Expiring DataSourcePassword |
Author |
Message
|
vmcgloin |
Posted: Wed May 15, 2002 4:44 am Post subject: Expiring DataSourcePassword |
|
|
Knight
Joined: 04 Apr 2002 Posts: 560 Location: Scotland
|
Hi,
I know this is an administration problem not an MQSI one but here goes...
Our DataSourcePassword expires monthly - we then have to stop brokers, and use mqsichangebroker to change the password.
We have a high availability service & we are not strictly allowed to stop brokers for this kind of administration. However security will not allow a non-expiring password.
Is there any way round this that I am missing? How do other organisations manage this?
Thanks for reading this,
Vicky |
|
GYR |
Posted: Wed May 15, 2002 7:12 am Post subject: |
|
|
Acolyte
Joined: 23 Jan 2002 Posts: 72
|
Vicky,
You do not say what platform this is running on, but you could do this in different ways. On Unix you could schedule a cron job that runs monthly and changes your password based on some algorithm, at the same time ensuring that a mail/message is generated to the administrator so you know what is generated. This could also be done on NT. You would have to question why the profile that is running your broker also needs to be changed at such a frequency. On Unix you could create a profile that runs the required broker processes and, if necessary, a separate one for the database accesses, both of which can be set so that it is not a log on enabled profile but would be accessible by root. Something similar could be arranged on NT with Domain Users or even a user that is only made known to admin people.
|
vmcgloin |
Posted: Wed May 15, 2002 8:26 am Post subject: |
|
|
Knight
Joined: 04 Apr 2002 Posts: 560 Location: Scotland
|
Thanks for the reply.
We are using AIX (and MQSIv202) so your comments about cronjobs are useful. However the problem is that when the password is changed, we have to stop the broker before using mqsichangebroker.
You say that we could set the Datasource userid so that it is "not a log on enabled profile but would be accessible by root". We tried this - I'm not sure exactly what the AIX admin did, but when I tried to use mqsilist or mqsistop/start a load of 'unable to access database' errors were produced, so we had to give up on that. Is this something that you have had working?
Thanks again,
Vicky |
|
GYR |
Posted: Wed May 15, 2002 8:53 am Post subject: |
|
|
Acolyte
Joined: 23 Jan 2002 Posts: 72
|
Vicky,
What we did was have a profile that ran the process on AIX, which was set in a way that allowed the profile to run all broker utilities, i.e. it was part of the mqbrkrs group. We also had a profile that was part of the DB2 authority group, which we then used in the mqsicreatebroker DataSource bit etc. Both profiles were given the authority they needed to do their specific tasks, and then the profile was set so that it was unable to log on to an interactive session. It was also only known to those that needed to know (as well as the profiles' corresponding passwords) and all worked fine. The only difference here is that we would only change the broker say every 6 months, and this was done at a convenient down time by admin people. You unfortunately are not able to change this without taking the broker down, even if it is only for the shortest of periods, hence the longevity of keeping the same password etc. The said company policy was to change on a monthly basis, but this in reality is unrealistic for WMQI if you have to have the service running 24/7 or whatever.
|
CodeCraft |
Posted: Fri May 17, 2002 4:00 am Post subject: |
|
|
Disciple
Joined: 05 Sep 2001 Posts: 195
|
If 24/7 is necessary, why not have a backup broker? You could bring up the backup, and bring down the primary, to do the password changes, and either switch back, or just rotate from month to month or something like that?
|