General
If RACF security is active for WebSphere MQ, complete the steps below that apply to the RACF MQ classes that are active.
- If the MQCONN class is active:
The Ironstream agent user must have access to the mqssid.BATCH profile (where mqssid is the MQ subsystem name):
PERMIT mqssid.BATCH CLASS(MQCONN) ID(agent-user) ACCESS(READ)
- If the MQQUEUE class is active for WebSphere MQ:
The agent user must have update access to the SYSTEM.COMMAND.REPLY.MODEL queue and the command input queue, for example:
PERMIT mqssid.SYSTEM.COMMAND.REPLY.MODEL CLASS(MQQUEUE) ID(agent-user) ACCESS(UPDATE)
PERMIT mqssid.SYSTEM.COMMAND.INPUT CLASS(MQQUEUE) ID(agent-user) ACCESS(UPDATE)
A profile for the Ironstream command reply queue must be created, and the agent user must be given ALTER access so that it can create and delete this queue. For example:
RDEFINE MQQUEUE mqssid.EVIEW.COMMAND.REPLY.Q UACC(NONE)
PERMIT mqssid.EVIEW.COMMAND.REPLY.Q CLASS(MQQUEUE) ID(agent-user) ACCESS(ALTER)
- If the MQCMDS class is active:
The agent user must be given access to these MQ display commands:
PERMIT mqssid.DISPLAY.SYSTEM CLASS(MQCMDS) ID(agent-user) ACCESS(READ)
PERMIT mqssid.DISPLAY.GROUP CLASS(MQCMDS) ID(agent-user) ACCESS(READ)
PERMIT mqssid.DISPLAY.QUEUE CLASS(MQCMDS) ID(agent-user) ACCESS(READ)
PERMIT mqssid.DISPLAY.QMGR CLASS(MQCMDS) ID(agent-user) ACCESS(READ)
PERMIT mqssid.DISPLAY.CHANNEL CLASS(MQCMDS) ID(agent-user) ACCESS(READ)
PERMIT mqssid.DISPLAY.CHINIT CLASS(MQCMDS) ID(agent-user) ACCESS(READ)
The Ironstream discovery agent JCL must be updated to include the MQ SCSQAUTH dataset in the STEPLIB concatenation. While it is typical in some environments to create unique SCSQAUTH datasets to hold different startup parameter members (CSQZPARM), the only required dataset for the agent STEPLIB is the IBM-supplied SCSQAUTH dataset. SCSQAUTH datasets that contain only parameter members are not required in the STEPLIB.
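A least-privilege check over the grants listed above, as an added example that is not part of the original page or of Ironstream: it parses PERMIT commands for the agent user and reports documented grants that are missing or too low, access levels higher than documented, and profiles this page does not list. The subsystem name MQ01, the user IRONAGT and the sample commands are constructed values.

```python
import re

# RACF access levels, lowest to highest.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
# Grants this page documents for the agent user: (class, profile suffix) -> level.
REQUIRED = {
    ("MQCONN", "BATCH"): "READ",
    ("MQQUEUE", "SYSTEM.COMMAND.REPLY.MODEL"): "UPDATE",
    ("MQQUEUE", "SYSTEM.COMMAND.INPUT"): "UPDATE",
    ("MQQUEUE", "EVIEW.COMMAND.REPLY.Q"): "ALTER",
    **{("MQCMDS", "DISPLAY." + c): "READ" for c in
       ("SYSTEM", "GROUP", "QUEUE", "QMGR", "CHANNEL", "CHINIT")},
}
PERMIT_RE = re.compile(
    r"^\s*PERMIT\s+(\S+)\s+CLASS\((\w+)\)\s+ID\(([^)]+)\)\s+ACCESS\((%s)\)\s*$"
    % "|".join(LEVELS), re.IGNORECASE)
# Constructed sample: subsystem MQ01 and user IRONAGT are made-up values.
SAMPLE = [
    "PERMIT MQ01.BATCH CLASS(MQCONN) ID(IRONAGT) ACCESS(READ)",
    "PERMIT MQ01.SYSTEM.COMMAND.INPUT CLASS(MQQUEUE) ID(IRONAGT) ACCESS(ALTER)",
    "PERMIT MQ01.SYSTEM.COMMAND.REPLY.MODEL CLASS(MQQUEUE) ID(IRONAGT) ACCESS(UPDATE)",
    "PERMIT MQ01.PAYROLL.QUEUE CLASS(MQQUEUE) ID(IRONAGT) ACCESS(READ)",
]

def audit(commands, ssid, user, active_classes):
    """Compare PERMIT commands for `user` with the documented grants.
    Returns sorted (finding, class, profile) tuples; finding is one of
    MISSING, TOO_LOW, EXCESSIVE or UNDOCUMENTED."""
    granted = {}
    for line in commands:
        m = PERMIT_RE.match(line)
        if not m or m.group(3).upper() != user.upper():
            continue  # not a PERMIT for the agent user
        granted[(m.group(2).upper(), m.group(1).upper())] = m.group(4).upper()
    findings, prefix = [], ssid.upper() + "."
    for (cls, suffix), need in REQUIRED.items():
        have = granted.pop((cls, prefix + suffix), None)
        if cls not in active_classes:
            continue  # class inactive: this grant is not needed
        if have is None:
            findings.append(("MISSING", cls, prefix + suffix))
        elif LEVELS.index(have) < LEVELS.index(need):
            findings.append(("TOO_LOW", cls, prefix + suffix))
        elif LEVELS.index(have) > LEVELS.index(need):
            findings.append(("EXCESSIVE", cls, prefix + suffix))
    # Whatever is left was granted to the agent user but is not listed on this page.
    findings += [("UNDOCUMENTED", cls, prof) for (cls, prof) in granted]
    return sorted(findings)
```

Calling `audit(SAMPLE, "MQ01", "IRONAGT", {"MQCONN", "MQQUEUE"})` flags the ALTER grant on the command input queue, the missing reply-queue profile, and the unrelated PAYROLL queue grant.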