MQ

  • 1.  The MQ AMS started task userid on z/OS

    Posted Wed July 26, 2023 02:16 AM

    Hi All, 

    We have MQ AMS Interception implemented on queues in our MQ for z/OS v9.3.

    It is working a treat - I just want to understand as much as I can about how it works. I found an awesome paper by T-Rob which has helped me immensely, to the point where I just have one question left... (for now.... :>)  )

    It is a requirement that the AMS started task userid has profiles defined in our RACF SURROGAT class - the manual states this:

    "The Advanced Message Security task temporarily assumes the identity of the host user ID of the requestor during protection processing of IBM® MQ messages."

    I am just wondering exactly what the processing is that is done whilst the identity of the AMS user is assumed...?

    Thanks,

    Rebecca.   



    ------------------------------
    Rebecca Mayer
    ------------------------------


  • 2.  RE: The MQ AMS started task userid on z/OS

    Posted Thu July 27, 2023 03:40 AM

    Hi Rebecca,

    My knowledge is a bit rusty, but this may give you a clue.

    For AMS to encrypt for you it needs access to your private key. It can get access in several ways:
    - explicitly give the AMS userid permission to use it. Consider if someone joins your department: then you need to give the AMS userid access to the joinee. This is a lot of admin for 10,000 joinees.
    - AMS can "become" your userid via a surrogate. In order to do this it needs the SURROGATE permission. This is a simple Admin command.

    Colin