IBM MQ sits at the center of payment, logistics, and integration estates—carrying payloads that must not be read, forged, or replayed by unauthorized parties. Security is not a single switch: it layers connection authentication, channel rules, object authority, TLS cryptography, optional Advanced Message Security for payload signing and encryption, and on z/OS integration with RACF or equivalent external security managers. This roadmap page is the chapter-eight entry point for the tutorial series listed in MQ_PAGES.md: it orders topics for beginners and architects, proposes phased implementation from lab to production, maps each tutorial slug to outcomes, highlights dependencies (you cannot tune CHLAUTH SSLPEER maps before understanding MCAUSER), and points to existing pages already published such as 2035 errors, MCAUSER security, and pub/sub authority while marking upcoming tutorials for CONNAUTH, setmqaut, and cipher suites. Use it as a checklist when hardening a new queue manager or auditing an estate that grew faster than its security design.
Before MQSC changes, document every listener port, every SVRCONN and RCVR channel, every client application user ID, and every queue manager that participates in clusters. Identify internet-facing paths versus mainframe-only Sysplex traffic. List default MCAUSER values, whether CHLAUTH is enabled (it should be on current releases), and whether CONNAUTH objects exist or default connection handling applies. Risk rank paths that move PCI, PII, or wire-transfer instructions. This phase produces no configuration change but prevents locking out production batch jobs because you blocked a channel nobody documented.
Implement CONNAUTH to require password, LDAP, or certificate authentication for client connections per policy. Deploy CHLAUTH rules: block default wide-open SVRCONN, allow known IP ranges or certificate DNs, map partners to least-privilege MCAUSER. Pair with TLS on listeners and channels—mutual TLS where partners support it. Tutorials planned in this series: CONNAUTH, IDPWOS, LDAP authentication, CHLAUTH, SSL/TLS, SSLPEER rules, cipher suites, certificate renewal. Existing related content: channel authentication failures, sslciph, mcauser-security.
| Topic | Tutorial slug | Outcome |
|---|---|---|
| Security model | mq-security-model | Understand layers |
| OAM / setmqaut | setmqaut | Grant put/get/alt |
| CONNAUTH | connauth | Control client login |
| CHLAUTH | chlauth | Channel partner rules |
| TLS | ssl-tls | Encrypt wire |
| AMS | ams | Sign/encrypt payload |
| RACF | racf-integration | z/OS profiles |
Move from default-allow legacies to explicit grants: queue read for consumers, put for producers, inhibit for admin-only queues, topic and subscription authorities for pub/sub, channel authority for operations scripts. Use dspmqaut in audits. Group principals on distributed; RACF groups on z/OS. Separate monitoring IDs with browse-only where possible. Tutorials: setmqaut, dspmqaut, OAM permissions, queue permissions, topic permissions, channel permissions, principal and group permissions.
Where regulations require payload confidentiality beyond TLS hop-by-hop, evaluate Advanced Message Security for signing and encryption. On z/OS, align MQPROFILE and RACF definitions with enterprise access management. Review AMS, message encryption, and z/OS security tutorials in this series. Ensure key management and certificate renewal are operational procedures, not annual emergencies.
Perimeter fence is TLS and firewall. Reception desk checks ID—CONNAUTH. Hall monitors verify which corridor you may enter—CHLAUTH and MCAUSER. Each office door has a badge reader—OAM on queues and topics. A safe inside the office is AMS on message payload.
You fix a treehouse by first learning what locks exist, then locking the ladder, then deciding which friends may put toys in which box—one step at a time so you do not trap yourself inside.
Write a one-page inventory template for a single queue manager security review.
Order these activities: enable TLS, define CONNAUTH, grant setmqaut put, block CHLAUTH default—justify sequence.
Which phase fixes a partner connecting but getting 2035 on PUT?
1. Authentication answers:
2. Authorization answers:
3. TLS primarily protects:
4. Sensible first hardening step: