Authorization checks on queues

HCL OneTest™ API WebSphere® MQ exit on z/OS can perform authorization checks on the queues whose messages are being duplicated or diverted.

While Security settings for MQ exit resources on z/OS lists permissions required to access the various namelists and queues used by HCL OneTest™ API, you must also consider if you want the HCL OneTest™ API WebSphere MQ exit on z/OS to perform authorization checks on the queues whose messages are being duplicated or diverted.

If you have disabled security for your queue manager at the subsystem or queue level, the exit detects this, and skips authorization checking when duplicating or diverting messages.

If subsystem and queue level security are active, the WebSphere MQ exit on z/OS verifies that the user id associated with HCL OneTest™ API has authority to access the appropriate queues before duplicating or diverting messages.

If subsystem and queue level security are active, but you have set RESLEVEL access and the channel PUTAUT parameter so that queue access authority is not checked for the HCL OneTest™ API connection to the queue manager, you must also disable the WebSphere MQ exit on z/OS access checking by specifying the AUTHCHK(NO) parameter on the PARM statement within your HCL OneTest API Agent JCL. For more information on RESLEVEL and other related WebSphere MQ parameters, see the IBM® WebSphere MQ documentation.

The exit calls RACROUTE to verify access to queues that are being recorded or stubbed. If you use security software other than the z/OS Security Server (also known as RACF), you might need to configure your security software to process RACROUTE calls.

Beginning with release 9.5, the WebSphere MQ exit for z/OS only allows users with READ access to the queue COM.GREENHAT.ALLOW.GENERIC.QNAMES to record a transport or to perform mirror queue or dynamic mirror queue recording on operations whose Queue or Reply Queue fields contain wild card values.

Feedback