER ADD

    The RESLEVEL resource specifies the level of MQM security in effect for a job. The level of access granted to the MQADMIN resource named mqmn.RESLEVEL is used to determine the level of MQM security for that user or CICS region. Giving READ or no-access to the mqmn.RESLEVEL resource means the user or CICS region follows full, normal MQM security checking. Giving a logonid ALTER authority to this resource, exempts the user or CICS region for all further MQM security checking. This can result in a problem for CICS regions in which the region logonid has NON-CNCL specified. NON-CNCL always indicates ALTER authority to the RESLEVEL check. MQM processing then bypasses security checking for that region. To avoid this, insert a SAFDEF record that overrides the validation return codes for the RESLEVEL check. A sample SAFDEF record follows:

    SAFDEF.mqmres1 ID(mqmres1) MODE(IGNORE) JOB(cicsjob) RETCODE(0) FUNCRET(20) FUNCRSN(n) RACROUTE(REQUEST=AUTH,CLASS=MQADMIN,ENTITYX=mqmn.RESLEVEL) REP

    Where n represents the level of access desired. Valid values are:
    0 No access
    4 READ access
    8 UPDATE access
    12 CONTROL access
    16 ALTER access
    cicsjob represents the job or jobs for which this access is desired. Omit this parameter if all jobs require the same access level.

  6. IMS OTMA, Open Transaction Manager Access, is a transaction-based connectionless client/server protocol. MQSeries can be an OTMA client that sends transactions to an IMS server. MQSeries issues the following RACROUTE call to see if a security token should be passed to the server:

    RACROUTE REQUEST=AUTH,CLASS='FACILITY',RELEASE=1.9,STATUS=WRITEONLY,
    ATTR=READ,DSTYPE=N,ENTITYX=('IMSXCF.xcfgname.xcfmname',NONE),
    FILESEQ=0,GENERIC=ASIS,LOG=ASIS,MSGSP=0,TAPELBL=STD,WORKA=

    Where xcfgname is the XCF group name and xcfmname is the XCF member name of MQSeries.

    A user token is propagated only if return/reason code 0/20:8 is returned on the RACROUTE call. The client can write a FACILITY resource rule with SERVICE(UPDATE) to give the desired reason code. Since most sites have the MQM master address space logonid defined as NON-CNCL, they will see a 0/20:16 in a SECTRACE. For this reason code, insert the following SAFDEF to get the desired SAF/RFR, adjusting the USERID below to your MQ master address space logonid:

    SAFDEF.OTMA1 ID(OTMA1) RETCODE(0) FUNCRET(20) FUNCRSN(8) -
    RACROUTE(REQUEST=AUTH,CLASS=FACILITY,ENTITYX=IMSXCF.-) -
    USERID(mqmnmstr) MODE(IGNORE) REP