Security Issue on Windows
mqrules
PostPosted: Sat Jul 09, 2005 11:10 am    Post subject: Security Issue on Windows

Centurion

Joined: 01 Jun 2005
Posts: 100
Location: US

As a business decision, we soon have to move from the NT domain to Active Directory. MQ (5.3 CSD08) has been installed on the Windows 2000 servers with the local userid MUSR_MQADMIN, which does not have access to AD. We also have WBI on a couple of servers. We have been told by the network people that we have to run MQ under a domain id (in AD). To that end:

1- There will be a domain group in Active Directory, say, ADDOMAIN.
2- MQ Service id will be created in AD: AD\USER1, which will be a member of ADDOMAIN, which in turn will be a member of the local mqm group on each server.
3- Read access to AD will be given to ADDOMAIN.
4- We will switch the userid that the MQSeries service runs under from MUSR_MQADMIN to AD\USER1 (on each server).

This is likely to cause some disruption to the business processes during the migration. Hard to believe that MQ cannot handle (or does not care about) SID history. I am just wondering if any of you have gone thru the same thing and are running your MQ under a domain ID. Also, your thoughts about moving to AD. IBM confirmed that MQ does not deal with the history of SID.

TIA.
jefflowrey
PostPosted: Sat Jul 09, 2005 12:27 pm    Post subject: Q

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

I don't understand the point about SID history, but then I am not a Windows security expert.

There are some very specific permissions that MQ service users need against an Active Directory. These are detailed in the System Admin guide or the Quick Beginnings guide for Windows. Merely giving it "read" access may not be sufficient.

You do not have to reinstall MQ to change the service user, merely re-run the Security Wizard.
_________________
I am *not* the model of the modern major general.
PeterPotkay
PostPosted: Sat Jul 09, 2005 3:08 pm

Poobah

Joined: 15 May 2001
Posts: 7722

mqrules,
Had TONS of fun with the first MQ server we had to add to an AD domain. We are at 5.3.0.8 too.

Look at Chapter 11 of the Windows Quick Beginnings Manual; it specifically deals with this issue.
http://www-306.ibm.com/software/integration/mqfamily/library/manualsa/manuals/platspecprev.html


Also, check out this link if the server in question is Windows 2003:
http://www-1.ibm.com/support/docview.wss?rs=172&context=SW900&q1=windows+2003&uid=swg21157290&loc=en_US&cs=utf-8&lang=en



At a high level, you will need a domain group called exactly "domain mqm" (no quotes). In there you will create a domain ID that will replace MUSR_MQADMIN. We made it mqadmin_ad. Note the password.


Now when you install MQ, answer Yes to that Network PreReq question. When your install is done, you will see that domain mqm group automatically inserted in the local mqm group.

Because MQ on Windows does not like nested groups, you will manually have to add that domain ID (mqadmin_ad) that is in domain mqm into your local mqm group, even though the domain mqm group is already there.

Finally, if that lousy Wizard at the end of the install actually works, tweak MQ to run under mqadmin_ad, or whatever ID you chose up above. Odds are it won't work. If the Wizard throws an error, cancel out of the Wizard, and manually change the ID thru Start…Administrative Tools…Component Services…Computer…My Computer…DCOM…IBM MQSeries…Right Click…Identity tab. Set the ID to AD/mqadmin_ad.

Make sure it all works by opening both MQExplorer and MQ Services on the MQ server. Make sure both tools work 100%, and you are good to go.
_________________
Peter Potkay
Keep Calm and MQ On
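The steps in the post above (a "domain mqm" group, a domain service ID that must also be a *direct* member of the local mqm group because of the nested-group limitation, and the MQ service re-pointed at that ID) can be verified on each server after the change. The following PowerShell script is an added example, not code from the thread or from IBM: it assumes the domain is called AD, the domain group is "domain mqm", the service ID is mqadmin_ad, and that the MQ service can be picked out by a display name containing "MQ" (all of these are placeholders for your own environment).

```powershell
# Added example (not from the forum thread): post-migration check that the
# MQ service account set-up described above is in place on one Windows server.
# Assumed placeholders: domain AD, domain group "domain mqm", service ID
# mqadmin_ad, MQ service display name containing "MQ". Adjust as needed.
$Domain    = 'AD'
$DomainGrp = "$Domain\domain mqm"
$ServiceId = "$Domain\mqadmin_ad"

# Direct members of the local mqm group. Nested membership is not enough:
# the thread notes the domain ID must be listed directly, alongside the group.
$members = Get-LocalGroupMember -Group 'mqm' | Select-Object -ExpandProperty Name

foreach ($required in @($DomainGrp, $ServiceId)) {
    if ($members -contains $required) {
        Write-Output  "OK      : $required is a direct member of local mqm"
    } else {
        Write-Warning "MISSING : $required is not a direct member of local mqm"
    }
}

# Identity the MQ service(s) actually run under. After the move to AD this
# should be the domain ID, not the local MUSR_MQADMIN account used before.
Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like '*MQ*' } |
    ForEach-Object {
        $state = if ($_.StartName -eq $ServiceId) { 'OK     ' } else { 'CHECK  ' }
        Write-Output "$state : service '$($_.Name)' runs as '$($_.StartName)'"
    }
```

Run it in an elevated PowerShell session on the MQ server. A MISSING line for the domain ID is the symptom of the nested-group problem the post describes; a CHECK line on the service means the identity change (Wizard or DCOM Identity tab) did not take effect.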
mqrules
PostPosted: Sat Jul 09, 2005 5:40 pm

Centurion

Joined: 01 Jun 2005
Posts: 100
Location: US

Thanks, Peter, for your input. I have been playing around with this AD stuff in the lab for some time now, and everything works just fine...

mr