Considering security for a broker

Several factors must be considered when you are deciding which users can execute broker commands and which users can control security for other broker resources.

When you are deciding which users are to perform the different tasks, consider the following steps:

  1. Deciding which user accounts can process broker commands
  2. Deciding which user account to use for the broker service ID
  3. Setting security on the broker's queues
  4. Enabling topic-based security in the broker

Deciding which user accounts can process broker commands

Decide which permissions are required for the user IDs that:
  • Create, change, list, delete, start, and stop brokers
  • Display, retrieve, and change trace information

Answer the following questions:

  1. Is your broker installed on a Linux® or UNIX® operating system?
    1. No: Go to the next question.
    2. Yes: Ensure that your user ID has the following characteristics:
      • It is a member of the mqbrkrs group.
      • If it will be used to create or delete a broker, it must be a member of the mqm group.

      Go to Deciding which user account to use for the broker service ID.

  2. Are you processing broker commands under a Windows® local account?
    1. No: Go to the next question.
    2. Yes: Assume that your local account is on a computer named, for example, WKSTN1.
      Ensure that your user ID has the following characteristics:
      • It is a member of the mqbrkrs group.
      • If it will be used to create a broker, the user ID must be defined in your local domain.
      • If it will be used to create or start a broker, the user ID must be a member of the Administrators group (for example, WKSTN1\Administrators).
      • If it will be used to create or delete a broker, the user ID must be a member of the mqm group.

      Go to Deciding which user account to use for the broker service ID.

  3. Are you processing broker commands under a Windows domain account?
    1. Yes: Assume that your computer named, for example, WKSTN1, is a member of a domain named DOMAIN1.
      Ensure that the user ID has the following characteristics:
      • It is a member of the mqbrkrs group.
      • If it will be used to create a broker, the user ID must be defined in your local domain.
      • If it will be used to create or start a broker, the user ID must be a member of the Administrators group. For example, if you create a broker using DOMAIN1\user1, ensure that DOMAIN1\user1 is a member of WKSTN1\Administrators.
      • If it will be used to create or delete a broker, the user ID must be a member of the mqm group.

      Go to Deciding which user account to use for the broker service ID.
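
The following pre-flight check is an added example, not part of the IBM documentation. It applies the Linux/UNIX rules above (every broker command needs mqbrkrs; create and delete also need mqm) to a user ID before the command is run; the group names mqbrkrs and mqm are taken from this page, and the action names are assumed for the script.

```shell
#!/bin/sh
# Added example: verify that a Linux/UNIX user ID holds the group
# memberships this page requires before running a broker command.
# Group names mqbrkrs and mqm are the ones the page names.

# in_group NAME GROUPS: succeed if NAME appears in the space-separated GROUPS.
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# groups_allow GROUPS ACTION
#   GROUPS: the user's groups as printed by `id -nG`
#   ACTION: create | delete | start | stop | trace (assumed action names)
# Returns 0 when the membership is sufficient, 1 when it is not, 2 on a bad action.
groups_allow() {
    groups="$1"
    action="$2"
    if ! in_group mqbrkrs "$groups"; then
        echo "denied: not a member of mqbrkrs (required for every broker command)" >&2
        return 1
    fi
    case "$action" in
        create|delete)
            # Creating or deleting a broker additionally requires mqm.
            if ! in_group mqm "$groups"; then
                echo "denied: '$action' also requires membership of mqm" >&2
                return 1
            fi ;;
        start|stop|trace) ;;
        *) echo "unknown action: $action" >&2; return 2 ;;
    esac
    return 0
}

# check_user USER ACTION: read the live group list with id(1) and check it.
check_user() {
    groups_allow "$(id -nG "$1" 2>/dev/null)" "$2"
}

# Usage when run directly, for example:  ./brokercheck.sh mqsiuser create
if [ "$#" -eq 2 ]; then
    check_user "$1" "$2" && echo "ok: $1 may run '$2'"
fi
```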

Deciding which user account to use for the broker service ID

When you run the mqsistart command with a user ID that is a member of the mqm and mqbrkrs groups, the user ID under which you run the mqsistart command becomes the user ID under which the broker component process will run.

Answer the following questions:

  1. Is your broker installed on a Linux or UNIX operating system?
    1. No: Go to the next question.
    2. Yes: Ensure that the user ID is a member of the mqbrkrs group.

      Go to Setting security on the broker's queues.

  2. Do you have any existing brokers running on this Windows system?
    1. No: You can choose a service ID for the broker. Go to the next question.
    2. Yes: On the Windows platform, all brokers must run with the same service ID. Use your existing service ID when you create the new broker.
  3. Do you want your broker to run under a Windows local account?
    1. No: Go to the next question.
    2. Yes: Ensure that your user ID has the following characteristics:
      • It is defined in your local domain.
      • It is a member of the mqbrkrs group.
      • It has been granted the Logon as a service privilege in the Local Security Policy in Windows, which you can access by selecting Control Panel > Performance and maintenance > Administrative Tools > Local Security Policy.

      Go to Setting security on the broker's queues.

  4. Do you want your broker to run under a Windows domain account?
    1. Yes: Assume that your computer named, for example, WKSTN1, is a member of a domain named DOMAIN1. When you run a broker using, for example, DOMAIN1\user1, ensure that:
      • DOMAIN1\user1 is a member of DOMAIN1\Domain mqbrkrs.
      • DOMAIN1\Domain mqbrkrs is a member of WKSTN1\mqbrkrs.
      • The user ID has been granted the Logon as a service privilege in the Local Security Policy in Windows, which you can access by selecting Control Panel > Performance and maintenance > Administrative Tools > Local Security Policy.

      Go to Setting security on the broker's queues.

Setting security on the broker's queues

When you run the mqsicreatebroker command, the local mqbrkrs group is granted access to the internal queues whose names begin with the characters SYSTEM.BROKER. Do not change this ACL, because it is required for the broker to function correctly.

The Configuration Manager controlling the broker puts messages to SYSTEM.BROKER.ADMIN.QUEUE. If your Configuration Manager is on the same computer as your broker, its service ID will be in the mqbrkrs group, so no further action is required. If the Configuration Manager is on a different computer, ensure that its service ID is defined to the computer that is running the broker, and ensure that it has WebSphere® MQ access to put messages to SYSTEM.BROKER.ADMIN.QUEUE.

If you use collectives for publish/subscribe, other brokers in your domain must put messages to SYSTEM.BROKER.INTERBROKER.QUEUE. Therefore, their service IDs require authority to put messages to that queue.
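
The script below is an added example, not part of the IBM documentation, showing how the two grants described above are made with the standard WebSphere MQ commands setmqaut and dspmqaut while giving only +put, the one authority the page says these components need. The queue manager name BRKQM, the Configuration Manager service ID cmuser and the group brkpeers (holding the service IDs of the other brokers in the collective) are placeholders; by default the script only prints the commands, so it can be reviewed before being run as an MQ administrator.

```shell
#!/bin/sh
# Added example: grant a remote Configuration Manager and collective peer
# brokers put authority on the broker's SYSTEM.BROKER queues, then verify.
# BRKQM, cmuser and brkpeers are placeholder names, not values from the page.

# run CMD...: print the MQ command (DRY_RUN=1, the default) or execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# grant_put QMGR QUEUE FLAG ID: FLAG is -p (principal) or -g (group).
# Only +put is granted: these components never get from, browse or
# administer the queue, so nothing more is needed.
grant_put() {
    run setmqaut -m "$1" -t queue -n "$2" "$3" "$4" +put
}

# verify_put QMGR QUEUE FLAG ID: dspmqaut shows the effective authorities
# so the grant can be checked after it is applied.
verify_put() {
    run dspmqaut -m "$1" -t queue -n "$2" "$3" "$4"
}

# configure_broker_queue_access QMGR CM_ID PEER_GROUP
configure_broker_queue_access() {
    qm="$1"; cm_id="$2"; peers="$3"
    # Remote Configuration Manager service ID -> administration queue.
    grant_put "$qm" SYSTEM.BROKER.ADMIN.QUEUE -p "$cm_id"
    verify_put "$qm" SYSTEM.BROKER.ADMIN.QUEUE -p "$cm_id"
    # Service IDs of other brokers in the collective -> interbroker queue.
    grant_put "$qm" SYSTEM.BROKER.INTERBROKER.QUEUE -g "$peers"
    verify_put "$qm" SYSTEM.BROKER.INTERBROKER.QUEUE -g "$peers"
}

# Usage:  DRY_RUN=0 ./brokerqueues.sh BRKQM cmuser brkpeers
if [ "$#" -eq 3 ]; then
    configure_broker_queue_access "$1" "$2" "$3"
fi
```

The mqbrkrs ACL created by mqsicreatebroker is left untouched; the script only adds authority for identities that are outside that group.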

Enabling topic-based security in the broker

Perform this task by responding to the following question:

Do you want to enable topic-based security in the broker?
  1. Yes: Go to Enabling topic-based security.
  2. No: Go to Considering security for a Configuration Manager.

Copyright IBM Corporation 1999, 2009.
Last updated : 2009-01-07 15:22:48