Refreshing queue manager security on z/OS
IBM® MQ for z/OS® caches RACF® data to improve performance. When you change certain security classes, you must refresh this cached information. Refresh security infrequently, for performance reasons. You can also choose to refresh only SSL security information. To refresh the cached information, issue the following commands:
- The RACF SETROPTS RACLIST(classname) REFRESH command to refresh at the RACF level.
- The IBM MQ REFRESH SECURITY command to refresh the security information held by the queue manager. This command must be issued on each queue manager that accesses the profiles that have changed. If you have a queue-sharing group, you can use the command scope attribute to direct the command to all the queue managers in the group.
If you are using generic profiles in any of the IBM MQ classes, you must also issue normal RACF refresh commands if you change, add, or delete any generic profiles. For example, SETROPTS GENERIC(classname) REFRESH.
However, if a RACF resource profile is added, changed or deleted, and the resource to which it applies has not yet been accessed (so no information is cached), IBM MQ uses the new RACF information without a REFRESH SECURITY command being issued.
For example, if you issue the command

```
RLIST MQQUEUE (qmgr.SYSTEM.COMMAND.INPUT) GEN
```

and receive the results

```
CLASS    NAME
-----    ----
MQQUEUE  QP*.SYSTEM.COMMAND.*.** (G)

AUDITING
--------
FAILURES(READ)
```

this indicates that auditing is set on. For more information, refer to the z/OS Security Server RACF Auditor's Guide and the z/OS Security Server RACF Command Language Reference.
- REFRESH SECURITY(*)
- REFRESH SECURITY(MQADMIN)
- REFRESH SECURITY(MXADMIN)
For performance reasons, these are the only classes affected by the REFRESH SECURITY command. You do not need to use REFRESH SECURITY if you change a profile in either the MQCONN or MQCMDS classes.
For performance reasons, use REFRESH SECURITY as infrequently as possible, ideally at off-peak times. You can minimize the number of security refreshes by connecting users to RACF groups that are already in the access lists for IBM MQ profiles, rather than putting individual users in the access lists. In this way, you change the user rather than the resource profile. You can also issue RVERIFY SECURITY for the appropriate user instead of refreshing security.
For example, the following sequence defines a generic MQQUEUE profile, gives the LIFEGRP group update access to it, refreshes the RACLISTed and generic profiles in RACF, and then refreshes the security information cached by the queue manager:

```
RDEFINE MQQUEUE PRMQ.INSURANCE.LIFE.** UACC(NONE)
PERMIT PRMQ.INSURANCE.LIFE.** CLASS(MQQUEUE) ID(LIFEGRP) ACCESS(UPDATE)
SETROPTS RACLIST(MQQUEUE) REFRESH
SETROPTS GENERIC(MQQUEUE) REFRESH
REFRESH SECURITY(MQQUEUE)
```
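As an added example that is not IBM's code or part of this page, the following Python script applies the refresh rules described above to a batch of RACF commands and produces the RACF and MQSC refresh commands they require. The MQCONN/MQCMDS exception and the RVERIFY SECURITY alternative come from the page; the sample input is constructed, and CMDSCOPE(*) is assumed to be the command scope attribute mentioned for queue-sharing groups.

```python
import re

# Changes in MQCONN and MQCMDS need only the RACF-level refresh (page rule).
NO_MQ_REFRESH = {"MQCONN", "MQCMDS"}
RESOURCE_CMD = re.compile(r"^(RDEFINE|RALTER|RDELETE)\s+(\S+)\s+(\S+)", re.I)
PERMIT_CMD = re.compile(r"^PERMIT\s+(\S+)\s+.*CLASS\((\S+)\)", re.I)
USER_CMD = re.compile(r"^(CONNECT|REMOVE)\s+(\S+)\s+GROUP\(", re.I)

def is_generic(profile):
    """RACF generic profiles contain *, ** or % (RLIST marks them with (G))."""
    return any(ch in profile for ch in "*%")

def refresh_commands(racf_cmds, qsg=False):
    """Return the RACF and MQSC refresh commands a batch of RACF changes needs.
    qsg=True adds CMDSCOPE(*) so the MQSC commands reach the whole group."""
    racf, mq_classes, users = [], [], []
    for line in racf_cmds:
        line = line.strip()
        if m := RESOURCE_CMD.match(line):
            cls, profile = m.group(2).upper(), m.group(3)
        elif m := PERMIT_CMD.match(line):
            profile, cls = m.group(1), m.group(2).upper()
        elif m := USER_CMD.match(line):
            # Group membership changed, not a profile: RVERIFY the user instead.
            users.append(m.group(2).upper())
            continue
        else:
            continue  # not a command that affects MQ's cached RACF data
        racf.append(f"SETROPTS RACLIST({cls}) REFRESH")
        if is_generic(profile):
            racf.append(f"SETROPTS GENERIC({cls}) REFRESH")
        if cls not in NO_MQ_REFRESH:
            mq_classes.append(cls)
    scope = " CMDSCOPE(*)" if qsg else ""
    out = list(dict.fromkeys(racf))  # RACF first, deduplicated, original order
    out += [f"REFRESH SECURITY({c}){scope}" for c in dict.fromkeys(mq_classes)]
    out += [f"RVERIFY SECURITY({u}){scope}" for u in dict.fromkeys(users)]
    return out

# Constructed sample: the page's LIFE profile plus an MQCMDS and a CONNECT change.
SAMPLE = [
    "RDEFINE MQQUEUE PRMQ.INSURANCE.LIFE.** UACC(NONE)",
    "PERMIT PRMQ.INSURANCE.LIFE.** CLASS(MQQUEUE) ID(LIFEGRP) ACCESS(UPDATE)",
    "RDEFINE MQCMDS PRMQ.DISPLAY.QUEUE UACC(READ)",
    "CONNECT NEWUSER GROUP(LIFEGRP)",
]

if __name__ == "__main__":
    print("\n".join(refresh_commands(SAMPLE, qsg=True)))
```

Running it prints the three commands from the page's example for the MQQUEUE change, only a RACLIST refresh for the MQCMDS change, and an RVERIFY SECURITY for the user whose group membership changed.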