Considering security for a Configuration Manager

Determine the security characteristics and group membership required for the user IDs that perform tasks associated with the Configuration Manager.

Consider the characteristics and group membership required for user IDs that perform the following functions:
  • Run as the service user ID (the ID under which the Configuration Manager itself runs)
  • Process Configuration Manager commands
  • Access the Configuration Manager's queues.

An ACL is associated with the Configuration Manager itself. Users or groups that have full-control membership of the Configuration Manager's ACL implicitly have full-control membership of all other ACLs. Full-control membership of the Configuration Manager's ACL also allows those users or groups to modify the ACLs for any object, including the Configuration Manager. Because of this, full control of the Configuration Manager's ACL is effectively an administrative privilege and should be granted only to the users or groups who administer the Configuration Manager.

Read the appropriate sections in this list:

  1. Deciding which user accounts can process Configuration Manager commands
  2. Deciding which user account to use for the Configuration Manager service ID
  3. Setting security on the Configuration Manager's queues
  4. Running the Configuration Manager in a domain environment

Deciding which user accounts can process Configuration Manager commands

During this task you decide what permissions are required for the user IDs that:
  • Create, change, list, delete, start, and stop a Configuration Manager
  • Display, retrieve, and change trace information.

Answer the following questions:

  1. Is your Configuration Manager running on a Linux® or UNIX® operating system?
    1. No: Go to the next question.
    2. Yes: Ensure that your user ID is a member of the mqbrkrs group.

      Go to Deciding which user account to use for the Configuration Manager service ID

  2. Are you running Configuration Manager commands under a Windows® local account?
    1. No: Go to the next question.
    2. Yes: Assume that your local account is on a computer named, for example, WKSTN1. When you create a Configuration Manager, ensure that your user ID is defined in your local domain (that is, on WKSTN1 itself). When you create or start a Configuration Manager, ensure that your user ID is a member of WKSTN1\Administrators.

      Go to Deciding which user account to use for the Configuration Manager service ID

  3. Are you running Configuration Manager commands under a Windows domain account?
    1. Yes: Assume that your computer named, for example, WKSTN1, is a member of a domain named DOMAIN1. When you create a Configuration Manager using, for example, DOMAIN1\user1, ensure that DOMAIN1\user1 is a member of WKSTN1\Administrators.

      Go to Deciding which user account to use for the Configuration Manager service ID

Deciding which user account to use for the Configuration Manager service ID

When you run the mqsistart command under a user ID that is a member of the mqm and mqbrkrs groups, that user ID becomes the user ID under which the Configuration Manager component process runs. The component therefore inherits the privileges of whichever account issues mqsistart, so issue the command only from an account that has been set up as described below.

Answer the following questions:

  1. Is your Configuration Manager running on a Linux or UNIX operating system?
    1. No: Go to the next question.
    2. Yes: Ensure that your user ID is a member of the mqbrkrs group.

      Go to Setting security on the Configuration Manager's queues.

  2. Do you want your Configuration Manager to run under a Windows local account?
    1. No: Go to the next question.
    2. Yes:
      Ensure that your user ID has the following characteristics:
      • It is defined in your local domain
      • It is a member of the mqbrkrs group
      • It is a member of the mqm group
      • It is a member of the Administrators group
      • It has been granted the Log on as a service privilege in the Local Security Policy in Windows, which you can access by selecting Control Panel > Performance and maintenance > Administrative Tools > Local Security Policy.

      Go to Setting security on the Configuration Manager's queues.

  3. Do you want your Configuration Manager to run under a Windows domain account?
    1. Yes: Assume that your computer named, for example, WKSTN1, is a member of a domain named DOMAIN1. When you run a Configuration Manager using, for example, DOMAIN1\user1, ensure that:
      1. user1 is defined in DOMAIN1
      2. DOMAIN1\user1 is a member of DOMAIN1\Domain mqbrkrs
      3. DOMAIN1\user1 is a member of WKSTN1\mqm
      4. DOMAIN1\Domain mqbrkrs is a member of WKSTN1\mqbrkrs
      5. DOMAIN1\user1 is a member of WKSTN1\Administrators
      6. The user ID (user1) has been granted the Log on as a service privilege in the Local Security Policy in Windows, which you can access by selecting Control Panel > Performance and maintenance > Administrative Tools > Local Security Policy.

      Go to Setting security on the Configuration Manager's queues.
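The two procedures above reduce to a single check on Linux and UNIX: an ID that issues Configuration Manager commands must be in mqbrkrs, and the ID that runs mqsistart (and so becomes the component's service ID) must be in both mqm and mqbrkrs. The following script is an added example, not code from the IBM documentation; it takes the group list from id(1), reports which required groups are missing for a given role, and only then calls mqsistart. The group names mqm and mqbrkrs are those on this page; the Configuration Manager name CMGR01 is a placeholder.

```shell
#!/bin/sh
# Added example (not from the IBM page): pre-flight check of the group
# memberships this page requires before running mqsistart on Linux/UNIX.
# Assumptions: the groups are literally named mqm and mqbrkrs, and the
# Configuration Manager name CMGR01 is a placeholder.

# mqbrkrs alone suffices to issue Configuration Manager commands; the
# service ID that runs the component needs mqm as well.
CMD_GROUPS="mqbrkrs"
SERVICE_GROUPS="mqm mqbrkrs"

# has_group GROUPLIST GROUP -> 0 if GROUP appears as a whole word in GROUPLIST
# (a whole-word loop, so "mqm" does not match a group such as "mqmadmin").
has_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# missing_groups GROUPLIST REQUIRED -> prints the required groups absent from GROUPLIST
missing_groups() {
    _missing=""
    for req in $2; do
        has_group "$1" "$req" || _missing="$_missing $req"
    done
    printf '%s\n' "${_missing# }"
}

# check_role ROLE GROUPLIST -> 0 if GROUPLIST satisfies ROLE (command|service),
# 1 if groups are missing (they are named on stderr), 2 for an unknown role.
check_role() {
    case "$1" in
        command) _req="$CMD_GROUPS" ;;
        service) _req="$SERVICE_GROUPS" ;;
        *) echo "unknown role: $1" >&2; return 2 ;;
    esac
    _m=$(missing_groups "$2" "$_req")
    if [ -n "$_m" ]; then
        echo "user lacks required group(s) for $1 role: $_m" >&2
        return 1
    fi
    return 0
}

# start_configmgr [NAME]: take the invoking user's groups from id(1) and refuse
# to start unless the service-role requirement is met, because the component
# process inherits exactly this user ID.
start_configmgr() {
    _groups=$(id -nG)
    check_role service "$_groups" || return 1
    mqsistart "${1:-CMGR01}"
}
```

Run `check_role command "$(id -nG)"` before issuing mqsicreateconfigmgr and friends, and `start_configmgr CMGR01` in place of a bare mqsistart; on Windows the equivalent membership checks are against the local and domain groups listed in the procedure above rather than id(1).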

Setting security on the Configuration Manager's queues

When you run the mqsicreateconfigmgr command, the mqbrkrs group is granted access authority to the following queues:
  • SYSTEM.BROKER.CONFIG.QUEUE
  • SYSTEM.BROKER.CONFIG.REPLY
  • SYSTEM.BROKER.ADMIN.REPLY
  • SYSTEM.BROKER.SECURITY.QUEUE
  • SYSTEM.BROKER.MODEL.QUEUE.

Brokers and User Name Servers communicate with the Configuration Manager through these queues. If they run on the same computer as the Configuration Manager, you do not need to do anything else to enable them to communicate. However, if they run on a different computer, you must ensure that their service ID exists on the computer that is running the Configuration Manager, and then either add that user account to the mqbrkrs group or grant it explicit WebSphere MQ authority to put messages to the Configuration Manager's queues. Granting only put authority on the specific queues is the narrower of the two options, because mqbrkrs membership carries every authority the group has been given.

Administrators using either commands or the Toolkit need the authority to put messages to the Configuration Manager's queues. You can use the mqsicreateaclentry command to create the required access to WebSphere® MQ.
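The following script is an added example, not code from the IBM documentation. It covers the two grants discussed on this page: explicit put authority on the Configuration Manager's queues for a remote broker's service ID (the alternative to mqbrkrs membership described above), together with the matching revocation and a dspmqaut verification, and a Configuration Manager ACL entry giving an administrator full control of the Configuration Manager itself (the privilege described at the top of this page). The queue manager CMQM, Configuration Manager CMGR01 and principal brksvc are placeholders. The setmqaut and dspmqaut flags are WebSphere MQ's; the mqsicreateaclentry flags used here (-u, -a, -x, -p) are assumed from the Message Broker command reference, and connect authority on the queue manager is assumed to be needed in addition to put, since a queue cannot be opened without connecting.

```shell
#!/bin/sh
# Added example, not code from the IBM page. Assumed names: queue manager CMQM,
# Configuration Manager CMGR01, principal brksvc. setmqaut/dspmqaut flags are
# WebSphere MQ's; the mqsicreateaclentry flags (-u -a -x -p) are assumed.
# DRY_RUN=1 (the default) prints the commands instead of executing them.

CONFIGMGR_QUEUES="SYSTEM.BROKER.CONFIG.QUEUE SYSTEM.BROKER.CONFIG.REPLY \
SYSTEM.BROKER.ADMIN.REPLY SYSTEM.BROKER.SECURITY.QUEUE SYSTEM.BROKER.MODEL.QUEUE"
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# set_put QMGR NAME KIND SIGN: KIND is p (principal) or g (group); SIGN is
# + to grant or - to revoke. Connect on the queue manager is assumed necessary
# as well (a queue cannot be opened without connecting); put is granted per
# queue rather than via a wildcard profile so nothing else is touched.
set_put() {
    qm="$1"; name="$2"; kind="$3"; sign="$4"
    case "$kind" in p|g) ;; *) echo "kind must be p or g" >&2; return 2 ;; esac
    case "$sign" in +|-) ;; *) echo "sign must be + or -" >&2; return 2 ;; esac
    run setmqaut -m "$qm" -t qmgr "-$kind" "$name" "${sign}connect"
    for q in $CONFIGMGR_QUEUES; do
        run setmqaut -m "$qm" -t queue -n "$q" "-$kind" "$name" "${sign}put"
    done
}

# grant_put / revoke_put QMGR NAME [KIND]: grant for a new remote broker's
# service ID, revoke when that broker is decommissioned.
grant_put()  { set_put "$1" "$2" "${3:-p}" +; }
revoke_put() { set_put "$1" "$2" "${3:-p}" -; }

# verify_put QMGR NAME [KIND]: show the effective authority on each queue.
verify_put() {
    kind="${3:-p}"
    for q in $CONFIGMGR_QUEUES; do
        run dspmqaut -m "$1" -t queue -n "$q" "-$kind" "$2"
    done
}

# grant_cm_full_control CONFIGMGR USER: full control (-x F) on the
# Configuration Manager itself (-p), from any host (-a). Per this page that
# implies full control of every other ACL, so reserve it for administrators.
grant_cm_full_control() {
    run mqsicreateaclentry "$1" -u "$2" -a -x F -p
}
```

Typical use on the Configuration Manager's computer, after the remote broker's service ID has been created there: `DRY_RUN=0 grant_put CMQM brksvc` followed by `verify_put CMQM brksvc`; for a group instead of a principal pass `g` as the third argument. On Windows the same setmqaut calls apply, with the domain account given in the form WebSphere MQ expects for that platform.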

Running the Configuration Manager in a domain environment


Copyright IBM Corporation 1999, 2009.
Last updated : 2009-01-07 15:22:49
