| Author |
Message
|
| raam |
 Posted: Sat Jul 02, 2011 3:01 am Post subject: Need to Change 'mqm' and 'mqbrk' passwords |
 |
|
Apprentice
Joined: 14 May 2011
Posts: 29
|
Hi,
In our work environment (Test and Prod), we have 1 Qmgr and 1 Broker setup in each of the two AIX servers.
Both, the Config Manager CMGR00 and the Message Broker are using the
same MQ Queue Manager in each server.
AIX- V5.3
WMB- V6.1.0.9
WMQ- V6.0.2.5
Now, it's a required task by our AIX admin to change the existing passwords for all users on AIX including 'mqm' and 'mqbrk'. As a novice, I basically wish to know if there are any effects up on making the changes.
There are 3 Databases that Broker needs to access.
There is no MQ security or advanced features setp up in our environment (no ssl, pub/sub). It is basically a non-complex one.
So I need to understand what factors I will need to ensure to take care of prior/after changing the passwords, so that everything continues to function as expected post-changes. Kindly let me know if any other information would be required.
Thank you. |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Sat Jul 02, 2011 4:36 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Tell your administrators to change the setup.
Make the mqm and mqbrk non login users
Have them grant sudo su - <user> to your login user for these 2 users.
Have them declare these 2 users to be service users with a password that does not change...
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| raam |
| Posted: Sat Jul 02, 2011 4:58 am Post subject: |
|
|
Apprentice
Joined: 14 May 2011
Posts: 29
|
Thanks a lot for your response.
We will be implementing the same what you have suggested soon across all environments and then push it into Production. It is the perfect thing to be done. (Presently, I login as my user and then do 'su -mqm' or 'su - mqbrk'.)
So my main concern is that, if the passwords were to be changed for the 2 users, will it affect any current functionality, especially that of Broker and the accessibility to the DBs?
I did go through the below link-
http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/topic/com.ibm.etools.mft.doc/an28150_.htm
But I just think I need more clarity on this before our AIX admin can change the 'mqm' and 'mqbrk' passwords and then make them as non-login users, etc.
Thanks again  |
|
| Back to top |
|
|
| Vitor |
| Posted: Sat Jul 02, 2011 6:46 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| raam wrote: |
| So my main concern is that, if the passwords were to be changed for the 2 users, will it affect any current functionality, especially that of Broker and the accessibility to the DBs? |
Yes - most of the functionality will fail with invalid password errors.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Sat Jul 02, 2011 10:40 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
ideally you don't want the admins to change the passwords. You want them to make the users non login users, i.e. service users.
You then want the admins to control access to the same users hence you don't su to them, you'll have to sudo to them. This means as well that each sudo command is logged (compliance)...
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| Vitor |
| Posted: Sat Jul 02, 2011 11:41 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| fjb_saper wrote: |
| You then want the admins to control access to the same users hence you don't su to them, you'll have to sudo to them. This means as well that each sudo command is logged (compliance)... |
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| raam |
| Posted: Sat Jul 02, 2011 11:56 pm Post subject: |
|
|
Apprentice
Joined: 14 May 2011
Posts: 29
|
Thanks so much, both of you.
I happened to get in touch with our previous MQ admin that had set up MQ and MB but no longer works at my client. He mentioned that I shouldn't have any issue changing passwords as those are admin accounts, and they are not being used on any of the flow or database level.
Ideally, we will have these users set up henceforth as service users. But I will go ahead and change the password in the test env and validate for any issues. Our AXI admin insists on changing the passwords are they have never been changed in a very long time and are old. Following this, he will have them set up as service accounts.
I shall revert back based on my findings. Thanks a ton |
|
| Back to top |
|
|
|
|
