Considerations for IBM MQ on z/OS
Security on z/OS
APF-authorization
MainView Middleware Monitor (TMTM) includes features that require APF authorization. These include discovering the queue managers available on the system, activating SMF monitoring by the TMTM Monitoring Extension for IBM MQ, and performing MQ actions via the TMTM Configuration Extension for IBM MQ. MQ actions may be performed using the Perl automation scripts or the mqtool CLI.
TMTM does not function correctly without proper APF authorization, so the load library must be APF-authorized.
TMTM checks whether its load library is APF-authorized. If it is not, TMTM issues an informational message stating that the TMTM Extensible Agent or the TMTM Monitoring Extension for IBM MQ is not authorized.
External security
This section applies to installations with an external security manager (for example, RACF or ACF2) that have the security class active for IBM MQ. This section discusses security in RACF terms, so some of the details might be different for other security managers.
The agent and extensions run as started tasks or as z/OS batch applications. They connect to IBM MQ objects and issue IBM MQ commands. As such, the agent and extensions require certain authorization in the security manager.
When implementing security, remember that a set of profiles is required for each queue manager to which TMTM and the TMTM Monitoring Extension for IBM MQ connect. It is also possible to implement a different security strategy for each queue manager. In the following explanation, replace ssid with the subsystem names of your queue managers.
If you are not using one of the preferred profiles listed below, any change to the agent environment, such as adding a new queue to be monitored, might require a change to the security profiles.
If a more granular level of security checking is required, the agent and extension must be given access to several profiles. The exact setup depends upon the level of security checking in place. For more details on IBM MQ security, refer to IBM MQ for MVS/ESA System Management documentation.
- Connection security
- API security profiles
- Command resource security profiles
- Command security profiles
- Queue security profiles
Connection security
This profile is required if connection security is active.
Connection Security Profiles - RACF Class: MQADMIN
Preferred profile | Alternative profile | Access required |
---|---|---|
ssid.BATCH | | READ |
API security profiles
This profile must be defined if context security is active. It is required so that the command server can open the reply-to queues on behalf of the TMTM Extensible Agent and extension.
API Security Profiles - RACF Class: MQADMIN
Preferred profile | Alternative profile | Access required |
---|---|---|
ssid.CONTEXT | | CONTROL |
Command resource security profiles
These profiles are required if command resource security is active. If the preferred profiles are used, it is also recommended that a UACC of NONE is specified on these profiles.
Command Resource Security Profiles - RACF Class: MQADMIN
Preferred profile | Alternative profile | Access required |
---|---|---|
ssid.CHANNEL.** | ssid.CHANNEL.xxxx.** | ALTER |
ssid.PROCESS.** | ssid.PROCESS.xxxx.** | ALTER |
ssid.QUEUE.** | ssid.QUEUE.xxxx.** | ALTER |
Command security profiles
These profiles are required if command security is active. If the preferred profiles are used, it is also recommended that a UACC of NONE is specified on these profiles.
Command security profiles - RACF Class: MQCMDS
Preferred profile | Alternative profile | Access required |
---|---|---|
ssid.ALTER.** | ssid.ALTER.CHANNEL.xxxx.** | ALTER |
| ssid.ALTER.PROCESS.xxxx.** | ALTER |
| ssid.ALTER.QALIAS.xxxx.** | ALTER |
| ssid.ALTER.QLOCAL.xxxx.** | ALTER |
| ssid.ALTER.QMGR | ALTER |
| ssid.ALTER.QMODEL.xxxx.** | ALTER |
| ssid.ALTER.QREMOTE.xxxx.** | ALTER |
ssid.DEFINE.** | ssid.DEFINE.CHANNEL.xxxx.** | ALTER |
| ssid.DEFINE.PROCESS.xxxx.** | ALTER |
| ssid.DEFINE.QALIAS.xxxx.** | ALTER |
| ssid.DEFINE.QLOCAL.xxxx.** | ALTER |
| ssid.DEFINE.QMODEL.xxxx.** | ALTER |
| ssid.DEFINE.QREMOTE.xxxx.** | ALTER |
ssid.DISPLAY.** | ssid.DISPLAY.CHANNEL.xxxx.** | READ |
| ssid.DISPLAY.CHSTATUS.xxxx.** | READ |
| ssid.DISPLAY.PROCESS.xxxx.** | READ |
| ssid.DISPLAY.QALIAS.xxxx.** | READ |
| ssid.DISPLAY.QLOCAL.xxxx.** | READ |
| ssid.DISPLAY.QMODEL.xxxx.** | READ |
| ssid.DISPLAY.QREMOTE.xxxx.** | READ |
ssid.DELETE.** | ssid.DELETE.CHANNEL.xxxx.** | ALTER |
| ssid.DELETE.PROCESS.xxxx.** | ALTER |
| ssid.DELETE.QALIAS.xxxx.** | ALTER |
| ssid.DELETE.QLOCAL.xxxx.** | ALTER |
| ssid.DELETE.QMODEL.xxxx.** | ALTER |
| ssid.DELETE.QREMOTE.xxxx.** | ALTER |
ssid.PING.** | ssid.PING.CHANNEL | CONTROL |
ssid.RESET.** | ssid.RESET.CHANNEL | CONTROL |
ssid.RESOLVE.** | ssid.RESOLVE.CHANNEL | CONTROL |
| ssid.RESOLVE.INDOUBT | CONTROL |
ssid.START.** | ssid.START.CHANNEL | CONTROL |
ssid.STOP.** | ssid.STOP.CHANNEL | CONTROL |
| ssid.STOP.CHINIT | CONTROL |
Queue security profiles
These profiles are required if queue security is active. The queues beginning with ssid.QPASA are dynamic queues created by the TMTM Extensible Agent and extension. If the preferred profiles are used, it is also recommended that a UACC of NONE is specified on these profiles.
Queue Security Profiles - RACF Class: MQQUEUE
Preferred profile | Alternative profile | Access required |
---|---|---|
ssid.** | ssid.SYSTEM.COMMAND.INPUT | UPDATE |
| ssid.COMMAND.REPLY.MODEL | UPDATE |
| ssid.QPASA.** | UPDATE |
| ssid.xxxx.** | UPDATE |
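The RACF definitions for the preferred profiles in the five tables above, collected into one CLIST as an added example (not from the BMC documentation). CSQ1 stands for the queue manager ssid and TMTMAGNT for the agent's started-task user ID; both are constructed placeholders. The preferred generics are broad by design (so that adding a monitored queue needs no profile change); the alternative profiles in the tables are the narrower, least-privilege option.

```clist
/* Constructed example: CSQ1 = queue manager ssid, TMTMAGNT = agent   */
/* started-task user ID. Replace both with your own values.           */
/* Generic profiles (the ** suffix) need generics enabled per class.  */
SETROPTS GENERIC(MQADMIN MQCMDS MQQUEUE)
/* Connection security (MQADMIN): READ on ssid.BATCH                  */
RDEFINE MQADMIN CSQ1.BATCH UACC(NONE)
PERMIT CSQ1.BATCH CLASS(MQADMIN) ID(TMTMAGNT) ACCESS(READ)
/* Context security (MQADMIN): CONTROL on ssid.CONTEXT                */
RDEFINE MQADMIN CSQ1.CONTEXT UACC(NONE)
PERMIT CSQ1.CONTEXT CLASS(MQADMIN) ID(TMTMAGNT) ACCESS(CONTROL)
/* Command resource security (MQADMIN): ALTER on the preferred generics */
RDEFINE MQADMIN CSQ1.CHANNEL.** UACC(NONE)
PERMIT CSQ1.CHANNEL.** CLASS(MQADMIN) ID(TMTMAGNT) ACCESS(ALTER)
RDEFINE MQADMIN CSQ1.PROCESS.** UACC(NONE)
PERMIT CSQ1.PROCESS.** CLASS(MQADMIN) ID(TMTMAGNT) ACCESS(ALTER)
RDEFINE MQADMIN CSQ1.QUEUE.** UACC(NONE)
PERMIT CSQ1.QUEUE.** CLASS(MQADMIN) ID(TMTMAGNT) ACCESS(ALTER)
/* Command security (MQCMDS): ALTER, READ or CONTROL per command verb */
RDEFINE MQCMDS CSQ1.ALTER.** UACC(NONE)
PERMIT CSQ1.ALTER.** CLASS(MQCMDS) ID(TMTMAGNT) ACCESS(ALTER)
RDEFINE MQCMDS CSQ1.DEFINE.** UACC(NONE)
PERMIT CSQ1.DEFINE.** CLASS(MQCMDS) ID(TMTMAGNT) ACCESS(ALTER)
RDEFINE MQCMDS CSQ1.DELETE.** UACC(NONE)
PERMIT CSQ1.DELETE.** CLASS(MQCMDS) ID(TMTMAGNT) ACCESS(ALTER)
RDEFINE MQCMDS CSQ1.DISPLAY.** UACC(NONE)
PERMIT CSQ1.DISPLAY.** CLASS(MQCMDS) ID(TMTMAGNT) ACCESS(READ)
RDEFINE MQCMDS CSQ1.PING.** UACC(NONE)
PERMIT CSQ1.PING.** CLASS(MQCMDS) ID(TMTMAGNT) ACCESS(CONTROL)
RDEFINE MQCMDS CSQ1.RESET.** UACC(NONE)
PERMIT CSQ1.RESET.** CLASS(MQCMDS) ID(TMTMAGNT) ACCESS(CONTROL)
RDEFINE MQCMDS CSQ1.RESOLVE.** UACC(NONE)
PERMIT CSQ1.RESOLVE.** CLASS(MQCMDS) ID(TMTMAGNT) ACCESS(CONTROL)
RDEFINE MQCMDS CSQ1.START.** UACC(NONE)
PERMIT CSQ1.START.** CLASS(MQCMDS) ID(TMTMAGNT) ACCESS(CONTROL)
RDEFINE MQCMDS CSQ1.STOP.** UACC(NONE)
PERMIT CSQ1.STOP.** CLASS(MQCMDS) ID(TMTMAGNT) ACCESS(CONTROL)
/* Queue security (MQQUEUE): UPDATE on ssid.** (covers the QPASA      */
/* dynamic queues, SYSTEM.COMMAND.INPUT and COMMAND.REPLY.MODEL)      */
RDEFINE MQQUEUE CSQ1.** UACC(NONE)
PERMIT CSQ1.** CLASS(MQQUEUE) ID(TMTMAGNT) ACCESS(UPDATE)
/* Refresh the in-storage copies so the new profiles take effect      */
SETROPTS RACLIST(MQADMIN MQCMDS MQQUEUE) REFRESH
```

Run the CLIST once per queue manager, substituting that queue manager's ssid; if the agent and the monitoring extension run under different user IDs, repeat each PERMIT for the second ID.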
Page sets
Page sets are formatted data sets that store messages and object definitions for a queue manager. Each page set is identified by a page set identifier (PSID) from 00 through 99, so a queue manager can have up to 100 page sets. (Page set 00 is the object definition repository; it is reserved by IBM and should not be used.)
Queues are mapped to storage classes. Storage classes map queues to page sets. A buffer pool is associated with a page set. For complete information about z/OS page sets and IBM MQ, see the IBM MQ for z/OS System Management Guide.
Before being stored in page sets, messages are held temporarily in buffers, which are organized into buffer pools. For more information about buffer pools, see your z/OS documentation; for the statistics that MainView Middleware Monitor collects on them, see Buffer manager statistics below.
z/OS systems programmers or IBM MQ administrators can use the page set statistics to group queues with similar characteristics together, which can significantly enhance performance.
Page sets are monitored when either a queue or a channel is selected for monitoring by MainView Middleware Monitor. Page set statistics are displayed in the MainView Middleware Monitor Management Console. It is not possible to disable page set monitoring or to configure which page sets are monitored: all page sets associated with a queue manager are monitored.
MainView Middleware Monitor gathers the following information at every sample interval (the default is every 60 seconds):
- Page Sets
  - Total data pages (obtained from IBM MQ)
  - Unused pages (obtained from IBM MQ)
  - Number of pages holding persistent data (obtained from IBM MQ)
  - Number of pages holding non-persistent data (obtained from IBM MQ)
  - Extents at restart (obtained from IBM MQ)
  - Percentage of total pages in use (calculated by MainView Middleware Monitor)
  - Percentage of pages holding persistent data (calculated by MainView Middleware Monitor)
  - Percentage of pages holding non-persistent data (calculated by MainView Middleware Monitor)
  - Buffer pool (obtained from the system)
  - Queue manager name (obtained from IBM MQ)
- Queues (in addition to other IBM MQ monitoring)
  - Storage class (obtained from IBM MQ)
  - Page set ID (obtained from IBM MQ)
  - Buffer pool (obtained from the system)
Changing the storage class for a queue
Knowing how queues are handling the message load and how page sets are affected allows you to change the storage class for a queue. Changing the storage class can make the z/OS system function more efficiently. See your IBM MQ documentation for details about tuning your IBM MQ environment on z/OS.
Before you begin
Before you can change the storage class for a queue the queue must be empty and closed.
To change the storage class for a queue
- In the MainView Middleware Monitor explorer pane, expand the node until the queue that you want to view or change appears.
- Right-click the queue and select Properties.
- Select the new storage class from the attribute list and click Change queue.
To view page set information
In the MainView Middleware Monitor Management Console explorer pane, expand the node to Page Sets under the queue manager.
The view lists all of the pertinent page set statistics and, in the explorer pane, the page set attributes. You can collect history on these attributes and create reports or charts. For more information, see Recommendations for collecting history for page sets.
Recommendations for collecting history for page sets
BMC recommends using the settings shown in the table below for collecting history on page sets.
Attribute | Last | Count | Average | Min | Max | Total |
---|---|---|---|---|---|---|
BufferPool | | | | | | X |
ExtentsSinceRestart | | | | | | X |
PageswNonPersist | | | X | X | X | |
PageswPersistent | | | X | X | X | |
PctPagesInUse | | | X | X | X | |
PctwNonPersistent | | | X | X | X | |
PctwPersistent | | | X | X | X | |
TotalExtents | | | | | | X |
TotalPages | | | X | X | X | X |
UnusedPages | | | X | X | X | X |
Buffer manager statistics
z/OS buffer manager statistics are monitored by MainView Middleware Monitor. A buffer pool is an area of main storage used for z/OS IBM MQ queues, messages, and object definitions.
Buffer manager statistics provide MainView Middleware Monitor users with statistical data about buffer pools. Using the statistics, you can tune your environment and see the results in the Management Console z/OS Buffer Manager view.
To receive buffer manager statistics, you must have monitoring set on the queue manager.
In addition to the data received from the SMF record, MainView Middleware Monitor provides the following calculated values.
Buffer Pool Hit Ratio:
Page Retrieval Efficiency:
Empty Page Request Ratio:
Asynchronous Writer Processor Efficiency:
BMC recommends using the settings shown in the table below for collecting history on z/OS buffer pools.
Real name | Attribute | Last | Count | Average | Min | Max | Total |
---|---|---|---|---|---|---|---|
Buffer Pool Hit Ratio | QPSTBPHR | | | X | X | X | |
Page Retrieval Efficiency | QPSTPRE | | | X | X | X | |
Empty Page Request Ratio | QPSTEPRR | | | X | X | X | |
Asynchronous Writer Processor Efficiency | QPSTAWPE | | | X | X | X | |
Monitor queues in a queue sharing group
To reduce the amount of coupling facility and Db2 resources used while monitoring queue sharing groups, MainView Middleware Monitor determines whether a queue is private or shared. Private queues are those defined with QSGDISP(QMGR) or QSGDISP(COPY); shared queues are those defined with QSGDISP(SHARED).
If you want to prevent monitoring of shared queues, modify the EAAXML file and set QSGMonitoringMode to QSGDISP_Always_PRIVATE. You might need to add the stanza to your EAAXML file, as shown in the example below.
QSGMonitoringMode section
<ExtensionName>WebSphere MQ Monitor</ExtensionName>
<Preferences>
    <PreferenceAttribute>
        <PreferenceName>SampleInterval</PreferenceName>
        <PreferenceValue>30</PreferenceValue>
    </PreferenceAttribute>
    <PreferenceAttribute>
        <PreferenceName>ServicePort</PreferenceName>
        <PreferenceValue>6001</PreferenceValue>
    </PreferenceAttribute>
    :
    :
    <PreferenceAttribute>
        <PreferenceName>QSGMonitoringMode</PreferenceName>
        <PreferenceValue>QSGDISP_Always_PRIVATE</PreferenceValue>
    </PreferenceAttribute>
</Preferences>
The valid options for QSGMonitoringMode are:
- QSGDISP_DYNAMIC - If QSGMonitoringMode does not appear in the EAAXML file, MainView Middleware Monitor uses this setting. All private and shared queues are monitored, specifying QSGDISP.
- QSGDISP_Always_PRIVATE - Only private queues are monitored. This reduces the load on the Db2 database.
- QSGDISP_Dont_Specify - All private and shared queues are monitored without specifying QSGDISP.