Having struggled to get MQ Context working on mid range MQ, I thought I would try the same on z/OS.
If you want to allow applications to set Putdate, Puttime, PutApplName etc., the application needs access to MQ Context. MQ MCA channels use this when putting a message from a remote queue manager, to keep the original values.
Which profiles are used?
You can disable context checking by defining a profile ‘qmgr.NO.CONTEXT.CHECKS’. If you want to enable context checking, remove this profile if it exists.
You can display it using
RLIST MQADMIN CSQ9.NO.CONTEXT.CHECKS
You configure queue context using the profile qmgr.context.queue
RLIST MQADMIN CSQ9.CONTEXT.CP0000 all
CLASS      NAME
-----      ----
MQADMIN    CSQ9.CONTEXT.** (G)
...
LEVEL  OWNER     UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------  ----------------  -----------  -------
 00    IBMUSER        NONE            ALTER       NO
...
USER      ACCESS
----      ------
IBMUSER   ALTER
This says that for the queue CP0000, display the profile that protects the resource CSQ9.CONTEXT.CP0000. It returned:
- MQADMIN CSQ9.CONTEXT.**: this is the profile used.
- IBMUSER ALTER: the only user authorised to this resource, with ALTER access, is IBMUSER.
- The default access is NONE.
When a userid tried to open the queue – with set context options, the open got return code 2035 and a message on the console.
ICH408I USER(COLIN ) GROUP(SYS1 ) NAME(COLIN PAICE )
CSQ9.CONTEXT.CP0000 CL(MQADMIN )
INSUFFICIENT ACCESS AUTHORITY
FROM CSQ9.CONTEXT.** (G)
ACCESS INTENT(CONTROL) ACCESS ALLOWED(NONE )
This shows the resource checked was CSQ9.CONTEXT.CP0000. The RACF profile used was CSQ9.CONTEXT.**. The userid had NONE access, and wanted CONTROL access.
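The following Python is an added example, not code from the original post: it parses ICH408I text in the layout shown above and extracts the resource, the profile that protected it, and the access requested versus the access allowed. It assumes the message text has already been pulled out of the console log with no line prefixes; the function names are illustrative.

```python
import re

# The ICH408I text as shown in the post above.
SAMPLE = """\
ICH408I USER(COLIN ) GROUP(SYS1 ) NAME(COLIN PAICE )
CSQ9.CONTEXT.CP0000 CL(MQADMIN )
INSUFFICIENT ACCESS AUTHORITY
FROM CSQ9.CONTEXT.** (G)
ACCESS INTENT(CONTROL) ACCESS ALLOWED(NONE )
"""

# RACF access levels, lowest to highest.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

FIELDS = {
    "user": r"USER\(\s*([^)]*?)\s*\)",
    "group": r"GROUP\(\s*([^)]*?)\s*\)",
    "resource": r"^\s*(\S+)\s+CL\(",      # resource name precedes CL(class)
    "class": r"CL\(\s*([^)]*?)\s*\)",
    "profile": r"^\s*FROM\s+(\S+)",       # profile RACF actually used
    "intent": r"ACCESS INTENT\(\s*([^)]*?)\s*\)",
    "allowed": r"ACCESS ALLOWED\(\s*([^)]*?)\s*\)",
}

def parse_ich408i(text):
    """Return one dict per ICH408I message found in text."""
    records = []
    # Each message starts at the ICH408I identifier; continuation lines follow.
    for chunk in re.split(r"(?=ICH408I)", text):
        if not chunk.startswith("ICH408I"):
            continue
        rec = {}
        for name, pattern in FIELDS.items():
            m = re.search(pattern, chunk, re.MULTILINE)
            rec[name] = m.group(1) if m else None
        records.append(rec)
    return records

def shortfall(rec):
    """True when the access requested is higher than the access allowed."""
    if rec["intent"] not in LEVELS or rec["allowed"] not in LEVELS:
        return False  # other ICH408I variants carry no access levels
    return LEVELS.index(rec["intent"]) > LEVELS.index(rec["allowed"])

def context_denials(text, qmgr):
    """Denials against qmgr.CONTEXT.* resources in class MQADMIN."""
    prefix = qmgr + ".CONTEXT."
    return [r for r in parse_ich408i(text)
            if r["class"] == "MQADMIN" and (r["resource"] or "").startswith(prefix)]
```

Comparing the `resource` and `profile` fields across many denials shows which generic profile is actually being picked for each queue.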
You could define a more specific profile, for example CSQ9.CONTEXT.CP*, and that would be used in preference to the CSQ9.CONTEXT.** profile.
The z/OS documentation Determining RACF protection says:
Although multiple generic profiles can match a general resource name, only the most specific profile actually protects it. For example, AB.CD, AB.CD.* and AB.**.CD all match the general resource name AB.CD, but AB.CD.* protects the resource.
With Midrange MQ on Unix, the permission is taken from all of the groups the userid is in: if one of the userid’s groups has get authority, the userid has get authority. With z/OS just one profile is used.
Changing a profile – don’t forget to refresh.
When changing a profile you need to remember to refresh the RACF in memory profiles, and tell MQ to pick up the changes.
I changed a profile
ralter MQADMIN CSQ9.CONTEXT.** UACC(CONTROL)
Refreshed the RACF in-memory profiles
setropts racflist(MQADMIN) refresh
And told MQ to refresh its profiles
%csq9 refresh security