On z/OS, IBM MQ does not own the master list of who may access corporate resources. That role belongs to the external security manager (ESM)—the product installed system-wide to answer SAF authorization requests. IBM RACF is the default choice in many IBM-centric enterprises; Broadcom Top Secret and CA ACF2 serve the same role at other sites. MQ administrators who know setmqaut on Linux must partner with ESM teams on mainframe: you supply queue manager names, queue names, channel identities, and required access; they implement profiles, audit options, and emergency revocation. This tutorial compares the three major ESMs in relation to MQ, explains the SAF boundary, documents operational handoffs, covers hybrid environments where distributed OAM and z/OS ESM both apply, and gives beginners vocabulary for security meetings without claiming vendor-specific syntax that varies by release and site standards.
Every ESM integrates through SAF. MQ is unaware of whether RACF or ACF2 answered—the call is “authorize this user on this class/profile/access.” That abstraction lets enterprises switch or coexist with migration programs (rare but documented in large mergers). MQ documentation lists resource classes and profile conventions; ESM documentation lists how to create and audit those profiles. Your job on the MQ side is accurate resource naming and least privilege requirements, not writing RACF rules without security team review.
| ESM | Vendor | MQ administrator note |
|---|---|---|
| RACF | IBM | Most IBM MQ z/OS examples; SMF audit integration familiar to operations |
| Top Secret | Broadcom | Use Top Secret admin guides with IBM MQ class names |
| ACF2 | Broadcom (CA) | ACF2 rules and reporting differ; same SAF entry from MQ |
| OAM (distributed) | IBM MQ | Not an ESM—used on Linux/Windows queue managers instead of RACF |
RACF stores profiles in classes such as those defined in IBM MQ for z/OS security manuals (MQQUEUE, MQCONN, and others per release). Commands like RDEFINE, PERMIT, and SETROPTS RACLIST are security team tools. MQ defines which operations require which access levels. Integration testing uses real user IDs and started tasks, not the MQ administrator’s personal ID alone. RACF also controls who may issue superuser MQ commands—separate from application put and get. See the RACF integration tutorial in this series for profile-oriented detail.
ACF2 sites implement access rules and INFOTYPE records according to ACF2 methodology. MQ still calls SAF; ACF2 enforces. Naming conventions may differ from RACF examples in IBM redbooks—translate IBM’s RACF-oriented profile names to ACF2 equivalents with your security architect. Audit trails use ACF2 reporting. Hybrid project teams must not paste RACF JCL from the internet into ACF2 systems without conversion.
Top Secret uses its resource and facility model. MQ resource classes appear in Top Secret administration with vendor documentation mapping IBM MQ access to Top Secret privileges. As with ACF2, the MQ object model is unchanged—only administration syntax differs. Training materials for new MQ hires should state which ESM the site runs to avoid confusion in classrooms that default to RACF slides.
The external security manager is the single guard rulebook for the mainframe building. IBM MQ rooms (queues) have entries in that book. CICS and Db2 use the same book, so one fired employee badge stops everything at once.
Modern architectures connect Linux queue managers to z/OS queue managers with channels. Linux side uses setmqaut on queues and CHLAUTH for connections. z/OS side uses ESM profiles for the MCAUSER or mapped user that arrives on the channel. End-to-end security reviews must list both sides. A fully authorized Linux service ID is useless if the z/OS ID mapped at the channel lacks RACF UPDATE on the target queue. Conversely, perfect RACF profiles fail if the Linux client cannot connect or lacks put authority on the remote queue definition path.
1234Distributed QM_Linux --[channel TLS]--> z/OS QM_MAIN Linux: setmqaut -p APPUSER +put on REMOTE.Q z/OS: RACF PERMIT on profile for APPUSER (or mapped MCAUSER) on queue resolved on QM_MAIN
Greenfield z/OS today still picks an ESM at the platform level, not per MQ. MQ follows that decision. Mergers that consolidate ESMs require massive profile migration projects—MQ is one consumer among hundreds. Plan MQ regression tests for 2035 rates, channel starts, and CSQ admin commands after ESM migration milestones.
Regulators ask who can read production payment queues. ESM reports answer for z/OS; dspmqaut and AUTHREC reports answer for distributed. Architecture diagrams for hybrid flows should show both. SOS and break-glass IDs require extra monitoring on ESM audit trails.
The external security manager is the one boss who keeps the list of who may enter every room; IBM MQ asks that boss before opening a door.
Create an access matrix template with columns for object, Linux setmqaut, and z/OS ESM profile.
Describe a channel from Linux to z/OS and list security owners for each hop.
Explain why teaching only RACF syntax fails at an ACF2 shop.
1. ESM examples include:
2. MQ on z/OS authorizes via:
3. setmqaut is primarily for:
4. ESM admin owns: