Security requirements for Windows platforms

Security requirements depend on the administrative task that you want to perform.

The following table summarizes the requirements for administrative tasks. It shows what group membership is required if you are using a local security domain defined on your local system SALONE, or a primary domain named PRIMARY, or a trusted domain named TRUSTED. The contents of this table assume that you have created both the Configuration Manager and the User Name Server with the same security domain.

The requirements for each task are listed under the three columns of the table: Local domain (SALONE); Primary domain (PRIMARY), that is, a Windows® single domain; and Trusted domain (TRUSTED), that is, a Windows parent/child domain in a domain tree.

Creating a broker, Configuration Manager, User Name Server, or database (with mqsicreatedb)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of Administrators
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of SALONE\Administrators
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of SALONE\Administrators
Changing a broker, Configuration Manager, User Name Server, or DatabaseInstanceMgr
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of Administrators
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of SALONE\Administrators
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of SALONE\Administrators
Deleting a broker, Configuration Manager, User Name Server, or database (with mqsideletedb)
  Local domain (SALONE):
    • Member of Administrators
  Primary domain (PRIMARY):
    • Member of SALONE\Administrators
  Trusted domain (TRUSTED):
    • Member of SALONE\Administrators
Starting a broker, Configuration Manager, User Name Server, or DatabaseInstanceMgr, or running the verification command mqsicvp
  Local domain (SALONE):
    • Member of Administrators
  Primary domain (PRIMARY):
    • Member of SALONE\Administrators
  Trusted domain (TRUSTED):
    • Member of SALONE\Administrators
Listing a broker, Configuration Manager, User Name Server, or DatabaseInstanceMgr
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • User ID must have the authority to query the registry values under the WebSphereMQIntegrator entry in the registry
    • Member of mqbrkrs if issuing the command: mqsilist broker_name execution_group_name
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • User ID must have the authority to query the registry values under the WebSphereMQIntegrator entry in the registry
    • Member of PRIMARY\Domain mqbrkrs if issuing the command: mqsilist broker_name execution_group_name
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • User ID must have the authority to query the registry values under the WebSphereMQIntegrator entry in the registry
    • Member of TRUSTED\Domain mqbrkrs if issuing the command: mqsilist broker_name execution_group_name
Changing, displaying, or retrieving trace information
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs
Running a User Name Server (service user ID)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
    • Must have the Logon as a service privilege in the Windows Local Security Policy
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
    • Must have the Logon as a service privilege in the Windows Local Security Policy
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs
    • Must have the Logon as a service privilege in the Windows Local Security Policy
Running a DatabaseInstanceMgr (service user ID)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs
Running a Configuration Manager (service user ID)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
    • Member of mqm
    • Member of Administrators
    • Must have the Logon as a service privilege in the Windows Local Security Policy
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
    • Member of SALONE\mqm (see note 1)
    • Member of SALONE\Administrators
    • Must have the Logon as a service privilege in the Windows Local Security Policy
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs
    • Member of SALONE\mqm (see note 2)
    • Member of SALONE\Administrators
    • Must have the Logon as a service privilege in the Windows Local Security Policy
Running a broker (WebSphere® MQ fastpath off) (service user ID)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
    • Must have the Logon as a service privilege in the Windows Local Security Policy
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
    • Must have the Logon as a service privilege in the Windows Local Security Policy
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs
    • Must have the Logon as a service privilege in the Windows Local Security Policy
Running a broker (WebSphere MQ fastpath on) (service user ID)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
    • Member of mqm
    • Must have the Logon as a service privilege in the Windows Local Security Policy
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
    • Member of SALONE\mqm
    • Must have the Logon as a service privilege in the Windows Local Security Policy
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs
    • Member of SALONE\mqm
    • Must have the Logon as a service privilege in the Windows Local Security Policy
Clearing, joining, or listing WebSphere MQ Publish/Subscribe brokers
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs
Running a Message Brokers Toolkit (see note 3)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE (see note 4). For example, SALONE\User1 is valid; PRIMARY\User2 and TRUSTED\User3 are not.
  Primary domain (PRIMARY):
    • Regardless of whether domain awareness is enabled, when using Message Brokers Toolkit ACLs, user IDs must be members of any local ACL groups created on SALONE.
  Trusted domain (TRUSTED):
    • Regardless of whether domain awareness is enabled, when using Message Brokers Toolkit ACLs, user IDs must be members of any local ACL groups created on SALONE.
Running publish/subscribe applications
  Local domain (SALONE):
    • Must be a user ID defined in SALONE. For example, SALONE\User1 is valid; PRIMARY\User2 and TRUSTED\User3 are not.
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY. For example, PRIMARY\User2 is valid; SALONE\User1 and TRUSTED\User3 are not.
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED. For example, TRUSTED\User3 is valid; SALONE\User1 and PRIMARY\User2 are not.
Notes:
  1. If you are running in a primary domain, you can also:
    • Define the user ID in the domain PRIMARY.
    • Add this ID to the group PRIMARY\Domain mqm.
    • Add the PRIMARY\Domain mqm group to the group SALONE\mqm.
  2. If you are running in a trusted domain, you can also:
    • Define the user ID in the domain TRUSTED.
    • Add this ID to the group TRUSTED\Domain mqm.
    • Add the TRUSTED\Domain mqm group to the group SALONE\mqm.
  3. All Message Brokers Toolkit users need read access to the WebSphere MQ java\lib subdirectory of the WebSphere MQ home directory (the default location is X:\Program Files\WebSphere MQ, where X: is the operating system disk). This access is restricted to users in the local group mqm by WebSphere MQ. WebSphere Message Broker installation overrides this restriction and gives read access for this subdirectory to all users.
  4. If a valid user ID is defined in the domain used by the Configuration Manager (for example, PRIMARY\User4), an identical user defined in a different domain (for example, DOMAIN2\User4) can access the Message Brokers Toolkit with the authorities of PRIMARY\User4.
The following general notes also apply:
  1. Ensure that the service user ID has the required access to relevant directories of the product directory tree; for example, write access to the logs directory. If you have set a workpath for any component to a non-default value, ensure that the service user ID has appropriate access to this location.
  2. If you are running a Configuration Manager with one user ID and a broker with a different user ID on another computer, you might see an error message when trying to deploy message flows and message sets to the broker. To avoid this error:
    • Ensure that the broker's user ID is a member of the mqm and mqbrkrs groups.
    • Define the user ID for the broker on the computer where the Configuration Manager is running.
    • Define the user ID for the Configuration Manager on the computer where the broker is running.
    • Ensure that all user IDs are in lowercase so that they are compatible between computers.
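Checking a service user ID against the table before you start a component saves a failed start and a trawl through the event log. The following PowerShell function is an added example and is not part of the IBM page or product: it checks the local group memberships the table requires (mqbrkrs, plus mqm when WebSphere MQ fastpath is on) and whether the account holds the Logon as a service right (SeServiceLogonRight) in the local security policy. It assumes PowerShell 5.1 or later for Get-LocalGroupMember; secedit.exe is part of Windows. The account name PRIMARY\mqbrksvc in the usage line is a placeholder.

```powershell
# Added example, not from the original IBM page: check a service user ID against the
# membership and privilege requirements in the table above before you start a broker
# under it. Needs PowerShell 5.1 or later for Get-LocalGroupMember; secedit.exe is part
# of Windows. Run it from an elevated prompt on the computer that hosts the broker.
function Test-BrokerServiceUser {
    param(
        [Parameter(Mandatory = $true)][string]$Account,  # 'SALONE\svc', 'PRIMARY\svc' or 'TRUSTED\svc'
        [switch]$FastPath                                # WebSphere MQ fastpath on: mqm is required as well
    )

    # Resolve the account to a SID once; memberships and user rights are compared by SID,
    # so case differences in the name (see general note 2) do not produce false alarms.
    $ntAccount = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Account
    $sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $requiredGroups = @('mqbrkrs')
    if ($FastPath) { $requiredGroups += 'mqm' }

    $results = @(foreach ($group in $requiredGroups) {
        $members = @(Get-LocalGroupMember -Group $group -ErrorAction Stop)
        $direct  = $members | Where-Object { $_.SID.Value -eq $sid }
        # The PRIMARY and TRUSTED columns put the user in a domain group ('Domain mqbrkrs')
        # that is itself a member of the local group. That nesting cannot be expanded on the
        # member server, so report the nested groups for the administrator to check in the domain.
        $nested  = $members | Where-Object { $_.ObjectClass -eq 'Group' }
        if ($direct)     { $detail = 'direct member' }
        elseif ($nested) { $detail = 'not a direct member; check nested group(s): ' + ($nested.Name -join ', ') }
        else             { $detail = 'not a member' }
        [pscustomobject]@{ Check = "member of local group $group"; Pass = [bool]$direct; Detail = $detail }
    })

    # "Logon as a service" is stored in the local security policy as SeServiceLogonRight.
    # secedit exports it as a comma-separated list of SIDs prefixed with '*' (or account names).
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    $holders = @()
    if ($line) {
        $holders = ($line.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
    $hasRight = ($holders -contains $sid) -or ($holders -contains $Account)
    if ($hasRight) { $rightDetail = 'assigned to the account' }
    else           { $rightDetail = 'not assigned to the account itself; a group it belongs to may hold it. Holders: ' + ($holders -join ', ') }
    $results += [pscustomobject]@{ Check = 'Logon as a service (SeServiceLogonRight)'; Pass = $hasRight; Detail = $rightDetail }

    return $results
}

# Usage (placeholder account): Test-BrokerServiceUser -Account 'PRIMARY\mqbrksvc' -FastPath | Format-Table -AutoSize
```

A Pass of False on a group check with nested groups listed is not necessarily a failure: in the PRIMARY and TRUSTED columns the user is expected to reach the local group through PRIMARY\Domain mqbrkrs or TRUSTED\Domain mqbrkrs, and the script cannot expand that membership without querying the domain. The same applies to the Logon as a service right, which the policy may grant to a group rather than to the account.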

Broker security requirements on Windows XP and Windows Server 2003

On Windows XP and Windows Server 2003, the service user ID must be a member of the mqbrkrs group and optionally a member of the Administrators group. As a member of the Administrators group, the service user ID has permission to access the registry keys of the broker so that it can access broker information. If the service user ID does not belong to the Administrators group, you can edit the Windows registry so that the service user ID can access the registry keys without having Administrators permissions.

The instructions for both operating systems are identical except where stated.

  1. Click Start > Run, enter regedit, and click OK. The Registry Editor opens.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\IBM\WebSphereMQIntegrator in the left pane.
  3. Right-click WebSphereMQIntegrator and select Permissions. The Permissions for WebSphereMQIntegrator window opens.
  4. Click Add below the list of Group or user names. The Select Users or Groups window opens.
  5. Click Advanced and then Find Now to list the current users and groups. From the list, select the mqbrkrs group to highlight it, and click OK twice.
  6. Click Advanced on the Permissions for WebSphereMQIntegrator window to set special permissions. The Advanced Security Settings for WebSphereMQIntegrator window opens.
  7. Highlight mqbrkrs and click Edit. The Permission Entry for WebSphereMQIntegrator window opens.
  8. Select Set Value, Create Subkey, and Delete and click OK.
  9. Ensure on Windows Server 2003 that Allow inheritable permissions is selected, or on Windows XP that Inherit from parent is selected, and click OK.
  10. Click OK to close the remaining windows, and then close the Registry Editor.
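Making the registry change through Regedit is hard to review or repeat across several broker computers. The following PowerShell script is an added example, not from the IBM page or product: it applies the same access control entry the ten steps above produce, through the .NET registry API, and then verifies that existing subkeys inherit it. It assumes the default local group name mqbrkrs and must run from an elevated prompt on the computer that hosts the broker.

```powershell
# Added example, not from the original IBM page: the registry change from the Regedit
# procedure above, scripted so that it can be reviewed, repeated on several broker
# computers and verified afterwards. Run from an elevated PowerShell prompt on the
# computer that hosts the broker. Assumes the default local group name mqbrkrs.
$subKey    = 'SOFTWARE\IBM\WebSphereMQIntegrator'
$groupName = 'mqbrkrs'
$group     = "$env:COMPUTERNAME\$groupName"   # local group; a domain group such as 'PRIMARY\Domain mqbrkrs' would also work

# Open the key with only the rights needed to read and change its DACL; ownership is not required.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    [System.Security.AccessControl.RegistryRights]'ReadKey, ChangePermissions')
if ($null -eq $key) { throw "HKEY_LOCAL_MACHINE\$subKey not found; is WebSphere Message Broker installed on this computer?" }

# Step 8 selects Set Value, Create Subkey and Delete. ReadKey (Query Value, Enumerate Subkeys,
# Notify, Read Control) is what Regedit grants by default to a principal added in step 5;
# without it the group could write the broker configuration but not read it.
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ReadKey'

# ContainerInherit applies the entry to existing and future subkeys (step 9). Registry keys
# have no non-container children, so ObjectInherit is not needed.
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $group,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

$acl = $key.GetAccessControl()
$acl.AddAccessRule($rule)
$key.SetAccessControl($acl)

# Verify: show the explicit entry on the key, then confirm each existing subkey inherits it.
$key.GetAccessControl().GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags -AutoSize

foreach ($name in $key.GetSubKeyNames()) {
    $child = $key.OpenSubKey($name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
        [System.Security.AccessControl.RegistryRights]::ReadKey)
    $inherited = $child.GetAccessControl().GetAccessRules($false, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $group }
    '{0,-40} inherited from parent: {1}' -f $name, [bool]$inherited
    $child.Close()
}
$key.Close()
```

Granting these rights to mqbrkrs rather than adding the service user ID to Administrators is the least-privilege option the page describes, but note what it gives: every member of mqbrkrs can now create, change and delete any broker's registry configuration under WebSphereMQIntegrator, so keep that group's membership as small as the table allows.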
Related concepts
Security for runtime resources: Access control lists
Related tasks
Configuring security for domain components
Setting up broker domain security
Enabling topic-based security
Related reference
mqsicreateaclentry command
mqsideleteaclentry command
mqsilistaclentry command
Copyright IBM Corporation 1999, 2009.
Last updated : 2009-01-07 15:22:49