IBM MQ Little Gem #12: CHCKLOCL(REQUIRED) on z/OS

By Morag Hughson posted Mon May 16, 2016 05:06 PM

This is part of a series of small blog posts which will cover some of the smaller, perhaps less likely to be noticed, features of IBM MQ. Read other posts in this series.

UserID and Password Checking

IBM MQ V8 introduced the concept of user id and password checking with the Connection Authentication feature. In this blog post I am going to look specifically at the CHCKLOCL attribute and how you can make use of it on z/OS with the REQUIRED setting.

On z/OS, CHCKLOCL (and CHCKCLNT) can have three values: NONE, OPTIONAL and REQUIRED. When it is set to OPTIONAL, an application that provides a user id and password in the MQCSP structure when it connects to the queue manager must provide a correct one, but it is not necessary for ALL applications to supply a user id and password.

When it is set to REQUIRED, however, all applications using the Batch adapter must supply a user id and password. CICS and IMS applications were excluded from being covered by Connection Authentication because those environments already have user id authentication features and didn't need another one.

I expect most z/OS queue managers have left their CHCKLOCL setting at OPTIONAL because most applications are already running with the user id that they want to be identified to the queue manager with, and that user id was authenticated when it logged onto TSO. However there are some cases where you might want to use the Connection Authentication feature for local applications on z/OS. One that comes to mind is the use of the WebSphere Application Server (WAS) running natively on z/OS - and thus the JMS applications running within it are making local connections to the queue manager. In this case it would be very useful for a JMS application to provide a user id and password when it connects, have the queue manager authenticate them, and then have that user id, rather than the WAS region user id, used for authorization.

The question is, how do you make sure ALL of these JMS applications send a user id and password? Well the answer to that is to set CHCKLOCL(REQUIRED).

Then the question becomes, how do you make sure ALL of these JMS applications send a user id and password WITHOUT affecting all my other locally bound MQ applications that don't want to send a user id and password?

Well that's what this post is about.

First a little background. If you have connection security switched on (issue a DISPLAY SECURITY command to see) then local batch applications that want to connect to the queue manager first go through a check in the External Security Manager, e.g. RACF, ACF2, or TopSecret, to see if they have at least READ access to the qmgr.BATCH profile in the MQCONN class.

CSQH030I MQG1 Security switches ...
CSQH034I MQG1 SUBSYSTEM: ON, 'MQG1.NO.SUBSYS.SECURITY' not found
CSQH034I MQG1 CONNECTION: ON, 'MQG1.NO.CONNECT.CHECKS' not found
CSQH034I MQG1 COMMAND: ON, 'MQG1.NO.COMMAND.CHECKS' not found
CSQH031I MQG1 CONTEXT: OFF, 'MQG1.NO.CONTEXT.CHECKS' found

Well, if such an application has UPDATE access to the qmgr.BATCH profile then it is deemed to not require a password even if CHCKLOCL(REQUIRED) is set.

So, to answer the question above, to make sure all your local applications which aren't running inside WAS don't need to supply a password, make sure you have connection security turned on and grant those user ids not just READ access to the qmgr.BATCH profile but UPDATE access. Then once that is done, you can change over with these commands:

ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKLOCL(REQUIRED)
REFRESH SECURITY TYPE(CONNAUTH)

and then your WAS region user id, which hasn't been granted the higher access to the qmgr.BATCH profile, will have CHCKLOCL(REQUIRED) applied to its connections, and those connections will be required to provide a user id and password.
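As an added example (not from the original post), here is the whole procedure as a single batch job: the RACF step gives the non-WAS batch user ids UPDATE access to the qmgr.BATCH profile in the MQCONN class and the WAS region user id only READ, then lists the resulting access so it can be reviewed before the switch; the CSQUTIL step issues the MQSC commands from the post and displays the setting before and after. The job card, the RACF group BATCHGRP, the WAS region user id WASREG, the library high-level qualifier thlqual and the ddnames are assumptions; MQG1 is taken from the DISPLAY SECURITY output above. Substitute your own names.

```jcl
//CONNAUTH JOB (ACCT),'CHCKLOCL REQUIRED',CLASS=A,MSGCLASS=X
//* Added example, not from the original post. Assumed names:
//*   MQG1     queue manager (subsystem id)
//*   BATCHGRP RACF group holding the locally bound batch user ids
//*   WASREG   WAS region user id (must NOT get UPDATE)
//*   thlqual  MQ target library high-level qualifier
//*
//* Step 1: ESM (RACF) access to the connection profile. Connection
//* security must already be ON (DISPLAY SECURITY shows CONNECTION: ON).
//* If MQG1.BATCH already exists, drop the RDEFINE and keep the PERMITs.
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE MQCONN MQG1.BATCH UACC(NONE)
  PERMIT  MQG1.BATCH CLASS(MQCONN) ID(BATCHGRP) ACCESS(UPDATE)
  PERMIT  MQG1.BATCH CLASS(MQCONN) ID(WASREG)   ACCESS(READ)
  SETROPTS RACLIST(MQCONN) REFRESH
  RLIST   MQCONN MQG1.BATCH AUTHUSER
/*
//* Step 2: MQSC through CSQUTIL. DISPLAY before and after the change so
//* the job output records the switch to REQUIRED.
//MQSC     EXEC PGM=CSQUTIL,PARM='MQG1'
//STEPLIB  DD DISP=SHR,DSN=thlqual.SCSQANLE
//         DD DISP=SHR,DSN=thlqual.SCSQAUTH
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
 COMMAND DDNAME(CMDINP)
/*
//CMDINP   DD *
 DISPLAY SECURITY
 DISPLAY QMGR CONNAUTH
 DISPLAY AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) CHCKLOCL
 ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) +
       CHCKLOCL(REQUIRED)
 REFRESH SECURITY TYPE(CONNAUTH)
 DISPLAY AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) CHCKLOCL
/*
```

Because UPDATE access on qmgr.BATCH is exactly what exempts a user id from the password check, the access list printed by RLIST is, in effect, the list of locally bound ids that will never be asked for a password; review it with that in mind, and make sure the WAS region user id does not appear in it with UPDATE (directly or through a group) before issuing the ALTER.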

Read about this in Knowledge Center at Connection security profiles for batch connections > Using CHCKLOCL on locally bound applications.


Morag Hughson is an MQ expert. She spent 18 years in the MQ Devt organisation before taking on her current job writing MQ Technical education courses with MQGem. She also blogs for MQGem. You can connect with her here on IMWUC or on Twitter and LinkedIn.
