saurabh25281
Posted: Fri Aug 12, 2016 12:54 pm Post subject: Requirement for Domain Controllers in Multi-Instance QMgr
Hi All,
I am planning to set up a multi-instance Queue Manager v8.0.0.5 on Windows 2012 R2 Server. The documentation says that both Windows machines should be running as Domain Controllers.
https://www.ibm.com/support/knowledgecenter/SSKM8N_8.0.0/com.ibm.etools.mft.doc/fa70161_.htm
I spoke to my clients and they have raised security risks and want to explore other options rather than Domain Controllers. So,
1. Are there any other options available?
I looked into older posts which point out that the requirement is primarily due to the need for having the same SID for both mqm groups, which is only possible for domain local groups. See http://www./phpBB2/viewtopic.php?p=282032&sid=f3243ebdbc9ecdbb7935f49414ab8af7
2. Can we have domain local groups (mqm) created for my 2 Windows servers & file server, without making them run as DCs?
3. Are the other possibilities specified in the above links still valid, like creating a sub-domain which can be used only for MQ servers?
4. Do you guys think MQ 8.0.0.5 is a stable version to work with? We are planning a plain vanilla MQ setup for MQ-MQ intercommunication, with some .Net applications connecting to our MQ servers.
Regards
Saurabh

exerk
Posted: Sat Aug 13, 2016 7:12 am Post subject:
Have a read of THIS - there is no requirement to have MI queue managers on DCs with the version of MQ you're going to use.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

saurabh25281
Posted: Tue Aug 16, 2016 2:31 am Post subject: Security in multi-instance QMgr on Windows
Thanks for your link, exerk.
I have another query. Please consider my security scenario and let me know the correct way to implement it.
In a normal implementation (single node MQ server) I would provide access to MQ users by creating a local mqusers group and provide access using setmqaut at group level. But in the case of a multi-instance Queue Manager on Windows, how do we implement the same scenario? The users I have are domain users.
Do we create local groups on both servers and add domain users into the group, or
do we create Global groups containing domain users and provide access to the Global group?

fjb_saper
Posted: Tue Aug 16, 2016 2:44 am Post subject: Re: Security in multi-instance QMgr on Windows
saurabh25281 wrote:
> Do we create Global groups containing domain users and provide access to the Global group?

And you have to run the MQ Service (see the services.msc plugin) with the Domain ID that you set up as described in the infocenter.
_________________
MQ & Broker admin

saurabh25281
Posted: Tue Aug 16, 2016 3:45 am Post subject:
Thanks for the quick response fjb_saper.
As per the infocenter, the domain user under which MQ should run should be a member of both the local mqm group and an alternate Global security group.
Do you not think that the domain user would be automatically configured in the services.msc panel if I perform the installation as that domain user?

smdavies99
Posted: Tue Aug 16, 2016 5:01 am Post subject:

saurabh25281 wrote:
> Do you not think that the domain user would be automatically configured in the services.msc panel if I perform the installation as that domain user?

The post-install processing is where you define the account that MQ is to run under. You will have preconfigured that in the DC with all the right properties (a lot easier under Server 2016).
The post-processing checks the settings on the account and then, if good, creates the service with the correct login credentials.
You have to perform the install as an Admin, otherwise the installer won't have the right access to check the account privs etc.
Why don't you try it using an account that does not have the rights to check the account rights on the DC?
IBM wisely does not specify the account name that MQ runs under. If they did, the security people in many companies would have an apoplectic fit. They want all sorts of security on these accounts.
On one install I did, I had a security bod enter all the passwords for me.
Oh, and make sure that the account that MQ is using never expires. I've had many a battle with Security who mandated that all accounts expire every 'N' days.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
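The checks discussed in this thread (service logon account, local mqm membership, a non-expiring domain account, and a domain group that resolves to the same SID on both nodes) can be verified on each node with a script. This is an added example, not from the thread or IBM; the service name `MQ_Installation1`, the account `CONTOSO\svc_mq` and the group `CONTOSO\mqusers` are placeholders, and step 3 assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: audit one node of a multi-instance queue manager on Windows.
# All names below are placeholders; change them to match your installation.
param(
    [string]$ServiceName    = 'MQ_Installation1',  # assumption: MQ service name on this node
    [string]$ServiceAccount = 'CONTOSO\svc_mq',    # placeholder domain account MQ runs under
    [string]$AccessGroup    = 'CONTOSO\mqusers'    # placeholder domain global group for setmqaut
)

$findings = @()

# 1. Which account does the MQ service actually log on as? (thread: fjb_saper, smdavies99)
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    $findings += "Service '$ServiceName' not found"
} elseif ($svc.StartName -ne $ServiceAccount) {
    $findings += "Service runs as '$($svc.StartName)', expected '$ServiceAccount'"
}

# 2. Is the service account a member of the local mqm group on this node? (infocenter requirement)
$mqmMembers = Get-LocalGroupMember -Group 'mqm' -ErrorAction SilentlyContinue
if (-not ($mqmMembers.Name -contains $ServiceAccount)) {
    $findings += "'$ServiceAccount' is not a member of local group mqm"
}

# 3. Does the domain account expire or sit disabled? (thread: "make sure the account never expires")
$sam    = $ServiceAccount.Split('\')[-1]
$adUser = Get-ADUser -Identity $sam -Properties PasswordNeverExpires, Enabled
if (-not $adUser.Enabled) {
    $findings += "'$ServiceAccount' is disabled"
}
if (-not $adUser.PasswordNeverExpires) {
    $findings += "'$ServiceAccount' password expires; the service will fail to log on when it does"
}

# 4. Resolve the domain group to its SID. Run on both nodes: the SIDs must match,
#    which is the reason the thread gives for using domain groups rather than local ones.
$nt  = New-Object System.Security.Principal.NTAccount($AccessGroup)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
Write-Output "Group '$AccessGroup' resolves to SID $sid (compare with the other node)"

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'All checks passed on this node'
```

Run it as a local administrator on each node; step 4 printing the same SID on both nodes is the condition that lets `setmqaut -g` grants made against the group work identically wherever the instance is active.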