IBM WebSphere MQ for z/OS - Security
Post on 22-Aug-2015
- 1. Z5: WebSphere MQ for z/OS Security. Damon Cross, Advisory Software Engineer, damon_cross@uk.ibm.com
- 2. © 2014 IBM Corporation. Please Note: IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
- 3. Abstract: This session will look at how security facilities are provided on WebSphere MQ for z/OS, including a look at what security is available, how it is activated/deactivated, what types of resources can be protected, and an insight as to how WebSphere MQ for z/OS determines which userids it uses for the checks it performs.
- 4. Agenda
  - Security Overview
  - Controlling Security for WebSphere MQ for z/OS
  - Access Control
  - Administration
  - Summary
- 6. Security Overview - What are we trying to achieve?
  - Identification: being able to identify uniquely a user of a system or an application that is running in the system.
  - Authentication: being able to prove that a user or application is genuinely who that person or what that application claims to be.
  - Access Control: protects critical resources in a system by limiting access only to authorised users and their applications. It prevents unauthorised use of a resource or the use of a resource in an unauthorised manner.
  - Auditing: tracking who has done what to what, and when.
- 7. Security Overview (continued)
  - Confidentiality: protects sensitive information from unauthorised disclosure.
  - Data Integrity: detects whether there has been unauthorised modification of data. There are two ways in which this can occur: accidentally, through hardware or transmission errors, or by deliberate attack.
  - 'Non-Repudiation': the goal is usually to prove that a particular message is associated with a particular individual.
- 8. WebSphere MQ for z/OS (non Queue Sharing Groups). [Diagram: two z/OS images, each with its own queue manager (Queue Manager A, Queue Manager B) serving IMS, CICS and batch applications; each queue manager has a mover (channel initiator) providing links to other MQ systems.]
- 9. WebSphere MQ for z/OS Queue Sharing Groups. [Diagram: a QSG of shared queue managers SQM1, SQM2 and SQM3, each with local logs, local page sets and a mover, sharing queues held in Coupling Facility structures (MQ, SQ1) and DB2; a local queue manager LQM1 with CICS, batch and IMS applications sits outside the QSG on its own z/OS image.]
- 10. Security Overview
  - SAF provides a choice of External Security Manager: RACF, ACF2, Top Secret, ...
  - WebSphere MQ has a set of classes to hold profiles; profiles provide access control capabilities.
  - Features depend upon the profiles used; z/OS control is more granular than on other systems.
  - Activate the classes, and allow generic profiles: SETROPTS CLASSACT(...), SETROPTS GENERIC(...)
  [Diagram: WebSphere MQ calls SAF, which routes the request to the External Security Manager holding the WebSphere MQ profiles.]
- 11. Security Overview (continued) - WebSphere MQ uppercase RACF classes
  - MQADMIN: switch profiles, command resource, context and alternate user profiles
  - MQCONN: connection profiles
  - MQCMDS: command profiles
  - MQQUEUE: queue profiles
  - MQPROC: process profiles
  - MQNLIST: namelist profiles
- 12. Security Overview (continued) - WebSphere MQ mixed case RACF classes
  - MXADMIN: switch profiles, command resource, context and alternate user profiles
  - MXQUEUE: queue profiles
  - MXPROC: process profiles
  - MXNLIST: namelist profiles
  - MXTOPIC: topic profiles
  Note: there are no MX... versions of the MQCONN and MQCMDS classes.
- 14. Controlling Security
  - RACF classes
  - High level qualifiers
  - Shared queue manager environment
  - Security switches: switch profiles; options available under queue sharing groups
  - Queue sharing group rules
- 15. Controlling Security - RACF Classes. What determines which classes are used? The queue manager attribute SCYCASE, which can be set to either:
  - UPPER: the default on migration and on a new Qmgr; this uses the MQ... versions of the classes (plus MXTOPIC)
  - MIXED: this uses the MX... versions of the classes
  The MQ... and MX... classes are mutually exclusive, except for MXTOPIC, which can be used whether SCYCASE(UPPER) or SCYCASE(MIXED) is specified, as there is no MQ... version!
- 16. Controlling Security - RACF Classes. What can be mixed case in an MX... class? The 'resourcename' part of a profile in one of the following classes:
  - MXADMIN: hlq.CONTEXT.resourcename, hlq.QUEUE.resourcename
  - MXPROC, MXNLIST and MXQUEUE: hlq.resourcename
  - MXTOPIC: hlq.SUBSCRIBE.resourcename, hlq.PUBLISH.resourcename
- 17. Controlling Security - RACF Classes. How do you change the classes you are using?
  - Set the queue manager attribute SCYCASE to either UPPER (the default on migration and on a new Qmgr; this uses the MQ... versions of the classes, plus MXTOPIC) or MIXED (this uses the MX... versions of the classes).
  - Issue a REFRESH SECURITY command (more later).
  - BUT first: ensure you have all the RACF profiles defined that you need in the appropriate classes.
- 18. Controlling Security - High Level Qualifiers
  - Queue manager qualified profiles use the queue manager name as the high level qualifier, for example qmgr.profile.name, and their scope is limited to the named Qmgr.
  - Queue sharing group qualified profiles use the queue sharing group id as their high level qualifier instead of a queue manager name, for example qsg.profile.name, and their scope is the named queue sharing group.
- 19. Controlling Security - Shared Queue Manager Environment
  - DB2: setting up resources in DB2; connection to DB2; access to DB2 resources
  - Coupling Facility: setting up the Coupling Facility; access to the Coupling Facility
  - Queue Sharing Groups (QSG): setting up QSGs; joining a QSG
- 20. Controlling Security - Switch Profiles: granular control of security checking
  - Subsystem security: hlq.NO.SUBSYS.SECURITY
  - Qmgr or QSG security: hlq.NO.QMGR.CHECKS, hlq.NO.QSG.CHECKS
  - In a QSG there are also 'YES' switch profiles: ssid.YES.type. These profiles are only used if you have chosen to have both Qmgr and QSG checking active and need to override a QSG level profile on a given Qmgr. The hlq on these profiles is always 'ssid', in other words the qmgr ID.
  ** You cannot set both QMGR & QSG to OFF together - if you try this you will get both Qmgr and QSG security activated **
- 21. Controlling Security - Switch Profiles (continued)
  - Connection security: hlq.NO.CONNECT.CHECKS
  - MQ command security: hlq.NO.CMD.CHECKS, hlq.NO.CMD.RESC.CHECKS
  - MQ API security: hlq.NO.QUEUE.CHECKS, hlq.NO.PROCESS.CHECKS, hlq.NO.NLIST.CHECKS, hlq.NO.CONTEXT.CHECKS, hlq.NO.ALTERNATE.USER.CHECKS, hlq.NO.TOPIC.CHECKS
  All are defined in the MQADMIN class or the MXADMIN class. All switch profiles are uppercase regardless of class.
- 22. Controlling Security - Security Switch Options. Up to three profiles are looked for when checking for subsystem security, queue manager security and QSG security. [Diagram: is the QMGR local or shared? A QMGR that is not in a QSG uses ssid profiles only; a shared QMGR may end up with QMGR-only, QSG-only, or QMGR & QSG checking.]
- 23. Controlling Security - Security Switch Options: subsystem security (flowchart, steps 1-3)
  - Local qmgr: look for ssid.NO.SUBSYS.SECURITY. Found: set subsystem security OFF on this qmgr. Not found: set subsystem security ON on this qmgr.
  - Shared qmgr: look for qsg.NO.SUBSYS.SECURITY. Not found: look for ssid.NO.SUBSYS.SECURITY; found sets subsystem security OFF on this qmgr, not found sets it ON. Found: look for ssid.YES.SUBSYS.SECURITY; found sets subsystem security ON on this qmgr, not found sets it OFF.
- 24. Controlling Security - Security Switch Options: shared queue environment, subsystem security ON, QMGR checks (flowchart, steps 4-6)
  - Look for qsg.NO.QMGR.CHECKS. Not found: look for ssid.NO.QMGR.CHECKS; found sets QMGR security OFF on this qmgr, not found sets it ON. Found: look for ssid.YES.QMGR.CHECKS; found sets QMGR security ON on this qmgr, not found sets it OFF.
- 25. Controlling Security - Switch Options: shared queue environment, subsystem security ON, QSG checks (flowchart, steps 7-9)
  - Look for qsg.NO.QSG.CHECKS. Not found: look for ssid.NO.QSG.CHECKS; found sets QSG security OFF on this qmgr, not found sets it ON. Found: look for ssid.YES.QSG.CHECKS; found sets QSG security ON on this qmgr, not found sets it OFF.
- 26. Controlling Security - Queue Sharing Group Rules
  - The default is to check ssid profiles before qsg profiles.
  - ssid.YES switch profiles override qsg.NO switch profiles.
  - QMGR checks switch ON / QSG checks switch OFF means ONLY profiles with an hlq of ssid will be used.
  - QSG checks switch ON / QMGR checks switch OFF means ONLY profiles with an hlq of qsg will be used.
  - You cannot set security OFF by setting both QMGR & QSG checking OFF together; it will default both ON.
  - Once the QMGR and QSG switches have been determined, the remaining switch profiles are checked following the QMGR/QSG rules.
  - Once the shared queue manager is up and running, all security checks are governed by the setting of the individual switch for that type of security and the QMGR/QSG switch state.
  - If both QMGR and QSG switches are ON, an hlq of ssid will be used first and, if not found, an hlq of qsg will be used.
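The switch resolution described on slides 20 to 26, as an added example that is not part of the original deck or IBM's code: a small model that walks the subsystem, QMGR/QSG and per-resource switch lookups over a constructed set of profile names (the queue manager name MQ01 and QSG name QSG1 are assumptions), so a reviewer can check what a given set of switch profiles will actually turn on or off.

```python
# Added example (not IBM's code): model of how an MQ for z/OS queue manager
# resolves its security switches from the switch profiles that exist in
# MQADMIN/MXADMIN. 'defined' is a constructed set of profile names; the
# ssid (MQ01) and qsg (QSG1) names used below are assumptions.

def lookup(defined, ssid, qsg, switch, use_ssid=True, use_qsg=True):
    """Return True if checking for one switch (e.g. 'QUEUE.CHECKS') is ON.
    use_ssid/use_qsg say which high level qualifiers may be consulted."""
    no_ssid = f"{ssid}.NO.{switch}" in defined
    no_qsg = f"{qsg}.NO.{switch}" in defined
    yes_ssid = f"{ssid}.YES.{switch}" in defined
    if not use_qsg:        # local qmgr, or QMGR-only mode: ssid.NO alone decides
        return not no_ssid
    if not use_ssid:       # QSG-only mode: qsg.NO alone decides
        return not no_qsg
    if no_qsg:             # qsg.NO found: only an ssid.YES profile turns it back ON
        return yes_ssid
    return not no_ssid     # no qsg.NO profile: fall back to ssid.NO

def resolve_switches(defined, ssid, qsg, switches):
    """Subsystem switch first, then the QMGR/QSG pair, then the remaining
    switches under the QMGR/QSG rules. qsg=None means not in a QSG."""
    in_qsg = qsg is not None
    state = {"SUBSYS.SECURITY": lookup(defined, ssid, qsg, "SUBSYS.SECURITY", use_qsg=in_qsg)}
    if not state["SUBSYS.SECURITY"]:      # subsystem security OFF: nothing else is checked
        state.update({s: False for s in ("QMGR.CHECKS", "QSG.CHECKS", *switches)})
        return state
    if in_qsg:
        qmgr_on = lookup(defined, ssid, qsg, "QMGR.CHECKS")
        qsg_on = lookup(defined, ssid, qsg, "QSG.CHECKS")
        if not qmgr_on and not qsg_on:    # both OFF is not allowed: both default to ON
            qmgr_on = qsg_on = True
    else:
        qmgr_on, qsg_on = True, False     # not in a QSG: ssid profiles only
    state["QMGR.CHECKS"], state["QSG.CHECKS"] = qmgr_on, qsg_on
    for s in switches:
        state[s] = lookup(defined, ssid, qsg, s, use_ssid=qmgr_on, use_qsg=qsg_on)
    return state

def resource_hlqs(state, ssid, qsg):
    """Order in which high level qualifiers are tried for resource profiles."""
    return [h for h, on in ((ssid, state["QMGR.CHECKS"]), (qsg, state["QSG.CHECKS"])) if on]

if __name__ == "__main__":
    profiles = {"QSG1.NO.QSG.CHECKS", "MQ01.NO.NLIST.CHECKS"}   # constructed
    st = resolve_switches(profiles, "MQ01", "QSG1", ["QUEUE.CHECKS", "NLIST.CHECKS"])
    print(st, resource_hlqs(st, "MQ01", "QSG1"))
```

With the constructed profiles above, QSG checking is OFF, so the qmgr runs QMGR-only and only MQ01.* profiles are consulted for queues and namelists.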