Security for IBM MQ in Multi-platform Environments

This course describes and explains what is required to ensure WebSphere MQ security in a multi-platform environment. It will also teach the techniques used to implement that security. The course is taught combining formal classroom tuition with challenging practical exercises.


On successful completion of this course you will be able to:

  • define and explain concepts such as data integrity, authentication, encryption, decryption and non-repudiation.
  • explain the Secure Socket Layer
  • implement SSL in IBM MQ
  • describe the main issues relating toIBM MQ client security
  • create specific & generic profiles
  • Secure objects using the Object Authority Manager
  • describe context security
  • carry out error diagnosis
  • describe the use of IBM MQ with RACF in a z/OS environment.

Who Should Attend

The course is suitable for both Systems Architects and WebSphere MQ Administrators.


Experience as an MQ Administrator is essential, as is a sound understanding of the relevant execution platforms. Additionally, for attendees coming from a z/OS environment, an understanding of RACF is desireable.


2 days

Fee (per attendee)


Course Code




Websphere MQ Components; MQ Explorer; Security Issues; Access Control; Data Security; Channel Security; Audit.

Logon Security

Logon Process; Security Identifiers; Access Token; Network authentication; i/Series; AIX; System z; Firewalls.

WebSphere MQ Administration

Local and Remote Administration ; Authority to administer Websphere MQ; Principal introduction; Security Identifiers; Principal permissions; Establishing the principal.


Group definition; MQ administration under Windows; Managing the MQM Group.


Specific Profiles; Generic Profiles; Wildcards Used In Generic Profiles.

Authorisation Service

Using MQ Explorer; Granting authority at the Queue Manager level; Manage the Create authority; Manage the Create authority user; Manage the Create authority Group; Find authorities accumulated; Granting authority on a specific object.

The Object Authority Manager

Authorization Service Interface; Access Control List; Viewing the Authorities ; Principal; Permissions; Establishing the Principal; Groups; Windows Security Identifiers (SIDS); Alternate User ID; When security checks are made; MCAUSER; Commands; Giving Privileges; Authorization Account; Authorization Principal; Authorization Group; Entities; Command Syntax; DSPMQAUT; DMPMQAUT; SETMQAUT; Overlapping Profiles; Debugging Authorization Problems; Using Websphere MQ Explorer as a read only viewer. .

The Stages of PFC

System.Admin.Command.Queue ; System.Default.Modelqueue.

System z

Types of MQ resources; How is security achieved?; Who can administer security?; How is it granted?; General Resource Profile; REDEFINE; Creating a General Resource Profile; RALTER changing a Profile; RDELETE deleting a Profile; Search listing Profiles in a Class; Websphere MQ resources and the RACF classes that protect them; ALTER changing a Profile; SYSCASE; Giving permission to a Profile; Comparison SETMQAUT and RACF Classes; Controlling connections to the Queue Manager; Channel Security; Functional differences between OAM and RACF.


Context Authority

Message Context; Identity Context; Fields; User Identifier; Accounting Token; Application Identity Data; Origin Context; Origin Context Fields; Context Programming; Passing Identity Context.

Message Channel Exits

Channel Initiator; Defining channels' parameters; Channel Security; PUTAUT Parameter; PUTAUT=CTX; PUTAUT=CTX Example; MCAUSER; Message Channel Agents User Exits; Types of User Exits; MQEXPLORER User Exits; Security Exits overview; MQ Channel Definition.

Secure Socket Layer

SSL types of security breaches; Overcoming security breaches; SSL Handshake; Key Repository; Obtaining a Certificate; Setting up Channels for SSL; Distinguished names.


Security between Websphere MQ Queue Managers; The case for using MQ Clusters; Securing MQ Clusters; Repository; SSLPEER.

Good Security Practices

Naming conventions; Assign rights; OAM; Delete default items; Protect Command Server Queues; Do not place everyone into the MQM Group; Change the CMDUSER on z/OS; Alias the DLQ; Altuser ID; Blank User Ids; Environment variables; Generic Profiles; ISPF panel access; LU6.2; Flowed User ID; Use aliases; Chinit User Ids.

Role-Based Authorities

Message Broker Security

Authorization for configuration tasks; MBRKRS; Granting permissions; SVRCONN; User Exits; Tunneling; HTTP tunneling; Connect via proxy; SSl authentication.

© RSM Technology 2019